Security
TelPrompt is built to be secure by architecture rather than by audit. The smaller the surface, the fewer the ways to compromise it. We aim for the smallest possible surface.
Short version. The extension holds one permission (storage). It cannot read web pages, send network requests on your behalf, or transmit your data. Your audio stays on-device. Your scripts stay on-device. If you find a vulnerability, email [email protected].
Architecture-level guarantees
- No page access. The Chrome extension manifest declares no activeTab, no scripting, and no host permissions. There is no content script. There are no web-accessible resources. The extension is structurally incapable of interacting with any web page you visit.
- Single permission: storage. Used to save your settings and script library to chrome.storage.local. Local-only.
- On-device speech. Voice tracking uses Chrome's processLocally: true mode. Your audio never leaves your machine. If on-device recognition isn't available for your language, the extension switches to Fixed Pace mode rather than silently falling back to a cloud service.
- No telemetry. The extension makes no network requests of its own. Anything you type, save, mirror, or read aloud stays on your device.
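The manifest guarantees listed above can be checked mechanically rather than taken on trust. The following is an added example, not TelPrompt's own code: audit_manifest is a hypothetical helper, and both sample manifests are constructed to show a manifest that matches the stated surface beside one that quietly exceeds it.

```python
import json

# Permissions the page claims the extension holds: exactly one.
ALLOWED_PERMISSIONS = {"storage"}

# Manifest keys that would give an extension a foothold on pages it visits.
PAGE_SURFACE_KEYS = ("content_scripts", "host_permissions", "web_accessible_resources")


def audit_manifest(manifest: dict) -> list[str]:
    """Return findings where the manifest exceeds the stated surface; [] means it matches."""
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    extra = perms - ALLOWED_PERMISSIONS
    if extra:
        findings.append(f"unexpected permissions: {sorted(extra)}")
    for key in PAGE_SURFACE_KEYS:
        if manifest.get(key):  # present and non-empty
            findings.append(f"{key} declared: page surface is not empty")
    # MV2-style manifests carry host match patterns inside "permissions" itself.
    for p in sorted(perms):
        if p == "<all_urls>" or "://" in p:
            findings.append(f"host match pattern in permissions: {p}")
    return findings


# Constructed sample: the shape described above (one permission, nothing else).
SAMPLE_MINIMAL = {
    "manifest_version": 3,
    "name": "example-extension",
    "version": "1.0",
    "permissions": ["storage"],
    "action": {"default_popup": "popup.html"},
}

# Constructed sample: the same extension if a later release grew a page surface.
SAMPLE_OVERREACH = {
    "manifest_version": 3,
    "name": "example-extension",
    "version": "1.1",
    "permissions": ["storage", "activeTab", "scripting"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}


def audit_file(path: str) -> list[str]:
    """Audit a manifest.json on disk, e.g. from an unpacked extension directory."""
    with open(path, encoding="utf-8") as fh:
        return audit_manifest(json.load(fh))


if __name__ == "__main__":
    for label, m in (("minimal", SAMPLE_MINIMAL), ("overreach", SAMPLE_OVERREACH)):
        print(label, audit_manifest(m) or "OK: matches stated surface")
```

A clean manifest proves only the absence of declared page access; the no-telemetry claim still depends on the bundled JavaScript making no fetch or XMLHttpRequest calls, which a manifest audit cannot see.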
What we control on this website
- HTTPS-only with HSTS in production.
- No third-party trackers, ad networks, or fingerprinting scripts.
- Single first-party session cookie for account access. Marked Secure, HttpOnly, SameSite=Lax.
- Stripe handles payments. We never see card details.
- Email + password auth with bcrypt-hashed passwords. We do not store plaintext credentials.
Responsible disclosure
If you've found a security issue in the extension, this website, or our infrastructure, we want to hear about it before anyone else does. Please:
- Email [email protected] with reproduction steps. PGP encryption available on request.
- Give us 90 days to confirm and fix the issue before publishing.
- Don't test against accounts you don't own, exfiltrate user data, or perform denial-of-service.
In return:
- We'll acknowledge your report within 3 business days.
- We'll keep you updated as we investigate.
- For confirmed vulnerabilities, we'll credit you in the release notes (if you'd like).
- For high-severity findings, we may pay a bounty proportional to impact — case-by-case for now.
Out of scope
- Reports generated by automated scanners without manual verification.
- Missing security headers on static marketing pages (we'll add them if they protect anything, but most don't matter on pages with no auth surface).
- Self-XSS, social engineering, physical attacks.
- Vulnerabilities in third-party services we use (Stripe, our email provider) — please report those to the relevant vendor.
Hall of fame
Confirmed researchers who've helped harden TelPrompt will be credited here. (We've shipped one major architecture release; this list will grow.)
Contact
Security questions: [email protected]
General support: visit the support page