Hem and Haw Privacy Policy

Effective Date: 2025/09/21

Introduction

Hem and Haw is a browser extension available on Firefox's add-on store and Google Chrome's web store.

This extension detects and reports when hashes of your personally identifiable information (PII)—such as email addresses and phone numbers—are being sent by websites you visit to third-parties.

As part of a University of Calgary study (REB25-0355_MOD1), we collect some data from users of our extension for research purposes.

What We Don't Collect

To provide functionality, the Hem and Haw browser extension asks for your PII such as:

Email addresses
Phone numbers
Dates of birth
ZIP codes
Other identifiers input by the user

The extension will calculate and save the corresponding hashes of the PII you provide to search for in network traffic.

All PII and corresponding hashes are stored locally in your browser. This data is never transmitted or shared.

What We Collect

For the purposes of our study, whenever Hem and Haw detects a website transmitting a hash of a PII identifier to a third-party, we collect:

the hostname of the website you visited (ex. example.com),
the hostname of the third party (ex. trackingcompany.com),
the HTTP referer of the transmission,
the type of PII being shared (ex. Email, Phone Number, Zip Code),
the hash function used (ex. SHA256),
your user-agent string,
where in the transmission (HTTP request) the hashed PII was found (ex. url, body, headers),
your survey answers which may include:
- whether you declared you use an adblock or not,
- how privacy-conscious you declare you are,
- what browser you declare you are using,

This is triggered only when:

the Hem and Haw extension is enabled and actively searching for PII hash transmissions, and
you inputted the PII whose corresponding hash was detected

These details are sent from the extension installed on your browser to our server. We may also occasionally collect your answer to the survey question of whether you have been notified that your data was in a data breach. We do not record your IP address or any other identifying information.

Prolific Users

If you entered and submitted your Prolific ID on Hem and Haw, you may be eligble for weekly bonus reward payments. To determine whether you are eligible for a weekly bonus, the extension will ping our server with:

your inputted Prolific ID, and
the number of unique web domains you've visited today (only up to 10), and
the number of PII fields you are searching for.

at most once daily. This is to keep track of Prolific participants who are actively using Hem and Haw sufficiently throughout the week for bonus payment purposes. We do not record your IP address, any other identifying information. We also only record the date of the ping instead of a full timestamp. Your Prolific ID will not be associated with your transmission data.

Your Data

Your local extension data (including the PII your provide and its hashes) is stored using the browser's built-in local storage (e.g., browser.storage.local). This means:

This data never leaves your device
You can delete all locally stored data by removing the extension or clearing browser storage

The non-identifying research data we collect is stored in a protected server at the University of Calgary. We do not:

Send any personal or sensitive data to external servers
Share your data with third parties
Identify or attempt to identify you uniquely
Track or attempt to track you across websites
Sell, rent, or trade your information

Your Control

You may delete your hashed PII transmission logs by:

Opening Hem and Haw -> See all results -> Clear your data, or
Opening Hem and Haw -> See all results -> Clear all Hem and Haw data, or
Deleting your entire browsing history (this will trigger the deletion of the logs)

You may delete your provided PII and its hashes by:

Opening Hem and Haw and deleting individual PII fields or clicking the Clear button, or
Opening Hem and Haw -> See all results -> Clear all Hem and Haw data.

Contact

If you have any questions about this privacy policy or how your data is handled, please contact:
hemandhaw@ucalgary.ca.