Privacy

Your open tabs are
not our dataset.

Tab Checkout is designed around on-demand access, minimal collection, local-first storage, and a clear boundary before anything can leave the device.

Data map

What is touched, where it goes, and why.

Tab metadataLocal defaultTitle, full URL, position, pin/active/audio/private status used to create the snapshot and plan. URL query strings can contain secrets.
Page contentPer checkoutReadable text is extracted after a Chrome prompt. Full bodies stay in memory; bounded cited quotes may enter the receipt, while headings and metadata excerpts may enter the paired snapshot. Selected text is not currently captured.
Remote analysisOpt-in boundaryRelay URLs remove every query value and fragment, redact long opaque path segments and embedded credentials, then apply common secret-pattern redaction to remaining text. Local receipts still retain full URLs for Undo.
ReceiptsLocal firstSnapshots and receipts are intended to persist on the user’s device and be exportable by the user.
Validation metricsOff by defaultOptional local counters contain event names and counts only—never URLs, titles, page text, or receipt content.

Redaction is a guardrail, not a guarantee.

Pattern-based redaction reduces obvious exposure. It cannot prove that arbitrary page text contains no confidential information. That is why page-content analysis is optional and remote analysis must remain a user-controlled boundary.

Current redaction targets

  • Every URL query value and fragment before relay
  • Long opaque URL path segments and embedded URL credentials
  • Email addresses and common API-key prefixes
  • Bearer tokens and JWTs
  • Payment-card-like number sequences

Your controls

ACCESS

Start access yourself

The extension inspects a selected window only when checkout is initiated. Browser permission does not become permission to watch.

EXPORT

Take the record with you

Receipts use open JSON and can render to Markdown or HTML. They include source URLs, so review an export before sharing it.

DELETE

Remove local history

Delete one receipt and its snapshot, or clear all local Tab Checkout data from the extension.

Receipt first. Close second.

Inspect the boundary before trusting it.

Read the threat model and receipt format. Privacy claims should be testable in code, not just comforting copy.