SafeCart

Tracking since May 26, 2026.

Changelog

• Jun 8, 2026
  description

  SafeCart is the protection layer your card needs when you shop online.
  
  It runs quietly in the background. The moment you reach a checkout page, SafeCart checks the site against Google Safe Browsing, PhishTank, and a dozen offline phishing heuristics. If anything looks off — a brand-name typo, a freshly registered domain, a suspicious top-level domain — SafeCart locks the card field and shows a big, clear warning before you type your number.
  
  After every successful checkout, SafeCart quietly records what you bought and from where. If a confirmation email doesn't arrive within 30 minutes, you get a notification with a ready-to-send chargeback template and the merchant's real support contact. No more "did that order actually go through?" anxiety.
  
  And once a day, SafeCart checks every store you've shopped at against HaveIBeenPwned. If one of them appears in a breach, you'll know which store, what data leaked, and exactly what to do next — change a password, replace a card, freeze your credit — without having to read the whole breach report yourself.
  
  
  WHAT YOU GET FOR FREE
  
    ✓ Phishing detection on every checkout page
    ✓ Local-only purchase tracking
    ✓ Daily breach scan of stores you shop at
    ✓ Chargeback help with real merchant support contacts
    ✓ No ads. Ever.
  
  PREMIUM ($2.49 / month) ADDS
  
    ✓ Auto-match receipts in Gmail (and Outlook, soon)
    ✓ Priority breach alerts within 1 hour
    ✓ Sync your payment history across all your Chrome installs
  
  FAMILY ($4.99 / month) ADDS
  
    ✓ Everything in Premium for up to 5 people
    ✓ Shared chargeback help across your household
  
  
  PRIVACY YOU CAN VERIFY
  
  SafeCart was built privacy-first and the source code is structured so you can audit it.
  
    • All Gmail reads happen in your browser. No email content is ever sent to our servers.
    • Phishing checks use a thin proxy on our side so YOUR copy of the extension never carries any third-party API keys.
    • Breach checks send only public store domains (e.g. "example.com") — never your email, password, or anything that identifies you.
    • No ads, no analytics SDKs, no data sales. The full privacy policy is linked from the listing.
  
  
  HOW IT WORKS
  
    1. Install. The default settings cover most people. The optional API-key fields are for power users who want to use their own quotas.
    2. Shop. The extension is silent on safe sites and only steps in when there's actually a risk.
    3. Sign in (optional). If you want subscriptions or the Gmail-receipt feature, create a free SafeCart account.
    4. Upgrade (optional). If the free features are useful, Premium and Family add receipt matching, priority breach alerts, and cross-device sync.
  
  
  BUILT FOR PEOPLE WHO ACTUALLY SHOP ONLINE
  
  SafeCart was built to handle real checkout flows — Shopify stores, big-box retailers, regional marketplaces. The phishing engine has a curated allowlist so well-known brands aren't false-positives. The payment tracker handles partial confirmations (a "thank-you" page without an email yet) gracefully. The breach module focuses on stores you've actually shopped at, not a generic list, so the alerts you get are alerts that matter to you.
  
  
  QUESTIONS
  
  If you hit a checkout page that's incorrectly flagged, or a real phishing page that slipped through, please report it — the engine improves every time someone does.
  
  For privacy questions or data-deletion requests: [email protected]

  Fake stores are good now. The logo, the layout, the checkout — identical to the real thing. SafeCart is the second pair of eyes that catches what you can't.
  
  The moment a checkout looks fake — a lookalike domain (paypa1, not paypal), a store registered days ago, a known phishing pattern — SafeCart warns you in plain words and locks the card field, before you type a single digit.
  
  WHAT SAFECART DOES
  • Fake-checkout & phishing protection — a real-time safety check on every payment page, with a clear warning when something's off.
  • Payment tracking — a private log of what you bought and where, so a bad charge is easy to dispute and claw back.
  • Breach alerts — if a store you've shopped at is breached, you're among the first to know.
  
  PRIVATE BY DESIGN — a scam-blocker that would never scam you
  • Runs only on checkout pages — never while you browse, read, or search.
  • Your purchase history stays on your device. We don't keep a copy.
  • Safety lookups go through a keyless proxy that stores nothing.
  • No ads. No trackers. No sale of your data — ever.
  
  WHO IT'S FOR:
  Anyone who shops online — and especially the people in your life who'd never spot a fake site themselves. SafeCart was built after a fake "Amazon" page took the founder's mum's card. It's the tell she never had.
  
  PERMISSIONS, EXPLAINED:
  We ask for as little as the job needs — and here's exactly why we ask for each:
  
  • Runs on the sites you visit — SafeCart has to watch checkout pages, and it can't know in advance which stores you'll shop at. It only wakes up when a page has a card field, and it never runs on Google domains.
  
  • Safety checks (Google Safe Browsing, PhishTank, domain-age lookups) — to check the site you're on against known-scam lists and flag brand-new domains. These run through a keyless SafeCart relay that stores nothing about you.
  
  • Breach checks (Have I Been Pwned) — to see whether a store you've shopped at has been breached. We only ever check the store's public domain — never your personal details.
  
  • Notifications & background timers — to alert you about a flagged checkout or a breach, and to run quiet breach checks without slowing your browsing.
  
  • Storage — to keep your settings and your private purchase log on your own device. We don't keep a copy.
  
  • Gmail (optional, read-only) — only if you connect it. SafeCart reads order-confirmation emails to confirm your purchases, parses them on your device, and never sends them to us. Skip it and everything else still works.
  
  • Account sign-in (optional) — to sync settings if you choose. Your password goes straight to the provider; our server never sees it.
  
  If a permission ever feels like more than the job needs, tell us. A scam-blocker should be the most trustworthy thing in your browser.
  
  Free. No account needed. One click to add.
  
  Spot the scam before you pay.

Permissions & access

Permissions

storagealarmsactiveTabnotificationsidentity

Host access

https://safebrowsing.googleapis.com/*, https://checkurl.phishtank.com/*, https://rdap.org/*, https://rdap.verisign.com/*, https://gmail.googleapis.com/*, https://haveibeenpwned.com/*, https://safecart-api.safecart-hzj.workers.dev/*, https://kwptfmvvlvjvseksnpxb.supabase.co/*

Screenshots