Legal
Security & data handling
Last updated June 24, 2026
HotKeyNavigator is local-first by design. Your workflows execute on your device, not on our servers — which is both faster and far harder to leak.
Local-first execution
Shortcuts, macros, sequences, and JavaScript functions run entirely in your browser. There is no server round-trip in the hot path, so actions fire instantly and nothing about what you are doing leaves the machine.
Manifest V3 & minimal permissions
The extension is built on Manifest V3 and requests only the permissions it needs to do its job. There is no broad data collection and no telemetry on the content of your workflows.
What never leaves your device
On every tier, the following are never transmitted to us:
- The pages you visit.
- The text you select.
- Your keystrokes.
- The contents of any page the extension reads or acts on.
What does leave your device
To run accounts and billing, two things are stored server-side:
- For all users: your account email and your plan/entitlement state.
- For Pro with cloud sync enabled: your own configuration blob — shortcuts, templates, JavaScript functions, profiles, and Vim config — stored under your private, access-controlled row.
Cloud sync is opt-in and covers your configuration only, never page content. Access to your synced configuration is protected by row-level security so it is readable only by your account.
Reporting an issue
If you believe you have found a security vulnerability, please email us at support@hotkeynavigator.com so we can investigate and fix it promptly. Please give us a reasonable chance to respond before disclosing it publicly.