Privacy Policy
Summary: Tab Organizer AI sends your tab URLs and titles to our server solely to power AI grouping features. We do not sell your data, build advertising profiles, or share your browsing history with third parties. All local caches are stored only on your device.
1. Who We Are (Data Controller)
Tab Organizer AI ("we", "us", "our") operates the browser extension of the same name. For the purposes of the EU General Data Protection Regulation (GDPR) and the UK GDPR, we act as the data controller for personal data processed through this extension.
Contact: edwardnero2020@gmail.com
2. What Data We Collect and Why
2.1 Tab Data (URLs and Page Titles)
When you use AI features (Auto-Group, Auto-Sort, Tab Summary), we transmit the URLs and page titles of your open tabs to our backend server. This data is used exclusively to generate AI-powered group suggestions via a large language model (LLM).
- Tabs with internal browser URLs (
chrome://,about:,file://,chrome-extension://,data:) are never sent. - Tab data is processed transiently — we do not store it after the AI response is generated.
- Results are cached locally on your device (in
chrome.storage.local) to avoid redundant requests.
Legal basis (GDPR Art. 6): Legitimate interests (Art. 6(1)(f)) — necessary to deliver the core functionality you explicitly activate. Where required, consent.
2.2 Account Information
If you create an account, we collect your email address and password (hashed, never stored in plaintext). Authentication is handled by Supabase Auth. Your session token (JWT) is stored locally in chrome.storage.local and sent to our server with each AI request to verify your plan and enforce usage limits.
Legal basis: Contract performance (Art. 6(1)(b)) — required to provide subscription services.
2.3 Usage Data
We track the number of AI operations you perform (manual grouping, auto-grouping, reclassification) server-side to enforce plan limits. This data is tied to your user account and resets monthly.
Legal basis: Contract performance (Art. 6(1)(b)).
2.4 Payment Data
Premium subscriptions are processed by Stripe. We never receive or store your card number or payment details. We only receive a Stripe customer ID and subscription status via webhooks. Stripe's privacy policy applies to payment processing: stripe.com/privacy.
Legal basis: Contract performance (Art. 6(1)(b)).
2.5 Locally Stored Data (On-Device Only)
The following data is stored only on your device and never transmitted to our servers:
- Workspaces — saved tab sessions (URLs + titles) you create manually.
- Bookmark backup — a snapshot of your bookmarks taken before AI reorganization (for undo).
- Classification caches — domain and URL-level grouping suggestions to reduce API calls.
- Summary cache — AI-generated summaries of tab groups.
- Settings — your preferences (language, emoji toggle, etc.) stored in
chrome.storage.sync.
3. Data We Do NOT Collect
- Page content, passwords typed into websites, or form data.
- Browsing history beyond what you explicitly trigger with an AI action.
- Any data from tabs open in Incognito/Private windows (the extension does not have access to those by default).
- Device identifiers, IP addresses stored long-term, or precise geolocation.
4. Data Sharing and Third Parties
| Recipient | Purpose | Data Shared | Location |
|---|---|---|---|
| Our backend server (LLM proxy) | AI tab processing | Tab URLs, titles, language setting, JWT token | EU / as configured |
| Supabase | Authentication & database | Email, user ID, plan data | EU (Frankfurt) |
| Stripe | Payment processing | Email, billing details (handled by Stripe) | USA (SCCs apply) |
| AI/LLM provider | Generating grouping/summary responses | Tab URLs and titles (via our proxy) | USA (SCCs apply) |
We do not sell, rent, or trade your personal data. We do not share data with advertisers.
For transfers to countries outside the EEA (e.g. USA), we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission.
5. Data Retention
- Tab data sent for AI processing — not retained after the response is returned (transient).
- Account data — retained for the lifetime of your account, plus 30 days after deletion.
- Usage counters — reset monthly; full history retained for 12 months for billing disputes.
- Local device data — retained until you uninstall the extension or clear it manually.
6. Your Rights (GDPR / UK GDPR)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights:
- Right of access — request a copy of your personal data (Art. 15).
- Right to rectification — correct inaccurate data (Art. 16).
- Right to erasure ("right to be forgotten") — request deletion of your account and associated data (Art. 17).
- Right to restriction of processing — request that we limit how we use your data (Art. 18).
- Right to data portability — receive your data in a machine-readable format (Art. 20).
- Right to object — object to processing based on legitimate interests (Art. 21).
- Right to withdraw consent — where processing is based on consent, you may withdraw at any time without affecting prior processing.
- Right to lodge a complaint — with your local supervisory authority (e.g. CNIL in France, ICO in the UK, BfDI in Germany).
To exercise any of these rights, contact us at edwardnero2020@gmail.com. We will respond within 30 days.
7. Children's Privacy
Tab Organizer AI is not directed at children under the age of 16. We do not knowingly collect personal data from children. If we discover that we have collected data from a child under 16 without verifiable parental consent, we will delete it promptly.
8. Security
We use industry-standard security measures including TLS encryption for all data in transit, JWT-based authentication with short-lived tokens, and Row Level Security (RLS) policies in our database. Passwords are hashed using bcrypt by Supabase Auth.
9. Cookies and Similar Technologies
The extension itself does not use browser cookies. Our backend server may set standard HTTP session cookies for authentication flows. These are strictly necessary and not used for tracking or advertising.
10. California Privacy Rights (CCPA)
If you are a California resident, you have the right to know what personal information we collect, request deletion of your personal information, and opt out of the "sale" of personal information. We do not sell personal information as defined under the CCPA.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you via the extension's options page or by email (if you have an account). The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the extension after changes constitutes acceptance of the updated policy.
12. Contact
For privacy-related questions, data subject requests, or to report a concern:
Email: edwardnero2020@gmail.com