Chrome Web Store · Privacy Policy

ELAI Chip Bridge
Privacy Policy

What this extension collects, what it sends, and what it persists. Short answer: nothing.

Last updated · June 6, 2026 · Effective from extension v1.0.0

TL;DR. The ELAI Chip Bridge extension collects no personal data, sends no data over the network, uses no analytics, and persists no user information. The only thing it does is forward chip-card-protocol messages between web pages on a small allowlist of origins and a local Native Messaging host that you install yourself.

1. Who we are

The ELAI Chip Bridge extension is published by AmericaFirst4Us Inc., the same entity that operates verifythecard.com, americafirst4us.com, idregulators.com, idregulars.com, and 4pdfs.com. Contact: jjloflin@americafirst4us.com.

2. What data the extension handles

The extension handles three message types between web pages and the local Native Messaging host:

ping — liveness check. No card data involved.
health — returns the connected chip-card reader's name, its ATR (a public, non-secret identifier), and whether a card is currently inserted.
chip-event — runs an ISO 7816-4 SELECT-by-AID + INTERNAL AUTHENTICATE protocol exchange. Returns the raw exchange (AID, ATR, status words, and any card-emitted public response data).

None of this data is your private key, your card number (PAN), or your name. Chip cards refuse to release those over INTERNAL AUTHENTICATE outside a full payment transaction — the chip itself protects them, not us.

3. What we collect and store

Nothing. The extension does not write to chrome.storage, does not use cookies, does not maintain any database, and does not send any data to any remote server (including ours).

Communication happens entirely between:

Web pages on the allowed origin list (americafirst4us.com, verifythecard.com, idregulators.com, idregulars.com, 4pdfs.com, plus localhost for development)
The local Native Messaging host (elai-chip-helper-host.py) that you installed yourself

Both ends of that pipe are local to your computer. The extension has no outbound network access of its own.

4. What we send to third parties

Nothing. No analytics. No telemetry. No crash reporters. No advertising. No remote logging.

5. Permissions and why we need them

nativeMessaging

Required to spawn the local Python host (elai-chip-helper-host.py) that talks to your chip-card reader via the OS PC/SC subsystem. Without this permission, the extension cannot perform its single function.

host_permissions and content_scripts (5 ELAI origins + localhost)

Required so the extension can be reached by web pages on those origins via the externally_connectable API. The allowlist is hard-coded and limited to AmericaFirst4Us Inc.-operated domains.

6. The chip reader and your card data

When you use a website that calls chrome.runtime.sendMessage(..., {type: 'chip-event'}) via this extension, the following information flows briefly through the extension and back to the calling page:

The card's ATR (a public hardware identifier the card emits when powered)
The matched AID (e.g. A0000000031010 for Visa Credit/Debit)
The card's SELECT response (a public application identifier block)
The status word the card returned for INTERNAL AUTHENTICATE
If the card is a federal credential (PIV/CAC) that signs the challenge, the resulting cryptographic signature over a fresh random challenge

The chip's private key never leaves the secure element. Your PAN, your name, and your magstripe data are not exposed by the ISO 7816-4 commands this extension uses.

What the calling website does with this data is up to them. This extension only handles delivery — the privacy policies of the calling website (verifythecard.com, americafirst4us.com, etc.) govern what happens to the response data after it reaches the page. Their policies are available at the URLs of those sites.

7. Children's data

This extension is not directed at children under 13 and we do not knowingly collect data from any user, of any age. (See section 3.)

8. Changes to this policy

If we update this policy, we'll update the "Last updated" date at the top. Material changes will be announced via the Chrome Web Store listing description prior to a new version going live.

9. Your rights

Because we don't collect data, there's nothing for us to delete, correct, or hand back to you. You can verify this by:

Reading the extension source — it's distributed unminified and the entire codebase is under 500 lines
Watching outbound network traffic with lsof -i, Little Snitch, or your firewall of choice — you will see zero traffic from the extension
Uninstalling at any time at chrome://extensions/; nothing is left behind beyond the local Native Messaging host you installed yourself (which has its own uninstall script)

10. Contact

Questions, security concerns, or vulnerability reports: jjloflin@americafirst4us.com.

ELAI Chip BridgePrivacy Policy

1. Who we are

2. What data the extension handles

3. What we collect and store

4. What we send to third parties

5. Permissions and why we need them

nativeMessaging

host_permissions and content_scripts (5 ELAI origins + localhost)

6. The chip reader and your card data

7. Children's data

8. Changes to this policy

9. Your rights

10. Contact

ELAI Chip Bridge
Privacy Policy