Security & Privacy Protection

Chrome extensions can be safe when developed responsibly and reviewed by Google. However, extensions request permissions that can access sensitive data. FlowRead prioritizes security by automatically blocking 200+ sensitive site patterns (banking, passwords, healthcare), using Manifest V3 architecture, and never storing your content long-term. Always review an extension's permissions before installing.

Extensions can access data based on their requested permissions. FlowRead minimizes this risk by: (1) blocking itself on password managers, banking sites, and login pages automatically, (2) processing content transiently without storage, (3) using TLS encryption for all communication, and (4) requesting only essential permissions (content access, storage, cookies).

Extensions with broad permissions can potentially access password fields. FlowRead automatically blocks all major password managers (1Password, LastPass, Bitwarden, Dashlane, NordPass, Keeper, RoboForm, Zoho Vault, Proton Pass, Enpass) and all login pages (accounts.*, login.*, signin.*, auth.*) preventing any access to password fields or vaults.

Only grant permissions necessary for the extension's core functionality. For text-to-speech extensions like FlowRead, essential permissions include: page content access (to read text), storage (to save preferences), and cookies (for authentication). Avoid extensions requesting clipboard, browsing history, downloads, or unnecessary host permissions.

Check for: automatic blocking of sensitive sites, Manifest V3 architecture, transparent privacy policy, minimal permissions, HTTPS/TLS encryption, enterprise authentication (OAuth/SAML), and a security contact email. FlowRead implements all of these security measures and publishes comprehensive documentation of our protections.

Yes, FlowRead is safe to use. The extension uses Manifest V3 architecture, automatically blocks 200+ sensitive sites (banking, passwords, healthcare), processes content transiently without long-term storage, encrypts all communication with TLS, and uses enterprise Clerk authentication. We publish comprehensive security documentation and provide security@flowread.io for vulnerability reports.

FlowRead collects minimal data: (1) Authentication data (email via Clerk), (2) Anonymous usage analytics via PostHog (which features you use, not content), (3) TTS conversion metadata (text length, voice selection, not the actual text content). Your reading content is processed transiently for audio generation and immediately discarded.

No. FlowRead processes your content transiently for text-to-speech conversion and does not store it long-term. Text is sent to our API, converted to audio with word timestamps, and immediately discarded. We don't build a database of articles you've read or retain the content.

No. FlowRead automatically blocks all banking sites using pattern matching (/bank/ domains) and explicitly blocks major financial services (PayPal, Stripe, Venmo) and investment accounts (Fidelity, Schwab, E*TRADE, TD Ameritrade, Vanguard, Robinhood). The extension won't initialize on these sites, preventing any access to financial data.

No. FlowRead intentionally blocks all major password managers for your security: 1Password, LastPass, Bitwarden, Dashlane, NordPass, Keeper, RoboForm, Zoho Vault, Proton Pass, and Enpass. Additionally, any vault.* subdomain or /vault URL path is blocked. This prevents any access to your stored credentials.

Yes. FlowRead complies with UK GDPR and Data Protection Act 2018. We use PostHog analytics in the EU region, process data under lawful bases (contract, legitimate interests, consent), provide data subject rights (access, erasure, portability), and maintain transparent privacy documentation. See our Privacy Policy for complete GDPR compliance details.

No. FlowRead never activates automatically on email services. Gmail and Outlook require manual activation-you must click the play button on a specific email to start listening. The extension doesn't run in the background scanning your inbox. Each email requires explicit user interaction to process.

FlowRead blocks 200+ site patterns across 10 categories: (1) Password managers, (2) Banking and financial sites, (3) Account/login pages (accounts.*, login.*, signin.*), (4) Payment processors and authentication, (5) Healthcare portals (HIPAA-protected), (6) Tax preparation sites, (7) HR/payroll systems, (8) Legal research platforms, (9) Cryptocurrency exchanges, (10) Government sites (.gov, .mil). See our complete blocklist on the security page.

FlowRead checks every URL against 200+ blocking patterns before initialization (under 10ms). Patterns include exact URLs (https://accounts.google.com), subdomain regex (/^https?:\/\/accounts\./), path regex (/\/login/), and domain patterns (/\.bank/). If matched, the extension stops initialization, sends a "Protected" message to the popup, and performs no content extraction.

Yes. FlowRead is designed for professionals handling sensitive information. It blocks HR/payroll portals (ADP, Workday, Paychex), legal research platforms (LexisNexis, Westlaw), healthcare systems, and financial services. Enterprise features include: Clerk authentication, Row-Level Security for data isolation, audit logging capability, and compliance with GDPR/data protection regulations.

Manifest V3 is Chrome's latest extension security standard (2024+). It provides stronger security than the older Manifest V2 through: stricter permission requirements, service workers instead of persistent background pages (better isolation), enhanced Content Security Policy enforcement, and restricted remote code execution. FlowRead uses Manifest V3 for improved security.

Row-Level Security is database-level protection that prevents unauthorized data access. In FlowRead, RLS policies ensure your sources, notebooks, and highlights are isolated-other users cannot access your data even if there's a vulnerability in the application code. This provides defense-in-depth security beyond application-layer controls.

FlowRead uses TLS encryption for all communication between the extension and our servers. Your text is encrypted in transit using HTTPS. Our database provider (Supabase) also encrypts data at rest using AES-256.

FlowRead requests minimal permissions: (1) Content access - to read text on pages for TTS, (2) Storage - to save your preferences and settings, (3) Cookies - for Clerk authentication, (4) Tabs - to detect navigation and manage extension state. FlowRead does NOT request: clipboard access, browsing history, downloads, bookmarks, or desktop capture.

No. FlowRead does not track your browsing history. We only collect anonymous analytics about FlowRead usage (which features you use, playback events) via PostHog. We don't know which websites you visit or build a profile of your browsing behavior. The extension only processes content when you explicitly click play.

Only if you explicitly enable "Allow in Incognito" in Chrome's extension settings (chrome://extensions). By default, Chrome extensions don't run in incognito mode unless you grant permission. FlowRead respects this privacy boundary and won't run in incognito unless you enable it.

Your text content is sent to DeepInfra (our TTS provider) for audio synthesis. DeepInfra processes the text to generate audio and word timestamps, then immediately discards it. We use DeepInfra under a data processing agreement. Your content is not used for AI training or shared with other third parties. See our Privacy Policy for the complete list of processors.

No. FlowRead requires an internet connection to convert text to speech via our API. However, this ensures your content is processed with high-quality neural voices and word-level timestamps. We don't store large AI models locally on your device, which would consume significant disk space and raise security concerns about local data storage.

FlowRead implements more comprehensive security measures than Speechify. Key differences: FlowRead blocks 200+ sensitive site patterns automatically (Speechify has limited blocking), uses zero long-term content storage (Speechify may cache), implements Manifest V3 (Speechify varies by version), and provides transparent security documentation. Compare our security page to competitors for detailed differences.

FlowRead provides stronger security controls: automatic blocking of 200+ sensitive sites vs Read Aloud's minimal blocking, enterprise Clerk authentication vs basic or no auth, zero content storage vs potential caching, and comprehensive privacy documentation. FlowRead is designed for users handling sensitive information.

Browser built-in TTS is generally secure since it processes content locally without network transmission. However, it lacks: smart site blocking (won't auto-block sensitive pages), high-quality neural voices, word-level highlighting synchronization, and speed control. FlowRead adds these features while maintaining security through site blocking, transient processing, and encryption.

FlowRead implements stronger privacy protections: automatic site blocking (Natural Reader has minimal blocking), zero long-term content storage (Natural Reader may retain content), privacy-first analytics in EU region (Natural Reader's analytics vary), and transparent security documentation. FlowRead is built for privacy-conscious users.

No. FlowRead automatically blocks all major tax preparation sites including TurboTax, H&R Block, TaxAct, FreeTaxUSA, TaxSlayer, and IRS.gov. The extension won't initialize on these sites, preventing any access to your tax documents, SSN, or financial information.

No. FlowRead blocks healthcare and medical portals that contain HIPAA-protected information. This includes patient portals, MyChart (Epic Systems), FollowMyHealth, HealthVault, and insurance portals (UnitedHealthcare, Anthem, Blue Cross Blue Shield, Aetna, Cigna, Humana). Medical privacy is protected by default.

No. FlowRead blocks all major cryptocurrency exchanges including Coinbase, Binance, Kraken, Gemini, and Crypto.com. The extension won't activate on crypto trading platforms, preventing access to your assets, private keys, or trading information.

No. FlowRead blocks HR and payroll portals that contain sensitive employee information. This includes ADP, Workday, Paychex, Paylocity, Paycom, UltiPro/UKG, and BambooHR. Your salary, benefits, SSN, and tax forms are protected from extension access.

No. FlowRead blocks legal research and court filing systems to protect confidential legal documents. This includes LexisNexis, Westlaw, Bloomberg Law, PACER (federal court records), and US Courts domains. Legal document confidentiality is maintained.

If you encounter a sensitive site where FlowRead activates (false negative) or a safe site that's incorrectly blocked (false positive), report it via https://flowread.featurebase.app/. We review all reports and update the blocklist regularly. Your feedback improves security for all users.

Currently, FlowRead uses a centrally-managed blocklist updated by our team. User-customizable blocking is planned for a future update. For now, you can report sites that should be added to the global blocklist via our feedback page.

FlowRead's blocklist is reviewed and updated regularly based on user reports, security research, and new service launches. Critical security updates (new payment processors, major service changes) are pushed immediately. General updates occur monthly.

Yes. FlowRead uses Clerk for authentication, an enterprise identity platform trusted by thousands of companies. Clerk provides: secure OAuth with Google/Microsoft, passwordless email magic links, optional two-factor authentication (2FA), session management, and security monitoring. Your account credentials are never stored by FlowRead-Clerk handles all authentication.

Yes. FlowRead supports two-factor authentication (2FA) through Clerk. You can enable 2FA in your account settings for enhanced security. Options include authenticator apps (Google Authenticator, Authy) and SMS-based verification.

If you suspect account compromise: (1) Change your password immediately via Clerk, (2) Enable two-factor authentication, (3) Review active sessions and revoke suspicious ones, (4) Contact support@flowread.io for assistance. Since FlowRead doesn't store your reading content, compromised accounts cannot access your historical reading data.

Content Security Policy is a browser security mechanism that restricts which scripts can execute in a web application or extension. FlowRead enforces a strict CSP that allows only scripts from trusted sources ('self') and prevents inline script execution. This reduces the risk of XSS (cross-site scripting) attacks and malicious code injection.

FlowRead prevents XSS (cross-site scripting) through multiple layers: (1) Strict Content Security Policy restricting script sources, (2) HTML sanitization for user-generated content using DOMPurify, (3) Input validation on all API endpoints, (4) No use of dangerous functions like eval() or innerHTML with untrusted data. These combined protections minimize XSS risk.

FlowRead uses UUIDs (Universally Unique Identifiers) for all resource IDs instead of sequential numbers. This means your sources, notebooks, and highlights have random IDs like "a3f2b8c9-4d1e-4f5a-9c2b-7e8f9a0b1c2d" instead of "1, 2, 3". This prevents enumeration attacks where attackers guess IDs to access other users' data.

Currently, Google Docs is blocked while we develop a specialized adapter for it. This ensures we can handle Google Docs' complex structure securely without risking data leakage. The adapter is under development and will be enabled once thoroughly tested.

FlowRead requires manual activation on social media (Twitter/X, Facebook, Instagram, LinkedIn) but doesn't completely block them. You can click the extension icon to activate FlowRead when needed. This "manual-only" approach protects your privacy while allowing flexibility for reading long social media content.

FlowRead can access local files if you enable "Allow access to file URLs" in Chrome's extension settings (chrome://extensions). However, this grants broad file system access. Only enable this if you specifically need to use FlowRead with local PDFs and trust the extension.

FlowRead is working toward SOC 2 compliance. Current security controls include: enterprise authentication (Clerk), database-level security (Supabase RLS), encryption in transit (TLS), audit logging capability, and access controls. SOC 2 certification is planned for 2026 as we grow our enterprise customer base.

FlowRead blocks all healthcare portals and patient management systems to protect HIPAA data. However, FlowRead itself is not currently HIPAA-compliant for processing protected health information (PHI). Healthcare organizations should not use FlowRead to process patient records or PHI. It can be used for general medical articles and non-PHI content.

FlowRead conducts regular internal security audits. We have identified and documented 200+ sensitive site patterns for blocking, implemented Manifest V3 security standards, and maintain comprehensive security documentation. Third-party penetration testing is planned for Q2 2026 before wider public launch.

Report security vulnerabilities responsibly to security@flowread.io. Include: description of the vulnerability, steps to reproduce, potential impact, and your contact information. We aim to respond within 24 hours for critical issues. We do not currently have a bug bounty program but plan to launch one in 2026.

No. Site blocking adds less than 10ms overhead per page load. FlowRead uses efficient pattern matching with caching-the performance impact is negligible. The security benefit (preventing sensitive data access) far outweighs the minimal performance cost.

If FlowRead blocks a site you believe is safe (false positive), the extension popup shows "Protected" status with a "Report Incorrect Blocking" link to https://flowread.featurebase.app/. Submit a report describing why the site should be allowed, and we'll review it. Updates typically roll out within 1-2 weeks.

Yes. Our security roadmap includes: user-customizable site blocking (allow/block specific domains), enhanced audit logging for enterprise users, SOC 2 compliance certification, third-party penetration testing, bug bounty program, and automatic security updates for new threat patterns. Follow our roadmap at https://flowread.featurebase.app/roadmap.

No. FlowRead has a permanent policy against using your content for AI training. Text processed through our TTS API is used only for audio generation and immediately discarded. We do not build datasets, train models, or sell data to third parties. This is a core privacy commitment.