Privacy Policy
Vendor Risk Check
Last updated: April 17, 2026
1. Introduction
This Privacy Policy ("Policy") explains the information collection, use, and sharing practices of FedBase ("we," "us," and "our") with respect to the Vendor Risk Check browser extension ("Extension") and the related FedBase services ("Services").
Before you install or use the Extension, please review this Policy. By installing or using the Extension, you agree to the collection, use, and disclosure of information as described here. If you do not agree, please do not install or use the Extension.
2. Our Principles
- Privacy policies should be human-readable and easy to find.
- We collect the minimum data required to make the Extension work.
- We do not sell your data to third parties.
- Data practices should meet the reasonable expectations of users.
3. What the Extension Does
Vendor Risk Check runs on LinkedIn company pages, Crunchbase organization pages, Google search results, and fedbase.io. When you visit a supported page, the Extension reads public content that is already visible to you in your browser (for example, a company name on a business listing) and sends a small, targeted request to the FedBase API at https://crpapi-production.up.railway.app to look up publicly available risk signals from US federal databases.
The Extension does not crawl websites in the background, does not read pages you have not visited, and does not collect content from websites outside the following host permissions:
- https://www.linkedin.com/*
- https://www.crunchbase.com/*
- https://*.google.com/*
- https://fedbase.io/*
- https://crpapi-production.up.railway.app/*
4. Information We Collect
Information automatically sent to the FedBase API
- Page subject data. A short, public identifier pulled from the page you are actively viewing — typically a company name, business listing title, revenue/asking price, or industry label. This is the data a human reader sees on the page.
- Request metadata. Standard HTTP request metadata (IP address, user agent, timestamp) required to serve the API response. We use this only for rate-limiting, abuse prevention, and aggregate analytics.
Information stored locally in your browser
- Preferences and UI state via chrome.storage (for example, whether the side panel is open, dismissal state of the floating badge). This never leaves your browser.
Information we do not collect
- We do not collect your full browsing history.
- We do not read the contents of pages outside the host permissions listed above.
- We do not collect passwords, financial account data, health data, authentication credentials, or other sensitive categories.
- We do not sell personal information to third parties.
5. How We Use the Information
- To look up public federal risk signals for the company you are viewing and return them to your browser.
- To maintain, troubleshoot, and improve the Extension and the FedBase API.
- To prevent abuse, enforce rate limits, and protect the integrity of the Services.
- To comply with applicable law.
6. Sharing and Disclosure
We do not sell or rent personal data. We may disclose information in the following limited circumstances:
Service Providers
We rely on third-party infrastructure providers (Railway.app for hosting, and the operators of the underlying federal data sources for source material). These providers process request metadata only as necessary to deliver the Services.
Legal Compliance
We may disclose information if required by law, subpoena, court order, or to protect the rights, property, or safety of FedBase, our users, or the public.
Business Transfers
If FedBase is acquired, merged, or transfers its assets, user information may be one of the transferred assets. We will provide notice of any such change.
7. Data Sources and Nature of Results
The risk signals returned by the Extension come from publicly available US federal datasets, including SAM.gov exclusions, OFAC SDN, HHS OIG exclusions, CFPB consumer complaints, FDIC bank financials, Federal Reserve enforcement actions, EPA ECHO compliance, IRS nonprofit BMF, SBA 7(a)/504 FOIA loan data, and CourtListener bankruptcy dockets.
FedBase is not a consumer reporting agency under the Fair Credit Reporting Act (FCRA). The Extension must not be used for decisions about consumer credit, employment, insurance, housing, or other purposes regulated by the FCRA, 15 U.S.C. §§ 1681 et seq. Matches shown by name similarity may include false positives; always verify with the primary source before taking any action.
8. Your Choices and Rights
Uninstalling
You can remove the Extension at any time from chrome://extensions. Removal stops all data transmission from your browser and clears locally stored preferences.
Access, Correction, Deletion
Because the Extension does not create user accounts and does not store personal content on our servers beyond transient request logs, most users have nothing on file to access or delete. If you believe we hold information about you, contact [email protected] and we will respond within 30 days.
EEA, UK, and California Residents
Subject to applicable exceptions, residents of the EEA, UK, and California (and other jurisdictions with comparable laws) have the right to access, correct, port, or delete personal data, and to object to or restrict processing. Submit requests to [email protected].
9. Data Retention
Transient request logs are retained for a maximum of 30 days for abuse-prevention and debugging purposes, then deleted. Aggregate, de-identified analytics may be retained indefinitely. We do not build user-level profiles.
10. Children
The Extension is intended for users 18 years of age or older and is not directed at children. We do not knowingly collect data from children under 13 (US) or 16 (EU).
11. Security
We use HTTPS for all API traffic, enforce rate limits, and apply standard operational safeguards. No system is perfectly secure; we cannot guarantee that all unauthorized access will be prevented.
12. Changes to This Policy
We may update this Policy to reflect changes to the Extension or applicable law. Material changes will be indicated by revising the "Last updated" date. Continued use of the Extension after an update constitutes acceptance of the revised Policy.
13. Contact
Questions or requests about this Policy:
[email protected]