Privacy Policy — Overflow Tab Bar

Last updated: 5/10/26


This privacy policy explains what data the Overflow Tab Bar Chrome extension and its companion server collect, how that data is used, who it is shared with, and the choices you have. It is written to be read by the people who use the extension, not just by lawyers.


If you have questions or want your data deleted, contact us at: [email protected]

1. Single purpose of the extension

Overflow Tab Bar's single, declared purpose is to manage your browser tabs. It moves overflowing tabs into a second row below the bookmarks bar and provides an optional second bar (the "Workspace bar") for a curated set of tabs. Every permission the extension requests is in service of that purpose.

2. What data is collected

We have intentionally minimised what crosses the network. The extension reads a lot of local browser data (your tabs, your bookmarks, your tab groups), but almost none of it is ever sent to our server. The full list of data that does leave your machine:



The following data is read by the extension but never sent to our server:

The titles and URLs of your tabs (read locally to render the tab bar)

The contents of any web page (the extension does not read or modify page content beyond positioning its own tab bar near the top of the page)

Your bookmarks (read locally for the "Open bookmark folder into workspace" feature)

Your tab groups

Your browsing history

Your form data, passwords, or any other input

3. How collected data is used

Email and Google account ID: to identify your account, prevent duplicate trials, recognise the same user across multiple installs, and (if you've linked a second Google account) authorise that account for the same Pro features.

API key: to authenticate API requests from your install to our server.

Stripe identifiers: to look up your billing status when our server receives webhook events from Stripe (subscription started, payment failed, subscription cancelled, etc.). Our server polls every hour to refresh subscription state.

IP address: incidental to making HTTP requests. We do not log or analyse IP addresses beyond what our hosting provider does for standard rate-limiting and abuse prevention.

4. Where data is stored

On your device (in chrome.storage.sync): your settings, the IDs of tabs in your workspace bar, the URLs of tabs in your visual bar groups, your API key, and a cached copy of your subscription status. This data syncs across Chrome installs you are signed into via your Chrome profile, but never reaches our server unless explicitly listed in section 2.

On our server: the data listed in section 2, stored in a Postgres database, retained until you delete your account.

Stripe: handles all payment information directly. We do not store credit card numbers, billing addresses, or other payment details on our server. Stripe's privacy policy is at https://stripe.com/privacy.

5. Who data is shared with

We share data only with the following third parties, and only the data that is strictly required:

Google — to verify the OAuth tokens you provide when signing in (read-only profile and email scopes).

Stripe — to process payments and manage subscriptions. Your email is shared with Stripe so receipts can be sent.

Our hosting provider (Railway) — runs the server that processes your requests; sees only the data we transmit to our server.

We do not sell, rent, or share your data with advertisers. We do not run analytics on your tab activity.

6. Data retention and deletion

You can request deletion of your account and associated server-side data at any time by emailing [email protected].

Within 7 days, we will:

Delete your row from the users table (email, Google IDs, API key, Stripe IDs)

Cancel any active subscription via Stripe

Confirm deletion to you by email

Local data on your device is removed when you uninstall the extension or run chrome.storage.sync.clear() in the extension's service worker DevTools console.

If you cancel your subscription via Stripe but do not request account deletion, your row is retained so we can recognise you if you re-subscribe later. Trial-eligibility tracking (the rule that stops the same Google account from starting a new trial) requires retaining your Google account ID for as long as the row exists.

7. Children

Overflow Tab Bar is not directed at children under 13 and we do not knowingly collect data from children under 13. If you believe we have collected data from someone under 13, please contact us and we will delete it.

8. Your rights

If you reside in the European Economic Area, the United Kingdom, or California, you have specific legal rights regarding your personal data, including the right to access, correct, or delete it; the right to data portability; and the right to lodge a complaint with a data protection authority. You can exercise these rights by emailing [email protected].

We do not engage in automated decision-making that produces legal effects. We do not transfer data outside the country where our hosting provider operates beyond what's necessary to serve the request.

9. Security

All API requests between the extension and our server use HTTPS.

Your API key is stored locally in chrome.storage.sync (encrypted in transit by Chrome's sync service).

Our server's database connection uses TLS.

Our server checks a shared secret on every API request, so requests must originate from a properly configured copy of the extension.

We do not store payment details; Stripe handles that.

No system is perfectly secure. If we discover a security breach affecting your data, we will notify you within 72 hours.

10. Changes to this policy

If we change this policy in a way that materially affects what we collect or how we use it, we will update the "Last updated" date at the top and notify users via the extension's update notes and (if you've signed in) by email. Continued use of the extension after the change constitutes acceptance.

11. Contact

Email: [email protected]

Postal address (if your jurisdiction requires one): 1980 Kenilworth Cir Apt A, Hoffman Estates, IL 60169


This document is provided as a starting point and may need to be reviewed by a lawyer to comply with your jurisdiction's specific requirements (GDPR, CCPA, PIPEDA, etc.). Do not consider it legal advice.