Mask

Privacy Policy

What Mask sees, what it stores, and what it doesn’t.

Mask is a fintech app. It is delivered as a Chrome extension and a web dashboard that mint single-use virtual cards from your Stripe Link wallet and autofill them at checkout. This policy explains exactly what happens to the data that flows through it. Effective May 14, 2026.

1. Who runs Mask

Mask is operated by an independent developer. Contact: aayanagarwal05@gmail.com. Mask is not affiliated with Stripe, Inc., Google LLC, or any card network.

2. The two surfaces of Mask

Mask is delivered as two complementary surfaces. They share one account and one backend, but the data they touch is different.

  • Web dashboard (this site, at the Mask domain) — where you join the waitlist, sign in with Google, pair your Stripe Link wallet, manage your virtual cards, edit your profile and notification preferences, and trigger mints from a desktop browser.
  • Chrome extension — where Mask reads the merchant domain and amount on a checkout page you are actively visiting, asks the backend to mint a single-use virtual card, and autofills that card into the checkout form for you.

Sections 3–6 below describe data common to both surfaces. Sections 7–8 describe data specific to each surface.

3. What we collect (shared across both surfaces)

We collect only what is required to issue a virtual card and let you manage it.

  • Account identity. When you sign in with Google we receive your email address, your Google profile name, your Google profile photo URL, and a stable Firebase user ID derived from your Google account. We do not receive your Google password.
  • Stripe Link account binding. After you pair your Stripe Link wallet, Mask stores the authentication payload returned by Stripe Link, the wallet account ID, and the last four digits and brand of each funding card on file. The payload is rotated by Stripe on every backend call. We never receive or store your Stripe Link password.
  • Card mint events. For each virtual card you mint, we store the merchant domain, the merchant display name, the amount you set, the card’s last four digits, the brand, the issue and expiry timestamps, the freeze state, and any label, emoji, or category you assign.
  • Idempotency cache (this is where the full virtual card number lives). So that an accidental refresh or retry does not mint a second card, the full mint response — including the virtual card number, CVC, expiry, and billing-address envelope — is cached in our database for 24 hours keyed by your user ID and the idempotency key. After 24 hours the record is deleted. This cache is gated by the same per-user security rules as the rest of your data and is read only when you replay an identical mint request.
  • Profile preferences. Your display name, optional billing address (used to prefill checkouts), and notification toggles, all editable on the dashboard.
  • Audit log. A separate, append-only record of mint events, freezes, closes, and wallet pairings, kept for accounting and abuse review.
  • Operational logs. Cloud Run access logs (IP, timestamp, request path, response code) retained for up to 30 days for abuse and reliability monitoring.

4. What we never collect

  • The pages you visit. The extension only reads the page you are actively checking out on, at the moment you trigger a mint, and only the merchant domain and the amount inputs on that page.
  • Form contents from sites where you have not minted a card.
  • Your Stripe Link password or any funding card PAN.
  • Your Google password or any other credential used to sign in with Google.
  • Telemetry, behavioural analytics, ad identifiers, or third-party trackers. Mask ships no analytics SDK on either surface.

5. How a mint flows end-to-end

When you press “Mint” — from either the dashboard or the extension popup — the merchant domain, the amount, and an idempotency key are sent to our backend (Cloud Run, US region). The backend calls Stripe Link on your behalf using your stored authentication payload, receives the freshly minted virtual card, writes the non-sensitive portion (last four digits, brand, expiry, merchant, label) to your card-events list, writes the full mint response to the 24-hour idempotency cache described above, and returns the card to your browser.

On the extension, the full card number is then forwarded from the background service worker to the active tab’s content script via chrome.tabs.sendMessage, where it is typed into the checkout form fields and discarded as soon as the message handler returns. On the dashboard, the full card number is rendered once in the card-detail view with a copy-to-clipboard control and is not retained anywhere on disk in the browser.

6. Where the data is stored

  • Cloud Run, Firestore, and Secret Manager in Google Cloud (us-central1).
  • Firebase Authentication for account identity.
  • Stripe Link operates the underlying virtual-card issuance and holds the funding relationship with your bank.
  • Resend (transactional email provider) for waitlist confirmations and invite emails — receives only your email address and the email content.

7. Web dashboard specifics

On the dashboard we additionally process:

  • Waitlist signup. If you join the waitlist before you have an account, we record your email, a referral code we generate for you, your signup rank (an internal counter), the referral code that referred you (if any), an IP-derived rate-limit fingerprint, and the timestamp of your last confirmation email. We use this only to send transactional emails and to space invite batches; we do not display your position in line.
  • Invite codes. When you redeem an invite to create an account, we record that the code was redeemed, by which user, and when. Unredeemed codes carry the recipient email and an expiry timestamp.
  • Session cookie. After Google sign-in we set a single HTTP-only, SameSite=Lax cookie named mask_session that holds a short-lived Firebase session token, used to authenticate dashboard requests to our API.
  • Email log. We keep a record of which transactional emails (confirmations, invites) we sent to which address, the timestamp, and the provider message ID, so we can debug delivery issues.

8. Chrome extension specifics

On the extension we additionally process:

  • Active tab access. The extension uses the activeTab permission to read the URL and form structure of the page you are actively checking out on, and only for the duration of a mint you explicitly trigger. It does not watch other tabs or background pages.
  • Local extension storage. Inside the browser, the extension uses chrome.storage.local to hold your Firebase ID token, refresh token, and a cached identity row so you stay signed in across browser restarts. It uses chrome.storage.session to hold the currently active mint state and pairing state (cleared on browser restart). Neither surface ever writes the full virtual card number to chrome.storage; the PAN is held transiently in memory only.
  • OAuth scopes the extension requests. When you sign in with Google through the extension, Mask requests three scopes via Chrome’s identity API: openid (confirms you are a real Google account), userinfo.email (used as your Mask account identifier so the same account works on the dashboard), and userinfo.profile (display name + avatar shown in the popup). The Chrome access token is exchanged once with Google’s Identity Toolkit for a Firebase ID token; the original Google access token is not stored on our servers.

9. Who we share data with

We do not sell or rent your data. We share what is strictly necessary with:

  • Stripe Link — to mint and manage virtual cards on your behalf.
  • Google Cloud / Firebase — as our hosting, authentication, and database provider.
  • Resend — to deliver transactional emails (waitlist confirmations, invites).
  • Cloudflare Turnstile (when enabled) — for bot-protection on the waitlist join endpoint.
  • Law enforcement — only when compelled by a valid legal process.

10. How long we keep data

  • Account, profile, card-event, and audit records: retained while your account is active and for 30 days after deletion.
  • Idempotency cache (including the full virtual card number): 24 hours, then auto-deleted.
  • Stripe Link auth payloads: retained while your wallet is paired; deleted within 24 hours of you disconnecting the wallet.
  • Waitlist entries: retained until you redeem an invite or request deletion.
  • Email log: 90 days.
  • Access logs: 30 days.

11. Your controls

  • Disconnect your wallet at any time on the dashboard Profile page; this immediately revokes the stored Stripe Link auth payload.
  • Delete your account by emailing aayanagarwal05@gmail.com from the address on your account; we will purge all records within 7 days.
  • Sign out from the extension Profile tab or the dashboard user menu to clear all tokens stored in chrome.storage.local or in the mask_session cookie.
  • Leave the waitlist by emailing the same address from the email you signed up with; we will delete your entry.

12. Security

Transport is TLS 1.2+. Firestore writes are gated by per-user security rules and a shared-secret check for legacy extension calls. Stripe Link auth payloads, idempotency-cache rows, and waitlist entries are stored in Firestore with restricted access to the backend service account only. We do not back up or export any database to non-Google infrastructure.

13. Children

Mask is not directed to anyone under 18. We do not knowingly collect data from minors.

14. Changes to this policy

We may update this policy from time to time. The current version always lives at this URL with the effective date at the top. Your continued use of Mask after that date constitutes acceptance of the updated policy.

15. Contact

Questions, deletion requests, or data-export requests: aayanagarwal05@gmail.com.