Privacy Policy for SEA Tracker

Effective Date: June 2, 2026 | Last Updated: June 5, 2026

Welcome to SEA Tracker, a Chrome Extension connected to the Manassat Platform(https://manassat.vercel.app). This Privacy Policy describes in full detail what data we collect, how we use it, how we store it, and with whom — if anyone — we share it.

1. Single Purpose Statement

SEA Tracker has one single purpose: to verify and record user interaction events (likes and comments) on assigned Facebook and Instagram posts as part of marketing tasks defined on the Manassat platform, and to sync task completion back to the user's personal dashboard.

2. Data We Collect

The extension collects and processes the following data:

Data Type	Description	Purpose
Email Address	User login email for authentication	Account identity & session management
Password	User password submitted only during login. Transmitted securely over HTTPS to Firebase Authentication REST API. Never stored locally or on our servers.	Authentication only — used once to obtain a secure token
Authentication Token (ID Token)	Encrypted JWT token issued by Firebase Auth via REST API after successful login	Secure API access to Manassat backend
Refresh Token	Long-lived token used to renew the ID token every 55 minutes without requiring re-login	Maintain continuous secure session
Post ID	Numeric or alphanumeric identifier extracted from the active Facebook/Instagram page URL or DOM	Match current page to assigned task
Interaction Event	Type of interaction performed (like or comment), platform (facebook/instagram), and associated task ID	Record task completion on the server
Active Task ID	The ID of the marketing task currently assigned to the user	Link interactions to the correct task

3. Password Handling

The extension collects the user's password solely for the purpose of authentication. Here is exactly how it is handled:

The password is transmitted directly and exclusively to Google's Firebase Authentication REST API (https://identitytoolkit.googleapis.com) over a secure HTTPS connection.
The password is never stored locally on the user's device (not in chrome.storage, cookies, or any other mechanism).
The password is never stored on Manassat servers or any third-party server.
The password is never logged, cached, or transmitted to any party other than Firebase Authentication.
After successful authentication, only the resulting encrypted JWT token is stored in chrome.storage.local — the password itself is immediately discarded.

4. How We Collect Data

Authentication: Login credentials are submitted directly to the Firebase Authentication REST API (identitytoolkit.googleapis.com). We never store raw passwords. Only the returned ID token and refresh token are stored locally via chrome.storage.local.
Interaction Detection: The content script listens for touchstart and click events on Facebook and Instagram pages. When a matching interaction element (like or comment button) is detected, the Post ID is extracted from the page URL or DOM metadata.
Task Matching: The extension queries the Manassat API to retrieve the user's currently assigned active task, and matches it against the current page.

5. How We Use Your Data

To authenticate users and maintain a secure session.
To verify that the user has completed the assigned interaction task.
To record verified interactions in the Manassat database and update the user's earnings and interaction count.
To prevent duplicate interaction submissions within a 30-second window.

We do NOT use your data for: advertising, user profiling, behavioral tracking, analytics sold to third parties, or any purpose outside the extension's stated single purpose.

6. Data Storage

Local Storage: Authentication tokens (authToken, refreshToken) and user email are stored exclusively in chrome.storage.local on the user's device. This storage is sandboxed and inaccessible to external websites or scripts.
Server Storage: Verified interaction records (user ID, task ID, action type, platform, post ID, timestamp, and earnings) are stored securely in a Firebase Firestore database hosted on Google Cloud infrastructure.
Retention: Interaction records are retained for operational and payroll purposes. Users may request deletion of their data by contacting us.

7. Data Sharing

We share data with the following parties only:

Party	Data Shared	Reason
Firebase Authentication (Google)	Email and password — for authentication only	Identity verification & token issuance
Firebase Firestore (Google Cloud)	Interaction records, user ID, task ID	Backend database hosting
Manassat Platform API	Task ID, interaction type, post ID, user ID	Core platform functionality

No other third parties receive any user data. We do not sell, rent, trade, or disclose user data to advertisers, data brokers, or any other entities.

8. Data Security

All API communications use HTTPS encryption.
Passwords are never stored — only JWT tokens are retained after authentication.
Authentication uses industry-standard Firebase JWT tokens with automatic 55-minute rotation.
No remote code is loaded or executed — all extension code is bundled locally.
The extension does not use eval(), inline scripts, or any external script sources.

9. User Rights & Control

Logout: Clicking "تسجيل الخروج" (Sign Out) in the extension popup immediately clears all locally stored tokens and session data.
Uninstall: Removing the extension from the browser permanently deletes all locally stored data.
Data Deletion: Users may request deletion of their server-side interaction records by contacting us at the address below.

10. Changes to This Policy

We may update this Privacy Policy to reflect changes in extension functionality or legal requirements. The "Last Updated" date at the top of this page will reflect any changes. Continued use of the extension after updates constitutes acceptance of the revised policy.

11. Contact Us

For any questions, data deletion requests, or privacy concerns, please contact us:

Platform: manassat.vercel.app
Contact: https://c.manassatghair.com/contactus/