Grizzly Privacy Policy
Last updated: June 6, 2026
Introduction
Grizzly is a phishing-detection platform developed by Upstream Labs. It includes a Chrome extension, a scan API, a web app for managing your account and scans, and public scan result pages. This policy explains what we collect across all of these surfaces, how we use it, and what we don't do with it.
The short version: the Chrome extension is anonymous and stores nothing about you on our servers. The API and web app require an account, so we store the minimum needed to run the service — your sign-in profile, a hashed API key, and the scans you submit. We never collect your passwords, credentials, or browsing history, and we never sell your data.
Information We Collect
Grizzly for Chrome (browser extension)
The extension analyzes characteristics of the page you're viewing to detect phishing and credential-harvesting behavior, so it can warn you before you enter sensitive information. It does not collect or store:
- Personally identifiable information (such as your name, email address, or account identifiers)
- Passwords, credentials, or form input contents
- Browsing history
- Financial or payment information
- Personal communications
The extension uses a random, per-installation identifier (a device ID) for operational purposes only — rate limiting, abuse prevention, and aggregate metrics. It is never linked to any personal information and cannot be used to identify you.
Grizzly API and web app
Using the API or web app requires an account, so here we do collect some information:
- OAuth profile. When you sign in with Google or GitHub, we receive and store your name, email address, and profile image.
- API keys. We store a hashed version of your API key plus a short prefix to help you recognize it. We never store the full key after it's created.
- Scan submissions. The URLs you submit, along with the resulting verdict and related metadata (final URL, host, timestamp). Result pages are public by default — anyone with the link can see the verdict.
- Usage data. Records of your API requests (endpoint, status, timestamp, latency) used to enforce rate limits and operate the service.
- Email preferences. Whether you've opted in to product or marketing emails.
How We Use Information
We use the information above only to operate and improve the service:
- Classify the URLs you submit and render scan result pages
- Authenticate you, and let you manage your account and API keys
- Enforce rate limits and prevent abuse
- Send transactional messages (e.g. account or security notices), and product emails only if you've opted in
We do not use your data for advertising, and we do not sell it.
Data Sharing
We don't sell or rent your data, and we don't share it with third parties for their own marketing. We rely on a small set of service providers (sub-processors) strictly to run Grizzly, and they only process data as needed to provide their function:
- Render — hosting and database
- Google and GitHub — OAuth sign-in
- Resend — transactional and product email
Data Retention
We retain user data for as long as your account is active.
- Account data (name, email, OAuth profile information): retained until you delete your account.
- API keys: retained until you rotate or revoke them, or delete your account.
- Scan submissions: retained while your account is active so that scan result pages remain accessible and historical lookups are possible.
- Chrome extension: no data is retained server-side. The extension stores device-local preferences only.
If you delete your account, we delete the associated data within a reasonable period. To request account or data deletion, contact us at support@grizzlysec.com.
Security
All connections use HTTPS. API keys are stored hashed at rest — never in plaintext. Your session is a signed token rather than a server-side session record. We take reasonable technical and organizational measures to protect the data we hold and use it only for its intended purpose.
Your Rights
You can request a copy of the personal data we hold about you, ask us to correct it, or ask us to delete it. You can rotate or revoke your API key at any time from your dashboard. To exercise any of these, contact us at support@grizzlysec.com.
Children's Privacy
Grizzly is not directed at children under 13, and we do not knowingly collect personal information from them. If you believe a child has provided us personal information, contact us and we will delete it.
Changes to This Policy
We may update this policy from time to time as the service evolves. Any material changes will be reflected on this page with an updated revision date.
Contact
If you have questions about this policy, you may contact:
Upstream Labs
Email: support@grizzlysec.com