Privacy Policy
Privacy Policy for the CoreTax Console Chrome Extension — data collection, security, and your rights.
Data We Collect
Session Data from CoreTax Website
The Extension reads the following data from your active CoreTax browser session to enable its automation features:
| Data | Purpose | Storage |
|---|---|---|
| Access Token | Authenticate API download requests | Memory only |
| Cookie | Maintain session continuity | Memory only |
| Taxpayer ID | Identify your tax profile for API requests | Memory only |
| X-DGT-Code | Include in API download requests | Memory only |
IMPORTANT: This data is held in memory only during active jobs and is NEVER persisted to chrome.storage or transmitted to any external server. When the job completes or the Extension is closed, this data is discarded.
API Response Data
The Extension intercepts JSON API responses from CoreTax's list endpoints to enable its capture and download features. This data includes invoice numbers, document numbers, and taxpayer document details. This data is stored locally in chrome.storage.local and is never transmitted to any external server.
Extension Configuration
| Data | Storage Location |
|---|---|
| Settings | chrome.storage.local |
| Job State | chrome.storage.local |
| UI Preferences | localStorage |
| Subscription Data | chrome.storage.local |
| email_id | chrome.storage.local |
Google Authentication Data
When you sign in using Google OAuth, the Extension stores the following authentication data locally:
| Data | Purpose | Storage |
|---|---|---|
| Session Token (JWT) | Authenticate API requests to verify subscription and payment status | chrome.storage.local |
| User Profile | Display name and email in Extension UI; email is hashed (SHA-256) to create your email_id for payment identification | chrome.storage.local |
| Company Access Status | Determine if your account has company-level access (ad-free) | chrome.storage.local |
Your raw email address is stored locally only and is never transmitted to our payment server. Instead, a one-way SHA-256 hash of your email (email_id) is used as your identifier. This hash cannot be reversed to reveal your original email.
Data We Transmit
To Our Payment Server
When you subscribe or donate, the following data is sent to fecttral.com/api/payment/extension:
- email_id — A one-way SHA-256 hash of your Google email address. This replaces the former Device ID system and uniquely identifies your account for payment verification without revealing your actual email.
- Subscription Token — sent only during verification to confirm your subscription is active.
- Payment Type & Amount — "subscription" or "donation" and the requested amount.
We Do NOT Send CoreTax Data
IMPORTANT: We do NOT send any CoreTax data (invoices, documents, taxpayer information, access tokens, or cookies) to our payment server or any other third party.
Company Access Verification
If your account is associated with a company license, the Extension verifies your company access status through our authentication server at fecttral.com. The following data is exchanged:
- Session Token — sent as a Bearer token to authenticate the request and retrieve your company status.
- Company Status — received from the server: company name, expiry date, and active status. Cached locally and refreshed on Extension startup.
No CoreTax data is involved in this exchange. Company access status is checked on startup and periodically to ensure your access level is current.
Data We Do NOT Collect
We Do NOT
- Collect browsing history.
- Collect data from websites other than coretax.pajak.go.id.
- Collect personal information beyond what is needed for CoreTax automation and payment processing.
- Use your data for advertising.
- Sell, rent, or share your data with third parties for marketing purposes.
Passive Skills — Filter & Overlay Restoration
Session Checkpoints
The Extension includes a passive checkpoint system that saves your current filter settings (year, period, invoice number) and visual overlay state into sessionStorage on the CoreTax page. When you navigate away and return, these checkpoints are automatically restored.
This data exists only in sessionStorage (cleared when the tab closes) and is never transmitted externally.
Interstitial Ads
Local Image Ads
Free (non-subscribed) users will see an interstitial image advertisement with a 15-second countdown timer before starting download jobs. These ads are served from local PNG image files bundled with the Extension — they do not contact any ad network, tracker, or external server. No personal data is collected or transmitted during ad display. Ad links point to coretax-console.fecttral.com but no data is sent to that domain.
Data Retention
Retention Periods
| Data Type | Retention |
|---|---|
| Session data (token, cookie) | Memory only, discarded when job ends |
| Job state & settings | Until you clear Extension data or uninstall |
| Subscription data | Until subscription expires or you clear data |
| SessionStorage checkpoints | Cleared automatically when tab is closed |
| Payment records | Retained on server; email_id is the only identifier |
Third-Party Services
External Services
| Service | Purpose | Their Policy |
|---|---|---|
| DANA (dana.id) | QRIS payment gateway | Their privacy policy applies |
| Google Fonts | Font loading for UI | Google privacy policy applies |
| Google OAuth | Authentication (sign-in) | Google privacy policy applies |
Data Security
Security Measures
- CoreTax session data is held in memory only, not persisted to disk.
- Payment server communication uses HTTPS encryption.
- Webhook signatures are verified using RSA-SHA256.
- Spreadsheet cell values are sanitized to prevent formula injection attacks.
Your Rights
Data Control
- You may clear all locally stored data at any time by uninstalling the Extension or clearing Extension data in Chrome settings.
- You may request deletion of your payment records by contacting us through the Chrome Web Store listing support channel.
- Your subscription can be cancelled at any time; no further charges will be made after the current period expires.
Changes to This Policy
Updates
We may update this Privacy Policy from time to time. Changes will be reflected on this page with an updated effective date. Continued use of the Extension after changes constitutes acceptance of the updated policy.
Contact
Get In Touch
For privacy-related questions or concerns, please contact the developer through the Chrome Web Store listing support channel.