Privacy Policy for the OC Vault Add-on
OC Vault by OrangeCheck
The OC Vault extension is a zero-knowledge browser companion to your vault at vault.ochk.io. It exists to fill saved logins and capture new ones; it does nothing else.
What the extension communicates with
Only two origins, both OrangeCheck:
- vault.ochk.io — to fetch your own encrypted vault (the passphrase-wrapped key escrow + ciphertext entry blobs) and your signed-in OrangeCheck identity.
- ochk.io — the OrangeCheck auth host, for the oc_session cookie that authenticates the calls above.
No third party. No analytics. No telemetry. No remote code. The extension's content-security policy (script-src 'self'; object-src 'self') makes loading remote code impossible.
What is inside those bytes?
The blobs are encrypted client-side under a key derived from your passphrase before they leave the browser. OrangeCheck only ever holds ciphertext. The categories of data inside that ciphertext are declared in the manifest's data_collection_permissions:
- Authentication information — your saved logins, TOTP seeds, API keys.
- Personally identifying information — entries of the identity type (name, email, phone, address) and your OrangeCheck identity itself.
- Financial / payment information — entries of the card type.
- Website content — the username and password values you just typed into a login form, read at submit time so the extension can offer to save them.
- Website activity — the origin of the page being filled, used for origin matching (matched locally; never transmitted).
What stays on your device, never transmitted:
- Your vault key, derived from your passphrase. Held only in the service worker's memory and a RAM-only storage.session slot — never written to disk, wiped on browser close, re-derived on the next unlock.
- Decrypted entries, transiently, while the popup is open or a fill is in flight.
- Origin matching — deciding whether to offer a saved credential on the current page happens locally. The URL never leaves the browser.
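The local origin matching described above can be illustrated with the following added example, which is not the extension's own code. The entry shape ({ origin, username }) and the function names are assumptions made for illustration; the sample entries are constructed.

```javascript
// Added example: exact-origin matching done entirely in the browser.
// Nothing here performs a network call; the page URL is only compared locally.
// The entry shape ({ origin, username }) is an assumption, not the extension's schema.

// Reduce any URL to its scheme + host + port tuple, or null if it has none.
function normalizeOrigin(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return null; // not a parseable URL
  }
  // Only http(s) pages carry a tuple origin worth matching a login against.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  // url.origin lowercases the host, drops default ports, and ignores
  // path, query, fragment and any userinfo ("user@") part.
  return url.origin;
}

// Return only the entries whose stored origin equals the page's origin exactly.
// No suffix or substring matching, so lookalike hosts never match.
function matchEntries(pageUrl, entries) {
  const pageOrigin = normalizeOrigin(pageUrl);
  if (pageOrigin === null) return [];
  return entries.filter((e) => normalizeOrigin(e.origin) === pageOrigin);
}

// Constructed sample entries (already decrypted, in memory only).
const SAMPLE_ENTRIES = [
  { origin: 'https://example.com', username: 'alice' },
  { origin: 'https://login.example.com:8443', username: 'alice-admin' },
];

// Same origin despite different case, explicit default port, and path.
console.log(matchEntries('https://EXAMPLE.com:443/login?next=/', SAMPLE_ENTRIES));
// Lookalike host: the stored host is only a prefix of this one.
console.log(matchEntries('https://example.com.evil.test/login', SAMPLE_ENTRIES));
// Plain-HTTP version of a saved HTTPS origin: scheme differs, no offer.
console.log(matchEntries('http://example.com/login', SAMPLE_ENTRIES));
```

Comparing the full scheme, host and port tuple means a credential saved for an HTTPS origin is not offered on its plain-HTTP counterpart or on a different port of the same host.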
What is cached locally (ciphertext only)
- Encrypted vault blobs and the passphrase-wrapped key escrow, in chrome.storage.local — so the popup opens instantly and survives a service-worker restart. Nothing plaintext is ever written.
- Non-secret settings (auto-lock minutes, the autofill toggle, the clipboard-clear delay).
Capture
When you submit a login form, the content script reads the values you just typed into the page's own input fields and sends them to the extension's service worker. The page already holds those values; the extension reads them only at the submit gesture, holds them in memory, and offers a save prompt. Nothing is written to vault.ochk.io until you click save — and what is written is ciphertext, encrypted client-side.
What we never do
- Sell, rent, or transfer any data to a third party.
- Run analytics, telemetry, error reporting, or any diagnostic phone-home.
- Use the data for advertising, profiling, or any purpose unrelated to operating your vault.
Where to go from here
- Full OC Vault privacy policy: https://vault.ochk.io/privacy
- Security model: https://docs.ochk.io/vault/security
- Source code (MIT): https://github.com/orangecheck/oc-vault-extension
- Contact: https://ochk.io/contact