Privacy Policy

Last Updated: March 4, 2026

Chat Highlight ("we", "our", or "the Extension") is a personal knowledge management tool designed to help you capture, organize, and revisit information across the web—including AI chat platforms like ChatGPT, Claude, and Gemini. All features (highlighting, note-taking, tagging, and cloud sync) serve this single purpose: building your personal knowledge base.

This Privacy Policy comprehensively describes what data we collect, how we use it, how we store it, how we handle it, who we share it with, and your rights regarding your data.

TL;DR (The Short Version):

Local First: Your highlights are stored in your browser first. Cloud sync is optional but recommended for backup.
No AI Training: We are a storage tool, not an AI bot. We do NOT use your data to train any AI models.
No Selling: We never sell your personal data or reading history to advertisers or any third parties.
No Tracking: We do not track your browsing activity or collect analytics data.

1. Data We Collect

We only collect data that is strictly necessary to provide the core functionality of the Extension. Below is a complete and exhaustive list of all data types we collect:

A. Account Information (collected when you sign in)

We support two sign-in methods. The data collected depends on which method you use:

Method 1 — Google Sign-In (via chrome.identity API / OAuth 2.0):

Email address — provided by Google OAuth.
Display name — provided by Google OAuth.
Profile picture URL — provided by Google OAuth.

Method 2 — Email/Password Sign-In (via Supabase Auth):

Email address — entered by you during registration or login.
Password — entered by you during registration or login. Your password is transmitted securely over HTTPS to Supabase Auth and is never stored in plain text by the Extension or on our servers. Supabase handles password hashing and storage using industry-standard bcrypt. We never have access to your plain-text password.

This data is obtained only when you voluntarily choose to sign in. If you do not sign in, we do not collect any account information.

B. User-Generated Content (created by your actions)

The following data is collected only when you actively perform an action (such as selecting text and clicking "Highlight"). Our content script, which runs on web pages to enable highlighting, does not automatically read or transmit any page content. It waits for your explicit action before saving any data.

Highlighted text — the text you select and highlight on web pages.
Notes — any personal notes you attach to highlights.
Tags — labels you create to categorize your highlights.
Highlight color — the color you choose for each highlight.
Page URL — the URL of the web page where the highlight was made, used to link highlights back to their source.
Page title — the title of the web page, used for display in the sidebar and dashboard.
Page cover image — a representative image from the page, used for visual display in the dashboard.
Timestamp — the date and time when a highlight was created or modified.

C. Data We Do NOT Collect

To be absolutely clear, we do not collect any of the following:

General browsing history — we do not track which websites you visit. We only store the URLs of pages where you have explicitly made highlights (see Section 1B).
Form inputs on external websites — our content script does not read or collect data from input fields, search boxes, or forms on the websites you visit. The only input fields the Extension reads are its own built-in login/registration forms (see Section 1A).
IP addresses — we do not log your IP address.
Device information — we do not collect device model, OS version, or hardware identifiers.
Analytics or telemetry — we do not use Google Analytics, Mixpanel, or any analytics service.
Cookies — the Extension does not use tracking cookies.
Location data — we do not access your geographic location.
Financial information — we do not store credit card or payment details (payments are handled entirely by third-party processors).

2. How We Use Your Data

Each type of data we collect is used for a specific, limited purpose directly related to the Extension's core functionality:

Data Type	Purpose of Use
Email address	Authenticate your identity and associate your data with your account
Password (Email/Password sign-in only)	Authenticate your identity via Supabase Auth. Transmitted securely over HTTPS; never stored in plain text by the Extension
Display name & profile picture	Display in the Extension UI (sidebar and dashboard) so you can identify your account
Highlighted text & notes	Store and display your highlights; render them back on web pages; show in sidebar & dashboard
Tags & highlight color	Organize, filter, and visually distinguish your highlights
Page URL & title	Navigate back to the source page; group highlights by page in the dashboard
Timestamp	Sort highlights chronologically and display creation dates

We do not use your data for any purpose other than those listed above. Specifically, we do not use your data for advertising, profiling, marketing, or to train AI models.

3. How We Store Your Data

Your data may be stored in two locations, depending on whether you use cloud sync:

A. Local Storage (Default — No Sign-In Required)

Technology: chrome.storage.local (Chrome browser's built-in local storage API).
Location: Your local device only. This data never leaves your computer unless you enable cloud sync.
Encryption: Protected by your operating system's user account security.
Retention: Data persists until you manually delete individual highlights, clear all data via the Extension, or uninstall the Extension.

B. Cloud Storage (Optional — Requires Sign-In)

Technology: Supabase (PostgreSQL database hosted on AWS) or Firebase (Google Cloud Firestore), depending on server configuration.
Location: Supabase servers (AWS, US West — us-west-2) or Google Cloud servers (US regions).
Encryption: All data is encrypted in transit via TLS/HTTPS. Data at rest is encrypted by the cloud provider's platform-level encryption.
Retention: Data persists until you request account deletion (see Section 7).

4. How We Handle Your Data

We apply the following data handling practices to protect your information:

Access control: Cloud data is stored under your authenticated user account. Only you can access your own data via authenticated API requests.
No server-side processing: We do not process, analyze, or transform your data on our servers. The cloud database is used purely for storage and retrieval.
No human review: We do not manually review or read any user-generated content (highlights, notes, tags). No employee or contractor has standing access to your data.
Minimal data principle: We only collect and store data that is necessary for the Extension's core highlighting, note-taking, and sync functionality.
Secure transmission: All data transmitted between the Extension and cloud services uses HTTPS/TLS encryption.

5. Data Sharing & Third Parties

We do not sell, rent, or trade your personal data to any third party.

We share data only with the following trusted infrastructure providers, strictly to operate the service. Below is a complete list of all third parties that may receive user data, along with exactly what data they receive:

Third Party	Data Received	Purpose	Privacy Policy
Google (via `chrome.identity` API / OAuth 2.0)	Email, name, profile picture	User authentication (Google Sign-In)	Google Privacy Policy
Supabase Auth (hosted on AWS)	Email and password (for Email/Password sign-in). Password is hashed by Supabase using bcrypt; we never receive or store plain-text passwords.	User authentication and account management	Supabase Privacy Policy
Supabase Database (hosted on AWS)	Account info, highlights, notes, tags, page URLs, timestamps	Cloud database storage for sync feature	Supabase Privacy Policy
Firebase (Google Cloud)	Account info, highlights, notes, tags, page URLs, timestamps	Alternative cloud database storage	Firebase Privacy Policy
Lemon Squeezy / Creem	Email address (for order processing only). We never receive or store your credit card details.	Payment processing for VIP subscription	Lemon Squeezy Privacy Policy
Cloudflare	No user data (static hosting only)	Hosting the Cloud Dashboard website	Cloudflare Privacy Policy

No other third parties receive your data. We do not use any advertising networks, analytics platforms, data brokers, or AI training services.

6. Extension Permissions Explained

To function, our browser extension requires the following permissions. Here is exactly why we need each one:

Host permissions (<all_urls>) — Our extension injects a content script into web pages so that it can:
1. Detect the text you select and save it as a highlight when you choose to do so;
2. Re-apply (restore) your previously saved highlights when you revisit a page;
3. Inject visual highlighting styles (CSS) so you can see your marks on the page.
Important: The content script does NOT automatically read, collect, or transmit any page content. It only captures text that you explicitly select and choose to highlight. The script does not access passwords, form inputs, cookies, or any data beyond the text you actively highlight. No data is sent to any server unless you have opted into cloud sync.
activeTab & scripting — Used in conjunction with host permissions to read the text you select (for saving highlights) and to inject highlighting styles into the webpage. We strictly use these permissions solely for the core highlighting functionality.
storage — To save your highlights, notes, tags, and settings locally in your browser via chrome.storage.local.
sidePanel — To display the structured sidebar for organizing and browsing your highlights.
contextMenus — To add a right-click menu option for quick highlighting actions.
identity — To authenticate via Google Sign-In for the optional cloud sync feature. This permission is only used when you voluntarily sign in.

We do not request any permissions beyond what is listed above. We do not request history, bookmarks, tabs, or other sensitive permissions.

Content Script Data Access Boundary

To be fully transparent about what our content script can and cannot access:

What the content script CAN access	What the content script does NOT access
Text you explicitly select and highlight The current page URL and title (to link highlights back to source) Previously saved highlight data (to restore them visually on the page)	Full page content or DOM beyond your selection Passwords, form inputs, or authentication tokens Cookies, localStorage, or sessionStorage of the website Network requests or API calls made by the website Other browser tabs or windows Files on your local system

Google API Services Compliance

Chat Highlight's use and transfer to any other app of information received from Google APIs will adhere to the Chrome Web Store User Data Policy, including the Limited Use requirements.

Specifically:

We only use Google API data (email, name, profile picture obtained via chrome.identity) to provide and improve the Extension's core functionality (authentication for cloud sync).
We do not transfer Google API data to third parties except as necessary to provide the service, comply with applicable laws, or as part of a merger/acquisition with adequate data protection.
We do not use Google API data for serving advertisements or for any purpose unrelated to the Extension's single purpose.
No humans read your Google API data unless you provide affirmative consent, it is necessary for security purposes, or it is required by law.

7. Data Retention & Deletion

A. Local Data

Local data is retained indefinitely until you choose to delete it.
You can delete individual highlights from the Extension's Popup or Sidebar at any time.
You can clear all local data for a specific page via the "Clear" function in the Popup.
Uninstalling the Extension will automatically delete all local data.

B. Cloud Data

Cloud data is retained as long as your account is active.
You can delete individual highlights from the Cloud Dashboard at any time.
You can request full account deletion by emailing support@chat-highlight.com. Upon receiving your request, we will delete your account and all associated data from our cloud database within 7 days.
After deletion, your data cannot be recovered.

8. AI & Data Usage

Given that our tool is used to highlight AI chats (like ChatGPT), users often ask if we use this data for training.

Our Stance is Clear: We are a storage tool, not an AI bot.

We do not provide generative AI features, and we do not send your data to any AI service for processing. We do not use your highlights, notes, or chat logs to train, fine-tune, or improve any Large Language Models (LLMs). Your data remains strictly your private intellectual property.

9. Your Rights

Regardless of where you are located, you have the following rights regarding your data:

Right to Access: You can view all your data at any time within the Extension or the Cloud Dashboard.
Right to Export: You can export all your local data directly from the Extension in JSON, Markdown, or HTML format at any time.
Right to Delete: You can delete your data locally (via the Extension) and in the cloud (via deletion request). See Section 7 for details.
Right to Withdraw Consent: You can sign out of cloud sync at any time, and your data will no longer be synced to the cloud. Local data will remain on your device.

For users in the European Union (GDPR) and California (CCPA), you additionally have the right to request a copy of all personal data we hold about you, and the right to object to data processing. To exercise any of these rights, contact us at support@chat-highlight.com.

10. Children's Privacy

Our Extension is not intended for use by children under the age of 13. We do not knowingly collect personal data from children. If we learn that we have inadvertently collected data from a child under 13, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the "Last Updated" date at the top of this page. We encourage you to review this policy periodically.

12. Contact Us

If you have any questions about this Privacy Policy, please contact us at: support@chat-highlight.com