Privacy & Security
FlowPick is designed with privacy-first principles. All data processing happens locally in your browser; we do not collect, store, or transmit any of your personal data.
Core Principles
Zero Data Collection
| Data Type | Collection Status | Explanation |
|---|---|---|
| Browsing history | Not collected | Extension does not record which websites you visit |
| Download history | Not collected | Download records only exist locally in your browser |
| Personal information | Not collected | No account system, no login required |
| Usage statistics | Not collected | No analytics or tracking code |
| Device information | Not collected | No hardware fingerprinting |
Local Processing
All core functions run entirely in your browser:
| Function | Processing Location | Data Transmission |
|---|---|---|
| Video detection | Browser extension | None |
| Audio detection | Browser extension | None |
| Image detection | Browser extension | None |
| Fragment download | Browser → Server (direct) | Only media data |
| Format conversion | Browser WASM | None |
| File merging | Browser memory | None |
| Decryption | Web Crypto API | None |
Key Point: Your media files are never uploaded to our servers. All processing completes in your browser.
Open Source & Transparent
- Fully open source: Code available on GitHub for audit
- No obfuscation: Core logic readable, no hidden code
- No remote code: No dynamic loading of external scripts
- Community review: Anyone can review code for security issues
Permission Explanations
FlowPick requires following permissions to function properly. Each permission has specific purpose and scope limitations:
Required Permissions
| Permission | Purpose | Scope Limitation |
|---|---|---|
activeTab | Access current tab's network requests to detect media resources | Only works on user-active tab, needs user action to trigger |
downloads | Trigger browser native download to save files | Can only download user-selected resources |
webRequest | Monitor network requests to identify video/audio/image URLs | Read-only, cannot modify requests or responses |
<all_urls> | Intercept requests from all domains for media detection | Only reads Content-Type headers, does not read page content |
Optional Permissions
| Permission | Purpose | When Needed |
|---|---|---|
storage | Save user preferences (output format, filter settings, etc.) | User modifies settings |
notifications | Show download completion notifications | User enables notifications |
Why These Permissions Are Safe
activeTab Permission:
- Only activates when you click extension icon or use shortcut
- Cannot access background tabs
- Automatically revoked when tab navigates away
downloads Permission:
- Uses browser's built-in download manager
- Cannot access previously downloaded files
- Cannot delete or modify downloaded files
webRequest Permission:
- Read-only monitoring, cannot modify request content
- Only reads response headers (Content-Type, Content-Length)
- Does not read request/response body
<all_urls> Permission:
- Despite broad name, actual usage is very limited
- Only intercepts media-type requests (video/audio/image)
- Does not intercept page HTML, JavaScript, CSS
- Does not read cookies or authentication info
Network Behavior Analysis
Normal Operation Network Requests
When using FlowPick, following types of network requests occur:
| Request Type | Direction | Purpose |
|---|---|---|
| Media resource requests | Browser → Media server | Download video/audio/image fragments |
| Manifest file requests | Browser → Streaming server | Download M3U8/MPD manifest files |
| Key file requests | Browser → Key server | Download decryption keys (AES-128) |
| FFmpeg WASM loading | Browser → CDN/Local | Load FFmpeg WASM library (first time only) |
Important Notes:
- All media downloads are direct connections between your browser and media server
- FlowPick servers are NOT involved in this process
- We cannot see what you're downloading
- We cannot access your download content
No Data Upload
During entire usage process:
- ❌ No browsing history upload
- ❌ No usage statistics upload
- ❌ No error log upload
- ❌ No device information upload
- ❌ No personal information upload
Only exception: FFmpeg WASM library is loaded from CDN on first use (open source project, no tracking code).
Data Storage
What Is Stored Locally
| Data Type | Storage Location | Retention Period |
|---|---|---|
| User preferences | Chrome storage API | Permanent until user clears |
| Temporary download cache | Browser memory | Cleared when popup closes or download completes |
| WASM runtime memory | Browser memory | Freed after processing completes |
What Is NOT Stored
- ❌ Browsing history
- ❌ Downloaded file list
- ❌ Detected resource URLs
- ❌ User operation logs
- ❌ Error details
How to Clear Data
If you want to completely remove FlowPick data:
- Right-click extension icon → "Manage Extensions"
- Click "Remove" button
- All data will be completely cleared
Or clear just settings without removing extension:
- Open FlowPick popup
- Click settings icon
- Click "Reset to Defaults"
Security Best Practices
For Users
1. Keep Extension Updated
- Updates may include security fixes
- Enable auto-update in extension management page
- Check for updates regularly
2. Verify Source
- Only install from Chrome Web Store or official sources
- Do not install modified versions from unknown sources
- Check publisher is "ezwebtools"
3. Review Permissions Carefully
- Review requested permissions before installing
- Understand each permission's purpose
- Be suspicious if unnecessary permissions are requested
4. Use in Trusted Environments
- Avoid using on public computers
- Pay attention when using on shared devices
- Log out after use if needed
For Enterprise/Institutional Users
1. Policy Management
Enterprise administrators can control extensions via Group Policy:
- Allowlist/blocklist specific extensions
- Force-install or force-uninstall
- Configure permission policies
2. Network Monitoring
FlowPick's network activity characteristics:
- Large number of media file downloads (TS/M4S segments)
- Requests to streaming manifest files (.m3u8/.mpd)
- Possible key file requests (.key)
3. Data Compliance
- All data processed locally, compliant with data localization requirements
- No data upload, meets most privacy regulations
- Suitable for environments with strict data compliance requirements
Common Concerns
"Does This Extension Steal My Passwords?"
No. FlowPick does not have permission to read:
- Password manager contents
- Cookie data (except limited cases needed for media requests)
- Form autofill data
- Local storage of other websites
Extension's webRequest permission can only read HTTP headers, not webpage content or sensitive data.
"Can It See My Browsing History?"
Cannot. Extension does not have history permission, cannot:
- View your browsing history
- Record visited pages
- Track your browsing habits
It can only see current active tab's network requests when triggered by user action.
"Will My Downloads Be Uploaded to Servers?"
No. Download process:
- You click download button
- Extension tells browser: "Please download this URL"
- Browser directly connects to media server to download
- File saved to your local disk
FlowPick acts as an intermediary throughout the process and never touches the actual file content.
"What About Encrypted Streams?"
For AES-128 encrypted streams:
- Decryption keys are downloaded directly from key server
- Decryption happens in your browser via Web Crypto API
- Keys are not stored anywhere
- Decrypted data is not uploaded
We cannot decrypt DRM-protected streams (Widevine etc.), nor would we want to.
Comparison with Other Tools
| Feature | FlowPick | Online Tools | Desktop Software |
|---|---|---|---|
| Data collection | None | May have | Varies |
| Need installation | Yes | No | Yes |
| Privacy protection | Highest | Varies | Varies |
| Local processing | Yes | Partial | Yes |
| Open source | Yes | Usually not | Varies |
| CORS restrictions | Bypassed | Subject to | Bypassed |
| Cross-platform | Any OS with browser | Any OS | Platform-specific |
Security Audit
Self-Assessment Items
We conduct regular self-assessments on following aspects:
| Assessment Item | Frequency | Method |
|---|---|---|
| Dependency vulnerability scan | Every release | npm audit + manual review |
| Permission minimization check | Every release | Review if new permissions can be avoided |
| Data flow analysis | Every release | Confirm no sensitive data leakage paths |
| Code review | Ongoing | Peer review + community feedback |
Known Security Measures
✅ No remote code loading
✅ No analytics/tracking code
✅ No third-party advertising SDKs
✅ HTTPS-only communication (when external requests needed)
✅ Content Security Policy restrictions
✅ Minimal permission principle
Report Security Issues
If you discover potential security issues:
- Do not publicly disclose vulnerability details
- Report via GitHub Issues (can set as private issue)
- Include:
- Vulnerability description
- Reproduction steps
- Impact assessment
- Suggested fix (if any)
We will:
- Respond within 48 hours
- Release fix as soon as possible
- Acknowledge contribution in release notes (if desired)
Related Documentation
- Installation Guide — Installation source verification
- Configuration Reference — Settings and privacy options
- Usage Guide — Operation security notes
- Video Sniffing — Network monitoring principles
- Audio Capture — Audio detection mechanism
- Image Download — Image processing method
- Format Conversion — Local conversion technology
- Browser Compatibility — Browser security model differences
- Common Issues Troubleshooting — Security-related troubleshooting
Image Download
Complete technical documentation for FlowPick image detection and download, covering supported formats, smart filtering, batch download, gallery scenarios, and best practices.
Format Conversion
Complete technical guide for FlowPick format conversion — TS/MP4 remuxing principles, FFmpeg WASM workflow, output format selection, and performance comparison.