Back to articles

Streaming enhancement extensions reviewed: security analysis, data practices & safer alternatives

24 streaming extensions in the QVI Empire network legally sell your Netflix and Hulu viewing data. Privacy analysis, risk breakdown, and safer alternatives.

Maxim Kosterin
7 min read

You installed an extension to skip Disney+ recaps. Another to adjust playback speed on Prime Video. Maybe one to customize your Netflix profile picture. Each one works exactly as advertised. And while you're watching, they're watching you back.

In April 2026, LayerX Security published research identifying 82 Chrome extensions that explicitly reserve the right to sell user data — all of it disclosed in privacy policies that almost nobody reads. A network of 24 of those extensions targets streaming services specifically: Netflix, Hulu, Disney+, Amazon Prime Video, HBO Max, and Peacock. According to LayerX's findings, these extensions collectively affect around 800,000 users.

I already covered the ad blocker subset of this problem. The streaming category is worse in a specific way: people expect their ad blocker might have privacy tradeoffs. Nobody expects their skip-intro button to be building a viewership database.


TL;DR

  • The "QVI Empire" (HideApp LLC) is a network of 24 streaming enhancement extensions targeting Netflix, Hulu, Disney+, and six other platforms
  • According to LayerX Security's research, these extensions collect viewing history, content preferences, playback behavior, and demographic data inferred from your email address
  • The data is sold to analytics and market research firms — legally, per the extensions' privacy policies
  • Native streaming platform controls and open-source tools offer the same functionality without the data trade-off

What these extensions actually do

The QVI Empire network — published by a developer known as HideApp LLC on the Chrome Web Store under the account name "dogooodapp" — includes extensions like:

  • Custom Profile Picture for Netflix [QVI]
  • Skip ads and intros, works with Disney Plus [QVI]
  • Ad Skipper for Prime Video [QVI]
  • Hulu Skipper: skip intros, recaps & more [QVI]
  • Prime Video Speeder: adjust playback speed [QVI]

Twenty-one of the 24 extensions were still live on the Chrome Web Store when LayerX published their report in April 2026. The naming convention gives it away in retrospect — the "[QVI]" tag in the title stands for "Quality Viewership Initiative," which is apparently the network's internal branding.

The extensions work. That's the point. You get genuine utility, leave them installed, and they run continuously in the background as you stream.


What they collect — and sell

According to LayerX's research, the QVI network collects:

  • What you watch, when, and for how long
  • Content preferences and subscription status across platforms
  • Playback behavior patterns (speed adjustments, rewinds, skipped sections)
  • Your email address — cross-referenced with external demographic databases to infer age, gender, and potentially income bracket

That last point is the uncomfortable one. An email address combined with viewing behavior across Netflix, Hulu, and Disney+ is surprisingly rich raw material. Commercial identity graphs can match these signals to real-world demographic and consumer profiles. Once that match is made, your viewing history isn't just "watched Hulu on Tuesday at 9pm" — it's effectively "35-44, premium streaming subscriber, watches sports and documentary content."

HideApp LLC has not publicly responded to LayerX's findings.


The labeling gap that makes this harder to catch

Here's the systemic problem underneath this specific case: the Chrome Web Store lets developers self-certify their privacy labels. A listing can say one thing while the actual privacy policy says another.

LayerX flagged a concrete example in their report: an extension called Dashy New Tab displays "does not sell your data" on its Chrome Web Store listing. The actual privacy policy, linked from that same listing, reads: "Sold or Shared: Yes."

Dashy New Tab has not publicly responded to LayerX's findings.

Google has not made any public statement about addressing this discrepancy. There's no automated verification that compares privacy policy text against a developer's self-reported data practice labels. This creates a trust problem that goes beyond any individual extension: users reasonably assume the "privacy practices" section of a store listing reflects reality.

Until that changes, the only reliable approach is to read the actual privacy policy — or use a tool that does it for you. The Extenshi catalog surfaces privacy policy data practices per extension, which is exactly the kind of check that would have caught this. If you want the legal mechanics, I broke down exactly how the "we may sell your data" clause turns a buried policy into blanket consent.


The risk beyond what you're watching

The viewing data itself is the obvious concern. But there's a less-discussed angle: extension data collection happens at the browser level, which means it's not limited to what the streaming platform can see. When Netflix measures your engagement, it does so within its own walled garden. When a browser extension sits in front of that content and monitors your playback, it can also observe everything else happening in the same browser session.

That means the extension has visibility when you switch from Netflix to your bank account, when you open a medical portal, or when you're comparison-shopping something sensitive. The QVI extensions are selling viewership data specifically — but the permission model gives them access to much more.

This isn't a QVI-specific flaw. It's how browser extensions work. But it's a reason to think carefully about which extensions you leave running in the background at all times.


Safer alternatives that don't sell your data

You don't need to give up skip buttons and speed controls. These alternatives do the same job without the data trade-off:

Video Speed Controller (by David Huang) — Free, open source, works on Netflix and most streaming platforms. Control playback speed with keyboard shortcuts. The source code is publicly available on GitHub — you can verify exactly what it does. No "we may sell your data" anywhere in the project. Check its current score at Extenshi before installing.

Your streaming platform's own controls — Before reaching for an extension, check what the platform natively offers. Netflix added variable playback speed controls (0.5×–1.5×) to its desktop player. Hulu supports native intro skipping for Hulu Originals. Disney+ has expanded its playback options progressively. These features aren't always prominent, but they exist — and using them means no extension sitting between you and the content at all.

Enhancer for YouTube — If YouTube is your main streaming platform, this is a well-established option with a much cleaner privacy record than the QVI network. Search for it on Extenshi to see the current security score before installing.


How to check if you have QVI extensions installed

Open chrome://extensions in Chrome. Look for any extension with "[QVI]" in its name, or check the "Developer" or publisher information for "dogooodapp" or "HideApp LLC."

If you find any, removing them is straightforward: click "Remove" on the extension card. Your streaming experience won't change — minus the data collection running in the background.


Final recommendation

The QVI extensions are functional. That's not the issue. The issue is that "works as advertised" and "doesn't monetize your behavior" are separate questions, and a working extension can fail the second one completely.

If you have QVI extensions installed, remove them. The native alternatives or Video Speed Controller replace the functionality without the data sale. If you're unsure what any of your current extensions are doing with your data, the Extenshi catalog scan surfaces privacy policy practices across your installed extensions — it's faster than reading 24 separate privacy policies yourself.

As a general rule going forward: when an extension's purpose seems unrelated to data collection, that's often exactly when it's worth checking the privacy policy. The less obvious the data angle, the easier it is to miss.

See security reports for streaming extensions →


This article is based on publicly available security research and news reporting. Extenshi does not independently verify all claims made by third-party researchers. References to specific companies or products reflect the findings of cited sources and do not constitute accusations of intentional wrongdoing. If you believe any information is inaccurate, please contact us at [email protected].

Related Articles