← Back to Tabease

Privacy Policy

Last updated: March 24, 2026

This Privacy Policy explains how Tabease collects, uses, and protects your personal data when you use the Tabease Chrome extension and its associated backend service at api.tabease.app.

We are committed to full compliance with the EU General Data Protection Regulation (GDPR) and the UK GDPR.

---

1. Who We Are (Data Controller)

The data controller for Tabease is the developer operating under the brand name Tabease:

• Website: https://tabease.app
• Contact: hello@tabease.app

2. What Data We Collect and Why

We only collect data strictly necessary to provide the service, and never without your prior, informed consent.

2.1 Account Data (only if you register)

Data	Purpose	Legal Basis (GDPR Art. 6)
Email address	Account identification, login	Consent (Art. 6(1)(a))
Display name	Personalisation	Consent (Art. 6(1)(a))
Profile picture URL	Personalisation (Google sign-in only)	Consent (Art. 6(1)(a))
Password hash (PBKDF2, never plaintext)	Authentication	Contract (Art. 6(1)(b))
Subscription tier (free/pro)	Feature access control	Contract (Art. 6(1)(b))

You are not required to create an account. The extension is fully functional without one.

2.2 Tab and Canvas Data

Your tab history, mind map nodes, edges, and canvas layouts are stored locally in chrome.storage.local on your device. This data is never transmitted to our servers unless you explicitly enable cloud sync (a Pro feature).

2.3 Authentication Tokens

When you sign in, a JWT is stored in chrome.storage.local on your device, used solely to authenticate requests to our backend. It expires after 7 days.

2.4 Subscription and Payment Data

Payment processing is handled entirely by Stripe, Inc. We never see or store your card number or bank details. Stripe provides us only with your subscription status and tier. Stripe privacy policy

2.5 AI Requests (optional)

If you use AI features, your prompts and relevant canvas context are forwarded to the AI provider you select. These requests are proxied through our backend and are not stored by us.

3. What We Do NOT Collect

• We do not collect your browsing history beyond what you explicitly add to a canvas.
• We do not use tracking pixels, analytics SDKs, or advertising cookies.
• We do not sell, rent, or share your personal data with any third party for marketing purposes.
• We do not build advertising profiles.
• We do not use your data to train AI models.

4. Data Storage and Security

• Account data is stored in Cloudflare KV (EU data centres where available).
• All data in transit is encrypted via HTTPS/TLS.
• Passwords are never stored in plaintext — we use PBKDF2 with 100,000 iterations and SHA-256.
• Stripe webhook payloads are verified using HMAC-SHA256 signatures before processing.

5. Data Retention

Data	Retention period
Account data	Until you delete your account
JWT tokens	7 days (auto-expire)
Subscription status cache	1 hour (auto-expire in KV)
Local canvas/tab data	Until you clear it or uninstall the extension

6. Your Rights Under GDPR

• Right of access — request a copy of the personal data we hold about you.
• Right to rectification — request correction of inaccurate data.
• Right to erasure — request deletion of your account and all associated data.
• Right to restriction — request that we limit processing of your data.
• Right to data portability — receive your data in a machine-readable format.
• Right to object — object to processing based on legitimate interests.
• Right to withdraw consent — withdraw consent at any time without affecting prior processing.

To exercise any of these rights, contact hello@tabease.app. We will respond within 30 days.

You also have the right to lodge a complaint with your national supervisory authority (e.g. the ICO in the UK, or your local EU DPA).

7. Cookies

The Tabease Chrome extension does not use cookies. Authentication state is stored in chrome.storage.local, scoped to the extension and not accessible by websites.

8. Third-Party Services (Sub-processors)

Service	Purpose	Privacy Policy
Cloudflare Workers & KV	Backend hosting and data storage	cloudflare.com/privacypolicy
Stripe	Payment processing	stripe.com/privacy
Google (OAuth)	Optional sign-in	policies.google.com/privacy
OpenRouter / Together AI / Anthropic / Google Gemini	Optional AI features	See each provider's policy

9. Children's Privacy

Tabease is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact hello@tabease.app and we will delete it promptly.

10. Changes to This Policy

We will notify users of material changes by updating the "Last updated" date at the top of this document.

11. Contact

Email: hello@tabease.app
Website: https://tabease.app/privacy