Konto – Privacy Policy
Last updated: 2025-09-17
Konto is a Chrome extension that helps you quickly open and switch AWS console accounts and roles. We designed it to minimize data access and avoid collecting personal information.
— Summary —
• We do not collect, sell, or share personal data.
• We do not use analytics or tracking beacons.
• We do not execute remote code; all code ships with the extension.
• Only lightweight preferences are stored locally in Chrome and may sync via your Google account if Chrome Sync is enabled.
• The extension enhances AWS Console pages and may open Amazon internal federation pages to start a session; no data is sent to the developer.
— Data We Store (locally in Chrome) —
Stored using chrome.storage (Sync or Local, depending on your Chrome settings):
• Pinned/favorite accounts (name/ID you configure)
• Preferred role (e.g., Admin / Read)
• UI options (filters, last used account, layout choices)
• Optional usage counters within the extension UI only (e.g., “time saved”, “clicks saved”)
We do not store page content, credentials, secrets, billing data, or browsing history.
You can clear all extension data at any time from the extension options or by removing/clearing extension data in Chrome.
— On-Page Processing (Content Script) —
The extension injects a small script only on:
• https://*.console.aws.amazon.com/*
• https://*.merlon.amazon.dev/*
What it does on these pages:
• Reads minimal DOM elements to locate account identifiers and place quick-action buttons
• Does not exfiltrate page content; processing happens on your device and results are not transmitted to any developer server
— Permissions and Justifications —
• activeTab — Activated only when you click the extension button. Used to read the current tab URL to detect supported console pages and to inject helpers. Access is temporary and limited.
• tabs — Lets the extension open a console tab, focus an existing one, and prevent duplicates by checking extension-created tabs. It does not read content from unrelated sites.
• Host permissions — Restricted to the domains listed above so the content script can enhance only those pages.
• storage — Persists your preferences (pins, role, UI options). You control this data via Chrome settings.
The extension does not request unnecessary broad permissions and does not use history, cookies, or webRequest APIs.
— Network Requests and Destinations —
The extension itself does not send data to developer-controlled servers. When you use it, it may open or redirect your browser to service URLs to start or resume a console session (normal site navigation under your control), such as:
• https://console.aws.amazon.com/*
• https://conduit.security.a2z.com/*
• https://*.merlon.amazon.dev/*
These requests are standard navigations your browser makes to AWS/Amazon services. No telemetry is sent to the extension developer. Any information you enter on those sites is governed by their respective privacy policies.
— Remote Code Policy —
We do not execute remotely hosted JavaScript. All executable code is packaged with the extension (Manifest V3). The extension’s content security policy restricts scripts to 'self'. Remote assets, if ever used in the future (e.g., icons), would be version-pinned and would not execute code on third-party pages.
— Data Sharing, Sale, and Advertising —
• We do not sell data.
• We do not share data with third parties.
• We do not use data for advertising or profiling.
— Data Retention and Your Controls —
• Preferences remain in Chrome storage until you clear them or remove the extension.
• You can reset all data via the extension options or by removing the extension from Chrome.
— Security —
We intentionally limit the data we process and store. Sensitive console actions happen directly on AWS/Amazon pages under your account and authentication. While we follow Chrome security best practices, no internet software is perfectly secure—please keep Chrome up to date and review the permissions you grant.
— Changes to This Policy —
If we make material changes, we will update the “Last updated” date above and publish the updated policy at the same URL.