Hem and Haw Privacy Policy

Effective Date: 2025/06/20

Introduction

Hem and Haw is a browser extension available on Firefox's add-on store and Google Chrome's web store.

This extension detects and reports when hashes of your personally identifiable information (PII)—such as email addresses and phone numbers—are being sent by websites you visit to third-parties.

As part of a University of Calgary study, we collect some data from users of our extension for research purposes.

What We Don't Collect

To provide functionality, the Hem and Haw browser extension asks for your PII such as:

Email addresses
Phone numbers
Dates of birth
ZIP codes
Other identifiers input by the user

The extension will calculate and save the corresponding hashes of the PII you provide to search for in network traffic.

All PII and corresponding hashes are stored locally in your browser. This data is never transmitted or shared.

What We Collect

For the purposes of our study, whenever Hem and Haw detects a website transmitting a hash of a PII identifier to a third-party, we collect:

the hostname of the website you visited (ex. example.com),
the hostname of the third party (ex. trackingcompany.com),
the type of PII being shared (ex. Email, Phone Number, Zip Code),
the hash function used (ex. SHA256),
whether you declared you use an adblock or not,
where in the transmission (HTTP request) the hashed PII was found (ex. url, body, headers).

This is triggered only when:

the Hem and Haw extension is enabled and actively searching for PII hash transmissions, and
you inputted the PII whose corresponding hash was detected

These details are sent from the extension installed on your browser to our server. We do not record your IP address or any other identifying information.

Additionally, if you entered and submitted your Prolific ID on Hem and Haw, the extension will ping our server with your Prolific ID at most once daily. This is to keep track of Prolific participants who are actively using Hem and Haw throughout the week for bonus payment purposes. We do not record your IP address, any other identifying information. We also only record the date of the ping instead of a full timestamp.

How We Use Your Data

Your local extension data (including the PII your provide and its hashes) is stored using the browser's built-in local storage (e.g., browser.storage.local). This means:

This data never leaves your device
You can delete all locally stored data by removing the extension or clearing browser storage

The non-identifying research data we collect is stored in a protected server at the University of Calgary. We do not:

Send any personal or sensitive data to external servers
Share your data with third parties
Identify or attempt to identify you uniquely
Track or attempt to track you across websites
Sell, rent, or trade your information

Your Control

You may delete your hashed PII transmission logs by:

Opening Hem and Haw -> See all results -> Clear your data, or
Deleting your entire browsing history (this will trigger the deletion of the logs), or
Removing the extension from your browser.

You may delete your provided PII and its hashes by:

Opening Hem and Haw and deleting individual PII or clicking the Clear button, or
Removing the extension from your browser.

Contact

If you have any questions about this privacy policy or how your data is handled, please contact:
hemandhaw@ucalgary.ca.