Habeas

Privacy Policy

Last updated: 6 July 2026

Habeas is a free, open-source (AGPL-3.0) browser extension that helps you extract your own personal data — receipts, invoices, card and investment records — from services that offer no API or export, entirely inside your own, already-authenticated browser session. Habeas is not a company and runs no servers that see your documents. This policy explains, plainly, what the extension touches and where anything goes.

The short version: Habeas is local-first. Your documents and your login session never leave your browser unless you choose a destination. It never reads, stores, or transmits your passwords. It only ever sends your data to a place you pick (a download, a local folder, your own Google Drive, or an endpoint you configure).

1. What data Habeas accesses

Habeas never reads, stores, transmits, or autofills your credentials. You log in yourself, including any MFA. There is no background scraping while you are away.

2. Where your data goes (destinations)

Nothing leaves your browser unless you select a destination for a document. The destinations are:

3. Google user data (Google Drive)

If, and only if, you connect Google Drive as a destination, Habeas requests the https://www.googleapis.com/auth/drive.file scope.

Limited Use disclosure. Habeas's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

4. Community sources catalog

The extension can browse a public catalog of community-contributed "source" definitions (habeas-dev.github.io/sources). These are static JSON files describing how to read a given service. Browsing or installing them sends no personal data.

5. Ratings & comments (optional)

If you rate or comment on a source, that text and star rating are sent to api.habeas.dev and stored so others can see them. To limit abuse we store a salted hash of your IP address (never the raw IP) for rate-limiting. No account, name, or email is required or collected. Don't submit personal information in a comment.

6. Site integrations (external hooks)

A website you use may ask Habeas to set up a data flow or to collect on your behalf. This never happens silently: a site can only route data back to its own origin, and nothing is registered or run until you explicitly approve it in Habeas. You can revoke any such integration at any time in Settings.

7. Analytics & tracking

The extension contains no analytics, telemetry, or third-party trackers, and self-hosts its fonts (no third-party font requests).

8. Data retention & your control

Everything Habeas keeps lives on your own device. Remove documents from a destination as you would any file; clear the extension's settings, ledger, and activity log at any time from its options or by removing the extension. Session data is memory-only and gone when you close the browser.

9. Legal basis

Habeas operates on your own data, in your own session, via software you run (GDPR Art. 20 data portability / habeas data). Each service's Terms of Service may restrict automated access; complying with them is your responsibility.

10. Children

Habeas is not directed to children under 13 (or the equivalent minimum age in your jurisdiction).

11. Changes

We may update this policy; the "Last updated" date will change and material changes will be noted in the GitHub repository.

12. Contact

Questions or requests: open an issue at github.com/habeas-dev/habeas.