Yes, and you don’t have to take our word for it. Any software you type a password into, including Proton’s own apps, holds it in memory for that moment, and that is unavoidable. The question that matters is whether it sends or stores your password anywhere it should not, and both are things you can check from outside the extension. Sign-in uses Proton’s SRP protocol, so your password is never transmitted, not even to Proton: a proof is computed on your device and only that proof is sent. The extension also verifies Proton’s signature on the login parameters and checks the server’s counter-proof, so a tampered login exchange is detected and aborted. Your password is used only on your device, to build that proof and to unlock your Proton keys, and two-factor codes go only to Proton.
Between sessions the extension keeps only the session tokens and the derived key passphrase it needs, encrypted with AES-256-GCM — the Data & Encryption section above lists exactly what is stored, where, and the honest limits of that encryption. With default settings all traffic goes to Proton’s own servers, with two scoped exceptions: Proton’s human-verification step (which loads Proton’s hCaptcha page), and a licence check for paid subscriptions that receives your Paddle subscription ID and nothing else — without a licence key the extension never contacts our servers at all. There are no analytics, no telemetry and no crash reporting of any kind (the Firefox manifest formally declares “no data collection”), and remote content in emails stays blocked until you choose to load it.
To check all of this yourself: every release ships as readable, unminified source. The Firefox package is the source verbatim — no bundler, no minifier — so you can download the .xpi from the add-on listing, unzip it, and read exactly the code that runs; the only minified files are the two official cryptography libraries (OpenPGP.js and bcrypt.js), and every listed release additionally goes through Mozilla’s add-on review. There is no certificate pinning and no traffic obfuscation, so you can watch every request the extension makes in your browser’s own devtools. Mail Checker is an independent project and is not affiliated with Proton AG — if you would rather trust no third party at all, Proton’s own web app is the right choice.