Privacy Policy — Mobile Simulator

Last updated: 2026-05-31

Extension: Mobile Simulator (Chrome Web Store)

Mobile Simulator is a Chrome extension that lets web developers preview any

URL on multiple device frames (iPhone, Galaxy, Pixel, iPad) side by side

inside one Chrome tab. This document explains what data the extension

processes and what it does not.

1. We do not sell or share your data

We never sell, rent, license, or otherwise share any data with third

parties beyond what is described in this document. There is no advertising,

no profiling, no cross-site tracking.

2. Data the extension processes locally

The following is processed on your computer only, in chrome.storage.local,

and is never sent to our servers:

Your simulator session. The list of device panels you have open, their

device IDs, orientations, dark-mode states, and current zoom level. Saved

so you can close and re-open the tab without losing your layout.

Recent URLs. Up to 10 URLs you've typed into the simulator address

bar, so the "Recent" list in the sidebar can show them.

Settings. Toggle states (PWA mode, sync scroll, keyboard overlay,

theme, etc.) and your custom device definitions, if any.

A locally-generated random identifier (UUID). See section 4 below.

You can clear all of this at any time from Chrome's extension settings

(chrome://extensions → Mobile Simulator → Site data → Clear) or from the

"Clear history" button inside the extension.

3. Browsing-target data the extension touches

To make the iframe rendering work, the extension reads and modifies HTTP

headers on requests to the URL you preview. Specifically:

Removes X-Frame-Options, Frame-Options, Content-Security-Policy,

and Content-Security-Policy-Report-Only response headers, so the URL

can be displayed inside an iframe.

Spoofs the User-Agent request header to match the simulated device

(e.g., iPhone Safari) so the target site serves its mobile layout.

Spoofs Sec-Fetch-* headers so the iframe appears as a top-level

navigation to the target server.

These modifications are scoped to the single Chrome tab running the

simulator. They use Chrome's declarativeNetRequest API, which processes

the rules natively inside Chrome — the extension does not see request or

response bodies, cookies, or page content.

The extension does not read, store, or transmit:

The URL you preview, its hostname, or its content.
The page title, body, or DOM of the previewed site.
Cookies, localStorage, sessionStorage, or IndexedDB of the previewed site.
Form input, scroll position, or interaction events inside the previewed

iframe.

4. Anonymous usage analytics (enabled by default, one-click disable)

Mobile Simulator includes anonymous-usage analytics that help us

understand which features are most valued and where to invest time. It

is enabled by default so that we can see how the extension is used

across the install base. You can disable it at any time via the

"Help improve Mobile Simulator" toggle in the extension's sidebar

(Display group). Disabling is immediate — one final

analytics_opt_in_changed event records the choice, then no further

events leave your computer.

What is collected when opt-in is ON

A random identifier. A UUID generated locally at first install

(crypto.randomUUID()), stored in chrome.storage.local. It is not

linked to your Chrome profile, your Google account, your email, or your

IP address.

Feature-name events. When you take an action like switching device,

rotating, taking a screenshot, or loading a preset, the extension sends

the name of that action (e.g., device_changed, screenshot_captured,

preset_loaded) plus a minimal, non-identifying payload. The full

schema of every event type is published in

docs/ANALYTICS_EVENTS.md.

Aggregate device metadata. Operating system family (Mac /

Windows / Linux / ChromeOS), browser locale (en-US, ru-RU,

…), and extension version.

Redacted error reports. When an internal error is caught, a

truncated 200-character message is sent. URLs, file paths, and email

addresses are automatically replaced with [URL] / [PATH] / [EMAIL]

placeholders before transmission.

What is NEVER collected — even when opt-in is ON

URLs of websites you preview, their hostnames, or any part of their

content.

The text of search queries you type in the device picker (only the

string length).

The names you give to custom devices.
Your IP address. PostHog, our analytics provider, strips the IP at the

server boundary (anonymize_ips=true setting on our project).

Your email, your name, or any account credentials.
Cookies of any kind.

Analytics provider

Anonymous events are sent to PostHog (https://posthog.com), an

open-source product analytics service. Our project is hosted on PostHog

Cloud US (https://us.posthog.com). PostHog's own privacy practices are

described at https://posthog.com/privacy.

4a. Feedback forms (user-initiated, not automatic)

The extension includes a Send feedback button (sidebar → Settings →

Tools) that opens an in-extension form with three categories: report a

bug, suggest an improvement, or request a device. Submissions are

user-initiated — the form never sends anything automatically.

What is sent when you submit a feedback form

The message you typed.
An optional email address — only if you provide one because you want a

reply.

Metadata: extension version, operating-system family (Mac / Windows

/ Linux / ChromeOS), browser locale, the active device name and

viewport size (e.g. iPhone 17 Pro Max (440×956)), the number of open

device panels.

The same anonymous random identifier described in §4 — **only if

anonymous analytics is enabled**. Lets us correlate a report with the

events from that install (e.g. "this report came from someone who saw

the screenshot error this week"). If you've disabled analytics, the

identifier is dropped before transmission.

What is NEVER sent with a feedback form

The URL of the website you were previewing.
The hostname, page title, or content inside the iframe.
Names you gave to custom devices.
Search queries from the device picker.
Your IP address (Formspree may see it transiently for spam protection;

it is not stored in the message we receive).

Feedback delivery pipeline

Submissions are sent over HTTPS to a small Cloudflare Worker

(*.workers.dev) under our control. The Worker validates the request

came from a Chrome extension and forwards the message to a private

Telegram chat via the Telegram Bot API. Nothing is stored — the Worker

holds no database, and the only delivery destination is the developer's

Telegram. Cloudflare's privacy practices are described at

https://www.cloudflare.com/privacypolicy/, Telegram's at

https://telegram.org/privacy.

Spam protection

The submit button is disabled for 2 seconds after the form opens to

discourage automated submissions. The Worker additionally rejects any

request whose Origin header is not a Chrome extension.

How to turn it off

Open the extension, scroll to the Display section in the sidebar,

and toggle "Help improve Mobile Simulator" off (the toggle ships

checked on; one click disables it). The act of disabling fires one final

analytics_opt_in_changed event with enabled=false and then no further

events are sent. You can also clear the stored random identifier by

uninstalling the extension or by clearing site data in

chrome://extensions.

5. Permissions justification

The extension requests the following Chrome permissions. Each is used

strictly for the feature next to it; no permission is used for any other

purpose.

Permission	Why we need it
`storage`	Save your simulator layout, settings, URL history, and (if you opt in) the anonymous identifier.
`tabs`	Open the simulator in a new tab when you click the extension icon or the right-click menu.
`activeTab`	Read the URL of the current tab when you click the extension icon so the simulator can preview the page you were on.
`scripting`	Inject a small