Privacy & Security

Complete privacy and security documentation for FlowPick, covering zero data collection, local processing, permission explanations, network behavior, and security best practices.

FlowPick is designed with privacy-first principles. All data processing happens locally in your browser; we do not collect, store, or transmit any of your personal data.


Core Principles

Zero Data Collection

Data TypeCollection StatusExplanation
Browsing historyNot collectedExtension does not record which websites you visit
Download historyNot collectedDownload records only exist locally in your browser
Personal informationNot collectedNo account system, no login required
Usage statisticsNot collectedNo analytics or tracking code
Device informationNot collectedNo hardware fingerprinting

Local Processing

All core functions run entirely in your browser:

FunctionProcessing LocationData Transmission
Video detectionBrowser extensionNone
Audio detectionBrowser extensionNone
Image detectionBrowser extensionNone
Fragment downloadBrowser → Server (direct)Only media data
Format conversionBrowser WASMNone
File mergingBrowser memoryNone
DecryptionWeb Crypto APINone

Key Point: Your media files are never uploaded to our servers. All processing completes in your browser.

Open Source & Transparent

  • Fully open source: Code available on GitHub for audit
  • No obfuscation: Core logic readable, no hidden code
  • No remote code: No dynamic loading of external scripts
  • Community review: Anyone can review code for security issues
You can review our complete source code on GitHub: flowpick repository. If you discover any security issues, please report via GitHub Issues.

Permission Explanations

FlowPick requires following permissions to function properly. Each permission has specific purpose and scope limitations:

Required Permissions

PermissionPurposeScope Limitation
activeTabAccess current tab's network requests to detect media resourcesOnly works on user-active tab, needs user action to trigger
downloadsTrigger browser native download to save filesCan only download user-selected resources
webRequestMonitor network requests to identify video/audio/image URLsRead-only, cannot modify requests or responses
<all_urls>Intercept requests from all domains for media detectionOnly reads Content-Type headers, does not read page content

Optional Permissions

PermissionPurposeWhen Needed
storageSave user preferences (output format, filter settings, etc.)User modifies settings
notificationsShow download completion notificationsUser enables notifications

Why These Permissions Are Safe

activeTab Permission:

  • Only activates when you click extension icon or use shortcut
  • Cannot access background tabs
  • Automatically revoked when tab navigates away

downloads Permission:

  • Uses browser's built-in download manager
  • Cannot access previously downloaded files
  • Cannot delete or modify downloaded files

webRequest Permission:

  • Read-only monitoring, cannot modify request content
  • Only reads response headers (Content-Type, Content-Length)
  • Does not read request/response body

<all_urls> Permission:

  • Despite broad name, actual usage is very limited
  • Only intercepts media-type requests (video/audio/image)
  • Does not intercept page HTML, JavaScript, CSS
  • Does not read cookies or authentication info

Network Behavior Analysis

Normal Operation Network Requests

When using FlowPick, following types of network requests occur:

Request TypeDirectionPurpose
Media resource requestsBrowser → Media serverDownload video/audio/image fragments
Manifest file requestsBrowser → Streaming serverDownload M3U8/MPD manifest files
Key file requestsBrowser → Key serverDownload decryption keys (AES-128)
FFmpeg WASM loadingBrowser → CDN/LocalLoad FFmpeg WASM library (first time only)

Important Notes:

  • All media downloads are direct connections between your browser and media server
  • FlowPick servers are NOT involved in this process
  • We cannot see what you're downloading
  • We cannot access your download content

No Data Upload

During entire usage process:

  • ❌ No browsing history upload
  • ❌ No usage statistics upload
  • ❌ No error log upload
  • ❌ No device information upload
  • ❌ No personal information upload

Only exception: FFmpeg WASM library is loaded from CDN on first use (open source project, no tracking code).


Data Storage

What Is Stored Locally

Data TypeStorage LocationRetention Period
User preferencesChrome storage APIPermanent until user clears
Temporary download cacheBrowser memoryCleared when popup closes or download completes
WASM runtime memoryBrowser memoryFreed after processing completes

What Is NOT Stored

  • ❌ Browsing history
  • ❌ Downloaded file list
  • ❌ Detected resource URLs
  • ❌ User operation logs
  • ❌ Error details

How to Clear Data

If you want to completely remove FlowPick data:

  1. Right-click extension icon → "Manage Extensions"
  2. Click "Remove" button
  3. All data will be completely cleared

Or clear just settings without removing extension:

  1. Open FlowPick popup
  2. Click settings icon
  3. Click "Reset to Defaults"

Security Best Practices

For Users

1. Keep Extension Updated

  • Updates may include security fixes
  • Enable auto-update in extension management page
  • Check for updates regularly

2. Verify Source

  • Only install from Chrome Web Store or official sources
  • Do not install modified versions from unknown sources
  • Check publisher is "ezwebtools"

3. Review Permissions Carefully

  • Review requested permissions before installing
  • Understand each permission's purpose
  • Be suspicious if unnecessary permissions are requested

4. Use in Trusted Environments

  • Avoid using on public computers
  • Pay attention when using on shared devices
  • Log out after use if needed

For Enterprise/Institutional Users

1. Policy Management

Enterprise administrators can control extensions via Group Policy:

  • Allowlist/blocklist specific extensions
  • Force-install or force-uninstall
  • Configure permission policies

2. Network Monitoring

FlowPick's network activity characteristics:

  • Large number of media file downloads (TS/M4S segments)
  • Requests to streaming manifest files (.m3u8/.mpd)
  • Possible key file requests (.key)

3. Data Compliance

  • All data processed locally, compliant with data localization requirements
  • No data upload, meets most privacy regulations
  • Suitable for environments with strict data compliance requirements

Common Concerns

"Does This Extension Steal My Passwords?"

No. FlowPick does not have permission to read:

  • Password manager contents
  • Cookie data (except limited cases needed for media requests)
  • Form autofill data
  • Local storage of other websites

Extension's webRequest permission can only read HTTP headers, not webpage content or sensitive data.

"Can It See My Browsing History?"

Cannot. Extension does not have history permission, cannot:

  • View your browsing history
  • Record visited pages
  • Track your browsing habits

It can only see current active tab's network requests when triggered by user action.

"Will My Downloads Be Uploaded to Servers?"

No. Download process:

  1. You click download button
  2. Extension tells browser: "Please download this URL"
  3. Browser directly connects to media server to download
  4. File saved to your local disk

FlowPick acts as an intermediary throughout the process and never touches the actual file content.

"What About Encrypted Streams?"

For AES-128 encrypted streams:

  • Decryption keys are downloaded directly from key server
  • Decryption happens in your browser via Web Crypto API
  • Keys are not stored anywhere
  • Decrypted data is not uploaded

We cannot decrypt DRM-protected streams (Widevine etc.), nor would we want to.


Comparison with Other Tools

FeatureFlowPickOnline ToolsDesktop Software
Data collectionNoneMay haveVaries
Need installationYesNoYes
Privacy protectionHighestVariesVaries
Local processingYesPartialYes
Open sourceYesUsually notVaries
CORS restrictionsBypassedSubject toBypassed
Cross-platformAny OS with browserAny OSPlatform-specific

Security Audit

Self-Assessment Items

We conduct regular self-assessments on following aspects:

Assessment ItemFrequencyMethod
Dependency vulnerability scanEvery releasenpm audit + manual review
Permission minimization checkEvery releaseReview if new permissions can be avoided
Data flow analysisEvery releaseConfirm no sensitive data leakage paths
Code reviewOngoingPeer review + community feedback

Known Security Measures

✅ No remote code loading
✅ No analytics/tracking code
✅ No third-party advertising SDKs
✅ HTTPS-only communication (when external requests needed)
✅ Content Security Policy restrictions
✅ Minimal permission principle


Report Security Issues

If you discover potential security issues:

  1. Do not publicly disclose vulnerability details
  2. Report via GitHub Issues (can set as private issue)
  3. Include:
    • Vulnerability description
    • Reproduction steps
    • Impact assessment
    • Suggested fix (if any)

We will:

  • Respond within 48 hours
  • Release fix as soon as possible
  • Acknowledge contribution in release notes (if desired)