Privacy Policy

Last updated: June 22, 2026

The following legal text is available in English only. The English version prevails.

Overview

GeoSpoof is committed to protecting your privacy. This extension is designed to enhance your location privacy and does not collect, store, or transmit any personal data to the extension developer.

GeoSpoof does not implement VPN functionality. It does not use NetworkExtension or any VPN framework, and it does not route, tunnel, or inspect network traffic. The word "VPN" appears only in reference to the optional "Sync with VPN" feature, which helps align your browser's reported location with the exit region of a third-party VPN you are already running.

Data Collection

GeoSpoof does not collect any personal data. The extension:

  • Does NOT track your browsing activity
  • Does NOT collect analytics or telemetry
  • Does NOT store data on external servers
  • Does NOT share data with third parties for advertising or marketing

Local Data Storage

All extension settings are stored locally on your device using the browser's local storage API (browser.storage.local):

  • Your spoofed location coordinates
  • Your timezone preferences
  • Resolved location name (city, country)
  • WebRTC protection settings
  • VPN sync preference
  • Onboarding completion status

This data never leaves your device and is only accessible by the extension.

Third-Party API Usage

When you use certain features, GeoSpoof (both the Safari extension and the companion app) communicates with external services. With one exception, the developer operates no server and receives none of this data. The exception is the timezone boundary data, which the extension fetches from the developer's own domain (cdn.geospoof.com) — see that entry below.

Nominatim (OpenStreetMap) — Used when you search for a city or the extension performs reverse geocoding. Sends your search query or coordinates over HTTPS.

VPN Sync Services — Used only when you explicitly enable "Sync with VPN" or tap the "Re-sync" button. GeoSpoof first detects your public (VPN exit) IP, then looks up its approximate region. In the Safari extension, detection tries checkip.amazonaws.com (AWS), cloudflare.com/cdn-cgi/trace, whatismyip.akamai.com (Akamai), and ipify (api.ipify.org) in order with failover; the companion app instead sends a STUN request to Cloudflare and Google (stun.cloudflare.com, stun.l.google.com) with ipify as a fallback. The detected IP is then sent in parallel over HTTPS to up to four geolocation services; the first successful response is used and the rest are cancelled. Only your public IP is transmitted — no identifiers, account data, or browsing history:

Privacy safeguards for VPN Sync: all requests use HTTPS. Your IP address is held only in an in-memory cache for the current browser session — it is never written to disk. The in-memory cache is cleared the moment you disable "Sync with VPN" or switch to a different location input method.

browser-geo-tz (served from cdn.geospoof.com) — Makes HTTPS range requests to cdn.geospoof.com to fetch small chunks of timezone boundary data, then resolves your timezone locally on your device. This data is hosted on the developer's own infrastructure — an Amazon CloudFront distribution in front of a private Amazon S3 bucket (provisioned as code with the AWS CDK), on a subdomain of the developer's own site. Because the request reaches the developer's infrastructure, it carries your IP address (your real IP, unless you are behind a VPN) and the byte ranges requested — and those ranges correspond to the region being looked up, so the request can reveal your approximate spoofed region. Your coordinates are never sent as a query. The developer does not use these requests for analytics, tracking, profiling, advertising, or accounts, and stores no personal data from them. The developer has not enabled access logging on the CloudFront distribution; Amazon, as the infrastructure operator, processes each request (including your IP and the requested path) transiently to deliver the file and may keep its own operational logs under its own policies. The data is cached by your browser, so it is rarely re-fetched.

Apple geocoding (companion app only) — When you set a manual location in the app, it uses Apple's on-device geocoding (CLGeocoder) to resolve the precise timezone for the chosen coordinates, falling back to bundled offline boundary data when offline. City search in the app is fully offline and sends nothing.

In-App Purchases and Subscriptions

The app offers paid options through Apple's In-App Purchase system:

  • GeoSpoof Pro (iOS and iPadOS only) — an auto-renewable subscription (monthly or annual) that unlocks Pro features such as automatic background VPN sync, per-site allowlist/denylist rules, Home Screen and Control Center widgets, custom accuracy, and the on-map location picker. The subscription renews automatically until cancelled; you can manage or cancel it anytime in your Apple Account settings. A free, fully functional tier remains available without any purchase. On macOS, all of these features are included at no charge — there is no macOS subscription.
  • Tips (iOS, iPadOS, and macOS) — optional one-time purchases that let you support development and unlock no features or functionality.

All payments are processed by Apple via In-App Purchase. The developer never receives your payment details, card information, Apple Account identifier, or any personal data from a purchase or subscription. Billing, receipts, renewals, and refunds are handled entirely by Apple under its terms. That payment processing is governed by Apple's own privacy policy, and Apple acts as an independent data controller for it.

How your Pro status is determined. Your entitlement — whether you are a subscriber or a grandfathered "founding" user — is resolved entirely on your device using Apple's StoreKit framework. Founder status is derived from your App Store purchase history (the original app version your Apple Account first downloaded) via StoreKit's AppTransaction; this needs no account, no sign-in, and no developer backend, and is read directly from Apple on-device. The resolved status is cached locally on your device only and is never transmitted to the developer — there is no developer-side record of who is or isn't a subscriber, and GeoSpoof maintains no user accounts.

Data Security

  • All settings are stored locally using the browser's secure storage API
  • No data is transmitted to the developer for collection, analytics, or profiling
  • The one request that reaches developer-controlled infrastructure — fetching timezone boundary data from cdn.geospoof.com — is a static-file download and is not used to track or identify you
  • All third-party API calls use HTTPS encryption
  • The developer maintains no user accounts and runs no backend application or database; geospoof.com and its cdn.geospoof.com subdomain serve only static files

Permissions Explained

The extension requires the following permissions. Exact permissions vary slightly by browser (some APIs do not exist on every engine), but the principles below apply everywhere.

  • storage: To save your settings locally on your device
  • privacy (Firefox/Chromium only): To configure WebRTC protection settings
  • proxy (Firefox/Chromium only): To detect when a browser-based VPN switches exit nodes so VPN Sync can re-align your spoofed location. GeoSpoof only observes proxy changes — it never sets or routes a proxy.
  • scripting: To inject the location-spoofing overrides into pages
  • alarms: To run periodic health checks that keep the spoofing overrides active
  • idle (Firefox/Chromium only): Part of the VPN-sync re-check scheduling
  • <all_urls> / host access to all websites: To inject location spoofing on every website you visit
  • webRequest permissions (Firefox only): To repair the timezone leak inside Web Workers at the network layer

These permissions are used solely for the extension's functionality and not for data collection.

Why Safari warns that GeoSpoof can "read and alter webpages"

When you enable GeoSpoof, Safari shows a prompt similar to: "The extension 'GeoSpoof' would like to access [websites]. This extension will be able to read and alter webpages and see your browsing history on these websites. This could include sensitive information, including passwords, phone numbers, and credit cards."

This warning is standard for any extension that runs on every site, and the specific websites Safari names are simply the tabs you happen to have open at that moment — GeoSpoof does not single them out and has no special interest in them. Safari shows this same wording for ad blockers, password managers, and dark-mode extensions.

GeoSpoof needs broad website access because its only job is to make every site you visit see your chosen location instead of your real one. To do that it must run a small script on each page that overrides the browser's location, timezone, and date APIs before the page's own code runs. There is no narrower permission that would let it spoof location site-wide.

What "read and alter webpages" technically allows vs. what GeoSpoof actually does:

| Safari says it could | What GeoSpoof actually does |
| --- | --- |
| Read page content (including passwords, form fields, credit cards) | Never reads form fields, passwords, page text, or any page content. The overrides only replace location/time API return values. |
| Alter webpages | Only "alters" the values returned by the Geolocation, Date, Intl, and Temporal APIs. It does not modify page text, inject ads, or rewrite content. |
| See your browsing history | Never reads, stores, or transmits your history or the list of sites you visit. |
| Transmit data externally | Sends nothing to the developer for collection or analytics. Outbound requests are the optional geocoding / VPN-sync API calls described above (only when you use those features) and fetching timezone boundary data from cdn.geospoof.com when a location is set. |

The extension is open source, so you can verify all of the above: github.com/anthonysgro/geospoof

Which Safari permission option should you choose?

  • Allow for One Day — best for trying GeoSpoof out. Access expires automatically, so it's the lowest-commitment option.
  • Always Allow on Every Website — most convenient if you want location protection everywhere without re-granting access.
  • Allow / Always Allow on specific websites — if you only want spoofing on certain sites, grant access per-site and leave the rest unprotected.
  • Deny — GeoSpoof will not run on that site (it cannot spoof your location there).

You can change or revoke any of these at any time in Safari → Settings → Extensions → GeoSpoof, or per-site from the AA menu in the address bar on iOS/iPadOS. Restricting access never deletes your settings — it only controls where spoofing is allowed to run.

Your Rights

You have complete control over your data:

  • All settings can be cleared by disabling or removing the extension
  • You can view all stored data in your browser's extension storage inspector
  • No account or registration is required

Important Disclaimers

What this extension does NOT do:

  • Does NOT implement VPN functionality — no NetworkExtension, no tunneling, no traffic interception
  • Does NOT change browser language or locale settings — your browser's language preferences remain unchanged, which may create detectable inconsistencies with your spoofed location
  • Does NOT spoof IP address — your real IP address is still visible to websites unless you use a VPN
  • Does NOT bypass server-side detection — websites can still detect your location through IP address, payment methods, account history, and other server-side signals

Terms of service compliance. Using location spoofing may violate the terms of service of certain websites, particularly streaming services (Netflix, HBO Max, Disney+, etc.), financial services, and e-commerce platforms with region-specific pricing. You are responsible for ensuring your use of this extension complies with applicable terms of service and laws. The extension developer is not liable for any violations or consequences resulting from your use of this extension.

Intended use. This extension is intended for privacy protection and testing, web development and testing, educational purposes, and legitimate privacy enhancement. It is NOT intended for circumventing geo-restrictions on copyrighted content, fraud or deception, or violating terms of service agreements. We absolutely do not endorse any illegitimate or illegal use of this tool whatsoever. Use responsibly and in accordance with local laws and regulations.

For Users in the European Economic Area, United Kingdom, and Switzerland

If you are located in the EEA, UK, or Switzerland, the following applies to you in addition to the rest of this policy.

Controller: Anthony Sgro, an individual developer based in the United States, acts as the data controller for any personal data processed by this extension. You can contact the controller at support@geospoof.com.

Legal basis for processing: Two kinds of personal data may be processed, both limited to your public IP address. (1) When you explicitly enable "Sync with VPN," your public IP is sent to the IP-detection and geolocation services listed above; we rely on your consent (GDPR Art. 6(1)(a)), which you give by enabling the feature and can withdraw at any time by disabling "Sync with VPN" in the extension popup. (2) Whenever the extension resolves a timezone, it fetches boundary data from cdn.geospoof.com, which — like any web request — transmits your IP to the developer's CDN (Amazon CloudFront); we rely on legitimate interests (GDPR Art. 6(1)(f)) in delivering the boundary data needed for the location-spoofing you requested, and the IP is used only to serve the file and is not retained. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.

International transfers: The third-party services listed above (AWS, Cloudflare, Akamai, ipify, GeoJS, FreeIPAPI, ReallyFreeGeoIP, ipinfo.io, Google STUN, and Nominatim) are operated outside the EEA, including in the United States; each is an independent controller and determines its own transfer mechanisms. Separately, the timezone boundary data is served from the developer's own domain cdn.geospoof.com, hosted on Amazon Web Services (CloudFront and S3), whose infrastructure is also outside the EEA, including in the United States. When you use features that contact any of these endpoints, your public IP is transferred to that infrastructure. Apart from serving that static boundary data from cdn.geospoof.com, the extension developer operates no server and performs no other cross-border transfer of its own.

Your rights under GDPR / UK GDPR: you have the right to access, rectify, erase, restrict, object to, and port your personal data, and to withdraw consent at any time. Because the extension stores no personal data on any server controlled by the developer, most of these rights are exercised directly by you within the extension: uninstalling the extension or disabling "Sync with VPN" fully erases everything the developer could ever access. You also have the right to lodge a complaint with your local data protection authority.

Retention: Your public IP is held only in volatile memory for the current browser session and cleared when you disable the feature or close your browser. No retention period applies because no storage occurs.

For California Residents

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you specific rights regarding your personal information.

We do not sell or share your personal information as those terms are defined under the CCPA/CPRA. We do not disclose personal information for cross-context behavioral advertising. We do not knowingly handle the personal information of consumers under 16.

Categories collected: The only category of personal information touched by the extension is an internet identifier (your public IP address). This happens when you enable "Sync with VPN" (sent to the IP-detection and geolocation services) and when the extension fetches timezone boundary data from cdn.geospoof.com (your IP reaches the developer's CDN as part of an ordinary web request). In both cases it is used only for the purposes described above and is not retained.

Your rights: You have the right to know what personal information is collected, the right to delete personal information, the right to correct inaccurate personal information, the right to opt out of sale or sharing (there is nothing to opt out of here), and the right not to receive discriminatory treatment for exercising these rights. Because no personal information is retained by the developer, these rights are effectively exercised by uninstalling the extension or disabling the feature. For any inquiry, contact support@geospoof.com.

Children's Privacy

GeoSpoof is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has used the extension in a way that caused personal information to reach a third-party service referenced above, please contact us at support@geospoof.com and we will take reasonable steps to assist.

Security Incidents

Because the extension stores no personal data on any developer-operated server, there is no developer-side database that can be breached. In the unlikely event of a security issue affecting the extension itself (for example, a vulnerability in the extension code), we will publish an advisory on the project's GitHub page and release a patched version through the relevant browser stores. Where required by applicable law, we will notify affected users and the relevant data protection authority.

Changes to This Policy

If this privacy policy changes, the updated version will be posted on this page and in the extension's repository. The "Last Updated" date at the top of this page will be revised accordingly. Continued use of the extension after changes are posted constitutes your acceptance of the updated policy.

Contact

For questions about this privacy policy, contact us at support@geospoof.com or open an issue on GitHub.

Open Source

GeoSpoof is open source. You can review the complete source code to verify these privacy practices: github.com/anthonysgro/geospoof.