Reveal URLs — Privacy Policy

Last updated: 2026-07-02

Reveal URLs reveals the URL each link in your mail points to so you can spot phishing before you click. It comes in three forms: the browser extension (and Thunderbird add-on), the Outlook add-in and the Gmail add-on.

The short version

Reveal URLs sends nothing to us or to any third party. There is no analytics and no tracking, and we — the developers — receive none of your data. The browser extension and the Thunderbird add-on do all their work on your own device, transmitting nothing. The Outlook add-in analyses the message on your own device and sends no email or message data anywhere; its task-pane code (the HTML, JavaScript, CSS and icons) is, however, loaded from https://www.reveal-urls.eu over HTTPS — like opening any web page — so the host serving that code sees the request for it. The Gmail add-on is the one form that runs elsewhere: because Gmail add-ons run on Google's own servers, the open message is read and analysed there (by Google, who already hold your mail), never by us and never by anyone else.

What it accesses

To reveal and check links, Reveal URLs reads the visible text and the destination (href) of links in the message you're reading. How and where this happens depends on the form:

What it stores

Only your own settings — never email content or browsing history. Where they are stored depends on the form:

What it does NOT do

Permissions

Browser extension (and Thunderbird add-on)

Outlook add-in

Gmail add-on

Gmail add-on: how it handles your Google user data

This section documents, for Google's review, exactly how the Gmail add-on accesses, uses, stores, shares, protects, retains and deletes Google user data.

Data accessed. The add-on reads only the body of the single email message you currently have open, under one narrow scope, https://www.googleapis.com/auth/gmail.addons.current.message.readonly. It also holds https://www.googleapis.com/auth/gmail.addons.execute, the standard scope that lets an add-on run in Gmail; that scope grants no access to your data. The add-on cannot read your other messages, and does not access subjects, headers, sender or recipient addresses, attachments, labels, or any Google account profile data.

Data usage. The message body is used for one purpose only: to find the links in it, compare each link's visible text against its real destination, and show you a card highlighting mismatches so you can spot phishing. All of this runs on Google's own Apps Script servers when you open the message. The add-on makes no external network requests and sends the message content nowhere.

Data sharing. None. Google user data is never sold, and never shared with or transferred to any third party. The developer receives none of it. There are no analytics, advertising, or tracking components.

Data storage & protection. Message content is processed transiently in memory during the request and is never written to durable storage by the add-on. The only data the add-on stores is your own settings, saved as a small JSON configuration object in Google's per-user Apps Script UserProperties. In the Gmail add-on you can edit your ignore-list and the mismatch-highlighting toggle; the object also carries display-preference fields shared with the browser extension (kept at their defaults unless changed), and never any email content. It is held within Google's infrastructure and protected by Google's platform security (encrypted in transit and at rest), scoped to your account, and never leaves Google. No data is stored on any developer or third-party server.

Data retention & deletion. The add-on retains no message content: each message is processed only for as long as it takes to build the card when you open it. The only data that persists is your settings object, and only until you delete it. You can delete it yourself at any time from the add-on's settings using the Clear settings button, which removes everything the add-on has stored for you and returns it to defaults. For any question about your data, contact us (see Contact below).

Limited Use. Reveal URLs' use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Contact

Questions about this policy: https://www.phpfreelance.co.uk/contact.html