Privacy Policy
Effective date: April 10, 2026
Article 1 — Data We Collect and How
We collect only the minimum personal data necessary to provide the Service, as follows:
| Data | Collection Method | Purpose |
|---|---|---|
| Email address | Notion OAuth authentication | Account identification, service notices, payment processing |
| Notion OAuth access token | Notion OAuth authentication | Auto-saving analysis results to Notion |
| Credit usage history and service usage metrics (analysis count, characters used per analysis) | Automatic service logging | Billing, analysis history management, service improvement |
| Web page text content | Chrome extension extraction | AI analysis processing (temporary — discarded immediately after analysis) |
| Payment information (email, subscription ID) | Automatic webhook from Polar.sh | Payment processing, subscription status management |
| Server access logs (IP, timestamp, request path) | Automatic service logging | Incident response, security monitoring |
We do not collect sensitive data such as health information, religious beliefs, or political views.
Article 2 — Purpose of Processing
Collected personal data is processed only for the following purposes:
- Service provision and operation (AI analysis, auto-save to Notion)
- Account management (account identification, deletion processing, abuse prevention)
- Billing and subscription management
- Service improvement and usage pattern analysis
- Incident response and security monitoring
- Compliance with legal obligations
Article 3 — Retention Periods
| Data | Retention Period | Basis |
|---|---|---|
| Account information (email, token, credits) | Deactivated immediately upon account deletion; permanently deleted within 30 days via automated process | User consent |
| Service usage metrics (analysis logs) | User identifier (user_id) anonymized 30 days after account deletion; aggregate metrics (characters used, plan, analysis count) retained permanently in anonymized form | Service operational purpose (aggregate analytics) |
| Web page text | Discarded immediately after analysis; never stored on our servers | User consent |
| Payment-related records | 5 years | Applicable commercial law |
| Server access logs | Automatically deleted after 30 days | User consent |
| Deletion record (for abuse prevention) | Permanently deleted 30 days after account deletion via automated process | Service operational purpose |
Article 4 — Third-Party Disclosure
We do not provide User personal data to third parties as a general rule. The sole exception is Notion, to which Users directly grant access via Notion OAuth for the core function of the Service:
| Recipient | Purpose | Data Shared | Retention |
|---|---|---|---|
| Notion Labs, Inc. | Saving analysis results to the User's Notion workspace (authorized directly by the User via OAuth) | AI analysis result text | Until deleted by the User in Notion |
Article 5 — Data Processing Subcontractors
We engage the following subcontractors to operate the Service. Subcontractors process data only as directed by us and are bound by contractual obligations prohibiting use beyond the delegated purpose.
| Subcontractor | Task | Data Processed | Country |
|---|---|---|---|
| Supabase, Inc. | Database and authentication services | Email, token, credit information | United States |
| Railway Corp. | Backend server hosting | Email, access logs | United States |
| Cloudflare, Inc. | Landing page hosting and CDN | Access logs | United States |
| Google LLC (Gemini API) | AI text analysis processing | Web page text, user-entered prompts (discarded immediately after analysis) | United States |
| Polar.sh | Payment processing | Email address (card information is handled directly by Polar.sh) | United States |
Article 6 — International Data Transfers
The Service transfers User personal data outside the country of origin as described below. By using the Service, you consent to these international transfers.
You may object to international data transfers by emailing tjehdqls12@gmail.com. However, because our core infrastructure is located abroad, objecting to transfers will make the Service unavailable and will result in account deletion.
| Recipient | Country | Data | Purpose | Safeguards |
|---|---|---|---|---|
| Supabase, Inc. | United States | Email, token, credit information | Database and authentication | Supabase Privacy Policy and DPA |
| Railway Corp. | United States | Email, access logs | Server hosting | Railway Privacy Policy |
| Google LLC | United States | Web page text, user prompts | AI analysis | Google Cloud Data Processing Agreement (DPA) |
| Notion Labs, Inc. | United States | AI analysis results | Notion document storage | Notion Privacy Policy and DPA |
| Polar.sh | United States | Email address | Payment processing | Polar.sh Privacy Policy |
Article 7 — Data Deletion Procedures
- Upon a deletion request, email, Notion token, credit information, and settings data are deleted without delay.
- Web page text is discarded immediately after AI analysis is complete and is never stored on our servers.
- Personal data in electronic file form is permanently deleted using technical methods that make recovery impossible.
- Information required to be retained by applicable law (such as payment records) is stored separately for the legally prescribed period before deletion.
Article 8 — Your Rights
You may exercise the following rights at any time under applicable privacy law:
- Request to view the status of personal data processing
- Request correction of inaccurate information
- Request deletion of personal data (except where retention is legally required)
- Request restriction of personal data processing
To exercise these rights, email us at tjehdqls12@gmail.com. Requests will be processed within 10 business days. You may also delete your account at any time to have all data removed immediately.
Article 9 — Cookies and Automatic Data Collection
- The Tabtrix extension does not use cookies.
- The landing page does not use tracking cookies.
- The Chrome extension stores authentication tokens and settings in chrome.storage.local. This data is stored only on your device and is not automatically transmitted to our servers.
- Our servers retain access logs (IP address, timestamp, request path) for 30 days for technical purposes (incident response, security monitoring), after which they are automatically deleted.
Article 10 — Security Measures
We implement the following technical and administrative measures to protect personal data:
- Encryption in transit: All data is transmitted encrypted via HTTPS/TLS.
- Access control: User data access is strictly limited via Supabase Row Level Security (RLS).
- Principle of least privilege: Only the minimum permissions needed to operate the Service are requested and granted.
- Authentication token protection: Notion OAuth tokens are used solely for Service delivery and are not reused for any other purpose.
- Data minimization: Only the minimum personal data necessary to provide the Service is collected.
Article 11 — Children Under 14
This Service is not directed at children under 14, and we do not knowingly collect personal data from them. If we become aware that a child under 14 has registered, we will immediately delete their account and personal data. If you believe a child's data has been collected, please notify us by email.
Article 12 — Privacy Contact
For inquiries, complaints, or to seek remedies regarding privacy, please contact us at:
- Email: tjehdqls12@gmail.com
- We aim to respond within 3 business days.
Article 13 — Regulatory Contacts
If you believe your privacy rights have been violated, you may also contact the following authorities (Korea-based regulators; international users may contact their local data protection authority):
- Personal Information Protection Commission (Korea) — privacy.go.kr / 182 (no area code)
- Personal Information Infringement Report Center (KISA) — privacy.kisa.or.kr / 118 (no area code)
- Supreme Prosecutors' Office Cyber Investigation Unit — spo.go.kr / 02-3480-3573
- National Police Agency Cyber Investigation Bureau — cyberbureau.police.go.kr / 182 (no area code)
Article 14 — Policy Changes
- If this Privacy Policy is amended, the reason and content of the change will be announced on the landing page at least 30 days before the effective date.
- Changes that materially affect your rights will also be communicated separately to your registered email address.