SafeCart

Protects online shoppers from phishing, tracks payments, and surfaces data-breach alerts.

SafeCart is a free safety net for online shopping. It watches for scams while you check out, keeps a private record of what you bought, and warns you when a store you use is caught in a data breach — so you can shop without that "wait, is this site even real?" feeling. Everything below is free. No ads, no data sales, no account required to get protected. PHISHING & FAKE-STORE PROTECTION The moment you reach a checkout page, SafeCart checks the site against Google Safe Browsing, PhishTank, and built-in phishing heuristics, and looks at how old the domain is (most scam stores are only days old). If something's off — a brand-name typo, a freshly registered domain, a suspicious top-level domain — it locks the card field and shows a clear warning BEFORE you type your number. PAYMENT TRACKING & CHARGEBACK HELP After a checkout, SafeCart privately records what you bought and from where — stored on your own device. If an order can't be confirmed, you get a notification with a ready-to-send chargeback template and the merchant's real support contact. DATA-BREACH ALERTS Once a day, SafeCart checks the stores you've shopped at against Have I Been Pwned. If one turns up in a breach, you'll see which store, what leaked, and exactly what to do next — change a password, replace a card, freeze your credit — in plain language. PRIVACY YOU CAN VERIFY • Gmail receipt-matching is optional and read-only — it runs entirely in your browser and never sends email content to our servers. • Phishing checks send only the checkout page's URL to a keyless proxy. Breach checks send only public store domains (e.g. "example.com") — never your email, password, or anything that identifies you. • Your purchases are stored locally, on your device. • No ads. No analytics SDKs. No data sales. Full privacy policy: https://hewzijian.github.io/safecart-privacy/ HOW IT WORKS 1. Install — the defaults cover most people. 2. Shop — SafeCart stays silent on safe sites and only steps in when there's a real risk. 3. (Optional) Create a free account or connect Gmail to auto-match receipts. Both are optional; the core protection works without either. Built by a solo developer who got tired of watching people get scammed at checkout. Hit a checkout that's wrongly flagged, or a scam page that slipped through? Report it — the engine gets better every time. CLARITY ## ▸ Single purpose (Privacy practices tab) SafeCart protects users from phishing checkout pages, tracks their online purchases so missing confirmations are surfaced, and alerts them when stores they shop at suffer a data breach. ## ▸ Data-use justifications PII (email): Create and authenticate the user's optional SafeCart account. Never sold or shared. Authentication: Tokens authenticate the user to our keyless safety proxy and to Gmail (receipt matching). Stored locally; never sent to third parties. Personal communications: Match order-confirmation emails to payments. All reads happen in-browser via the Gmail API under the user's own read-only OAuth token. Email content never reaches SafeCart servers. Website content: Detect card-input fields and read order totals on checkout pages. Used only on the current tab, only when a payment context is present. ## ▸ Permission justifications storage: Persist settings, local payment records, and breach state. alarms: Run the payment-confirmation check and the daily breach scan. activeTab: Read the active tab when a checkout is detected — find card fields, parse totals, show the warning. notifications: Alert the user about unconfirmed payments and newly-found breaches. identity: Obtain a read-only Gmail OAuth token — only if the user connects Gmail. Host permissions (Safe Browsing, PhishTank, RDAP, Have I Been Pwned, the SafeCart proxy, Supabase): run the safety/breach lookups and optional account auth. Questions or data-deletion requests: hewzijian9@gmail.com