Privacy Policy

Effective date: 26 March 2026  ·  Last updated: 2 April 2026  ·  Published by CosmoLabs Ltd

tatGuard is designed to be privacy-first. We do not sell your data, we do not build profiles of your browsing activity, and we do not require you to create an account to use the core features of the extension.

1. Who We Are

tatGuard is a Chrome browser extension developed and operated by CosmoLabs Ltd, a company registered in Scotland, United Kingdom.

CosmoLabs Ltd is the data controller for personal data processed in connection with tatGuard. For all data protection queries, please contact us at hello@cosmolabs.co.uk.

This policy is governed by the laws of Scotland and England and Wales. Where users are located in the European Economic Area (EEA), EU GDPR may also apply in addition to UK GDPR.

2. What tatGuard Does

tatGuard automatically analyses product listings on supported e-commerce websites as you browse and provides an AI-powered risk assessment covering counterfeit risk, safety risk, and quality risk. When tatGuard detects that you are viewing a supported product page, it:

tatGuard operates automatically on supported product pages as you browse — you do not need to manually trigger each scan. It does not read any other browser tabs, access your passwords, bookmarks, or personal files, or track your activity on non-product pages.

Important: tatGuard provides informational risk assessments only and does not guarantee product authenticity, safety, or quality. Our scores are probabilistic assessments based on publicly available data and should be treated as one factor among several when making purchasing decisions.

3. Data We Collect and Why

| Data | Purpose | Retention | Shared with |
| --- | --- | --- | --- |
| Anonymous device identifier (randomly generated UUID) | Manage daily scan limits; link scans to a device without requiring an account | Until you delete your account or uninstall the extension | Supabase (our backend) |
| Product page URL (the URL of the product page you are viewing) | Cache scan results to avoid repeat analysis of the same listing; rate limiting | Hashed URL stored for cache TTL (6 hours for standard, 7 days for search cache). Full URL in feedback table deleted after 90 days. | Supabase |
| Product page content (name, price, seller, reviews, product image URL) | Generate risk assessment | Not stored after analysis is complete. System logs retained max 30 days. | Anthropic (Claude AI), Serper (web search), Supabase (processing) |
| IP address | Rate limiting and abuse prevention | Stored for up to 90 days, then automatically deleted | Supabase (our backend only) |
| Email address (only if you register for a free trial or subscription) | Account authentication (OTP), subscription management, and support | Duration of subscription + 7 years (UK tax obligations), unless earlier deletion is requested | Stripe (payments), Supabase |
| Scan feedback (thumbs up/down on a result, linked to device ID and page URL) | Improve analysis quality | 90 days, then automatically deleted | Supabase (our backend only) |

What we do not collect: We do not collect your name, physical address, payment card details (handled entirely by Stripe), passwords, browser history outside of product pages you scan, or any data from pages tatGuard does not recognise as a supported product listing.

4. Auto-Scanning and Product Page URLs

tatGuard automatically detects supported product pages as you browse and initiates an analysis without requiring you to click a button. This means that when you visit a product page on a supported site (such as Amazon, eBay, Temu, or Etsy), the URL of that page and the product content visible on it are sent to our servers for analysis.

We treat product page URLs as potentially sensitive because they reflect your shopping activity. We handle them as follows:

If you do not wish tatGuard to analyse a product page, you can dismiss the scan panel or uninstall the extension.

5. How We Use Your Data

We use the data described above solely to provide and improve tatGuard's core functionality. Specifically:

6. Lawful Basis for Processing (UK GDPR)

| Data | Legal Basis | Justification |
| --- | --- | --- |
| Device identifier, product page URLs, IP address | Legitimate interests (Art. 6(1)(f) UK GDPR) | Necessary to deliver the service, prevent abuse, and manage scan limits. Proportionate and not overridden by your privacy interests given the pseudonymous nature of the data. |
| Product page content (name, price, seller, reviews) | Legitimate interests (Art. 6(1)(f) UK GDPR) | Core to the service. Data is publicly available on the product page and is used solely to generate your risk assessment. |
| Email address | Contract performance (Art. 6(1)(b) UK GDPR) | Necessary to manage your account, authenticate you via OTP, and process your subscription. |
| Marketing emails | Consent (Art. 6(1)(a) UK GDPR) | Only sent where you have explicitly opted in. You may withdraw consent at any time. |

7. What We Do Not Do

8. Third-Party Processors

CosmoLabs Ltd remains the data controller. The following third parties act as data processors and process data only on our instructions for the purposes described:

| Processor | Role | Data shared | Location | Privacy Policy |
| --- | --- | --- | --- | --- |
| Anthropic | AI language model (Claude) for risk assessment generation and plain-English summary | Product name, price, seller name, review text, external search results, product image URL | United States | anthropic.com/privacy |
| Serper | Web search API for external product signals (Reddit, news, forums) | Search queries derived from product name and brand (e.g. "Nike Air Max review reddit") | United States | serper.dev/privacy |
| Supabase | Backend infrastructure, database hosting, and edge function processing | Device ID, IP address, product page URLs (hashed), scan results, email address (if registered) | European Union (eu-west-2) | supabase.com/privacy |
| Stripe | Payment processing for Premium and Pro subscriptions | Email address, payment details (handled directly by Stripe — we do not receive card numbers) | United States / EU | stripe.com/privacy |

We do not share your data with any other third parties. We do not use advertising networks, analytics platforms, or data brokers.

9. International Data Transfers

Some of our processors, including Anthropic, Serper, and Stripe, are located outside the United Kingdom or European Economic Area, primarily in the United States. Where personal data is transferred internationally, we ensure appropriate safeguards are in place in accordance with UK GDPR Chapter V, including Standard Contractual Clauses and, where applicable, the UK Extension to the EU-US Data Privacy Framework.

Product page data transmitted to these processors is used solely to generate your risk assessment and is not retained by them beyond the duration of a single processing request.

10. Data Retention

11. Deleting Your Account and Data

You have the right to request deletion of your account and all associated personal data. tatGuard provides a self-service account deletion feature in the extension's Settings page under "Delete Account & Data". When you delete your account:

This action is immediate and irreversible. If you prefer to request deletion by email, contact us at hello@cosmolabs.co.uk and we will action your request within 30 days.

12. Your Rights Under UK GDPR

To exercise any of these rights, please contact us at hello@cosmolabs.co.uk. We will respond within 30 days.

13. Automated Decision-Making

tatGuard uses automated processing, including AI language models, to generate product risk scores. These scores are informational only and do not produce legal or similarly significant effects on you. No solely automated decisions are made about individuals — only probabilistic assessments about products based on publicly available data. You remain fully in control of your purchasing decisions.

14. Chrome Web Store Compliance and Limited Use

tatGuard complies with the Chrome Web Store User Data Policy:

Limited Use Disclosure. tatGuard's use of information received from Chrome APIs complies with the Chrome Web Store User Data Policy, including the Limited Use requirements. Data obtained through Chrome APIs is used only to provide and improve tatGuard's core functionality (product risk assessment). It is not transferred to third parties except as necessary to provide that functionality, is not used for purposes unrelated to tatGuard's core functionality, and is not used to determine creditworthiness or for lending purposes. Data is not sold or used for advertising.

Permissions justification. tatGuard requests access to all websites (<all_urls>) because it supports product pages across a wide range of e-commerce platforms. The extension uses this access solely to detect supported product pages and analyse their content. It does not read, store, or transmit any data from pages it does not identify as a supported product listing. The tabs permission is used to manage communication between the extension's background service and content scripts, and to open the welcome page on first install.

15. Cookies and Local Storage

tatGuard uses Chrome's built-in extension storage (chrome.storage.local) to store your device identifier, scan count, authentication token, and extension settings. This is not a browser cookie and is not accessible to websites you visit. tatGuard does not set or read browser cookies on e-commerce sites. Supabase may use authentication session tokens stored in extension local storage to maintain your logged-in state — these are used solely for authentication and are cleared when you sign out or delete your account.

16. Data Security

All data transmitted between tatGuard and our backend is encrypted in transit using HTTPS/TLS. Our backend infrastructure is hosted on Supabase, which maintains SOC 2 Type II certification and is hosted in the European Union (eu-west-2 region). All database tables use Row Level Security (RLS) to ensure data is accessible only by authorised processes. Access to our systems is restricted to authorised personnel only.

17. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours as required by UK GDPR Article 33. Where the breach is likely to result in a high risk to affected individuals, we will also notify those individuals without undue delay.

18. Children's Privacy

tatGuard is intended for users aged 18 and over. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us at hello@cosmolabs.co.uk and we will delete it promptly.

19. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page. For material changes, we will notify registered users by email and display a notice within the extension where reasonably practicable.

20. Contact and Governing Law

This Privacy Policy is governed by the laws of Scotland and England and Wales. Any disputes arising from this policy shall be subject to the exclusive jurisdiction of the courts of Scotland, except where mandatory consumer protection laws in your jurisdiction provide otherwise.

If you are a consumer in the European Economic Area, you may also be entitled to bring proceedings in the courts of your country of residence.

For any privacy questions or to exercise your rights: