MVweb SEO Inspector — Privacy Policy
MVweb SEO Inspector is a browser extension that analyzes the on-page SEO setup of the page you currently view. This document explains exactly what data the extension reads, sends, and stores.
What we collect
Nothing. We operate no servers and have no telemetry, analytics, error reporting, or remote logging. The extension reads the DOM of the page you explicitly open it on and renders the result locally inside the popup.
What we store
The extension uses your browser's local extension storage (chrome.storage.local). All stored data lives on your device and is removed when you uninstall the extension. We store:
| Key | What | Lifetime |
|---|---|---|
mvwebLinkStatusCache | HTTP-status results from the optional «Check Status» feature | Per page load — discarded when the page reloads |
mvwebSqi:{hostname} | Cached Yandex SQI value (number or PNG badge) — only if you opt-in | 24 hours |
serpNumberingYandex, serpNumberingGoogle | SERP numbering preferences (off by default) | Until you change them |
enableYandexSqi, enableYandexFeatures | Yandex feature opt-in flags (off by default in English UI) | Until you change them |
textStatsTopN, textStatsStopWords, copySummaryTemplate | Text statistics and Copy summary preferences | Until you change them |
The data never leaves your device.
What network requests we make
When you open the popup on a page, the extension makes the following requests on your behalf, from your browser:
| Request | Why | Conditions |
|---|---|---|
GET <origin>/robots.txt | Parse robots.txt to surface Sitemap: directives and check whether the current URL is allowed for crawler UA * and Yandex | Only on shareable URLs (skips localhost, 127.x, 10.x, 192.168.x, 172.16-31.x, .local) |
HEAD <current-page-url> | Read HTTP status code and X-Robots-Tag header of the current page | Only on shareable URLs |
GET https://bar-navig.yandex.ru/... and GET https://yandex.ru/cycounter?... | Fetch the Yandex SQI value/badge for the current site | Only if you opt-in in Settings (enableYandexSqi), cached 24 hours |
When you click «Check Status» in the «Links» tab, the extension issues parallel HEAD requests (with GET fallback for servers that respond 405 / 501) to every link visible on the page. We use 12 parallel workers and an 8-second timeout per request. No request body is sent; no custom headers are added. Private/intranet URLs are skipped (no SSRF on local networks).
All requests originate from your browser session and contain whatever your browser would normally send (cookies, user-agent). They are never proxied through any server we control.
Content scripts
The extension registers one content script (serp-numbering.js) that runs only on Google and Yandex search result pages (10 regional domains). It does not collect anything — it only adds visual position numbers (1, 2, 3, ...) next to organic search results, and only if you have enabled it in Settings (off by default). It does not communicate with any server.
Third-party services
The «Tools» tab provides shortcut links to external SEO services (Google PageSpeed Insights, Schema.org Validator, Wayback Machine, SSL Labs, WAVE, Yandex.Webmaster, Yandex Wordstat, etc.). These open in new tabs. Once you click such a link, you are interacting with the third-party service directly, governed by its privacy policy — not this one.
The «Search» tab works the same way — clicking a search operator (e.g. site:domain.ru) opens Yandex or Google in a new tab.
The extension itself does not transmit anything to those services behind the scenes; it only constructs a URL with your current page as a parameter when you click.
Permissions justification
| Permission | Why we need it |
|---|---|
activeTab | Read the DOM of the page you click the toolbar icon on. Without this, the extension cannot inspect any meta tags, headings, links, or images. |
scripting | Inject the collector.js script into the active tab via chrome.scripting.executeScript. The script reads the page DOM and sends the result to the popup via runtime.sendMessage. |
storage | Persist user preferences (Settings) and short-lived caches (Check Status results, Yandex SQI 24-hour cache) in chrome.storage.local. No data is shared off-device. |
host_permissions: <all_urls> | (a) Keep the toolbar icon active on every page (otherwise Chrome grays it out until interaction), (b) make robots.txt and HEAD requests without CORS errors, (c) make HEAD requests for the «Check Status» feature on links the page contains. |
content_scripts (serp-numbering.js on Google/Yandex search) | Add position numbers to organic search results, only if you opt-in in Settings. Off by default. |
Remote code
The extension ships no remote code. There is no eval, no remote script, no dynamic import(), no fetch-and-eval pattern, and the manifest enforces a strict Content Security Policy:
script-src 'self'; object-src 'none'; base-uri 'none'All logic lives in the JavaScript files included in the ZIP package shipped to the Chrome Web Store.
Privacy-by-default
- Yandex SQI counter is off by default. The hostname of the current page is sent to
yandex.ruonly after you explicitly enable it in Settings. - SERP numbering is off by default. The content script does nothing until you enable Yandex or Google numbering in Settings.
- Yandex features as a whole (robots.txt rules, Webmaster shortcuts, search operators, SQI option, SERP-numbering option) are hidden by default in the English UI. They are always available in the Russian UI.
- Private hosts (intranet, localhost, RFC 1918) are excluded from
robots.txt,HEAD, SQI, and Check Status requests — the extension does not perform side-channel reconnaissance on local networks.
Children
The extension does not target children under 13 and does not knowingly collect any personal data about anyone — adult or child.
Changes to this policy
If we change this policy, we will update the Effective date at the top and publish the revision in the extension's repository.
Contact
- Website — mvweb.ru
- Telegram — @mvweb_ru
- Twitter / X — @MVweb_master