Privacy Policy — Tabgraph
Effective date: TBD before publish.
Tabgraph is a browser extension and companion web service that captures the relationships between the browser tabs you open, organises them into a per-session graph, and lets you save, search, share, and export sessions.
This policy explains what Tabgraph collects, when it leaves your device, what happens to it once it does, and how to delete it.
Plain-language summary
- Local-first: while you browse, Tabgraph captures events into your browser’s local storage. Nothing is sent to our servers until you sign in and the extension’s sync is enabled.
- What we send when sync is enabled: the URLs you visit, the page titles, favicon URLs, the timestamp, and the parent-tab relationship for each navigation. We do not capture page contents, form input, cookies, or any data from inside the page.
- What we do not collect: page content; selected text; form data; passwords; cookies; cross-site identifiers; analytics about your interaction with the Tabgraph UI itself; any data from incognito browsing (we explicitly opt out via
incognito: splitin the manifest). - Where the data lives: Postgres database operated by Stratus Studios. Hosted on infrastructure under our control.
- Retention: free-tier sessions that you don’t explicitly save are deleted automatically after 7 days. Saved sessions are kept until you delete them.
- Sharing: you can generate a read-only share link for a session. The link is a 256-bit random token; we store only its SHA-256 hash. Anyone with the link can view that one session’s graph and nothing else.
- Sign-in: handled by an OpenID Connect provider. We receive your email address and a stable user identifier from the provider; we do not see your password.
Data we collect
From the extension (when signed in and sync enabled)
For each browsing event:
- The full URL of the page (after our canonicalisation rules: tracking parameters like
utm_*,fbclid,gclid,ref,mc_eidare stripped client-side before transmission). - The page title.
- The page’s favicon URL.
- The Chrome tab ID (an integer scoped to your browser session; meaningless outside it).
- The opener tab ID (when one tab opened another).
- The transition type (
link,typed,reload,form_submit,auto_bookmark,restored,push_state). - The Unix timestamp of the event.
- A device identifier we generate when you first sign in.
- A session identifier — created locally, then registered with our backend.
From the web app
- Standard server logs (request method, path, response code, timing, IP address). Retained for 30 days, then deleted.
From sign-in
- Your email address and a stable user identifier from the OpenID Connect provider.
Data we do not collect
- Page contents (HTML, text, images, video).
- Selected text or any user input on a page.
- Form field values.
- Cookies, local storage, or any browser state from inside the page.
- Cross-site tracking identifiers.
- Telemetry about your interaction with Tabgraph’s own UI (popup clicks, scroll position, etc.).
- Any data from incognito windows. The extension declares
"incognito": "split"in its manifest and explicitly drops events from incognito tabs.
When data leaves your device
- Never, while you are signed out.
- Never, when sync is disabled in the extension’s options page.
- In batches roughly every 30 seconds, when you are signed in and sync is enabled. The extension queues events to local storage and flushes them to the backend in batches.
- On manual save: when you click “Save session” in the popup, any pending events are flushed before the session is marked saved.
What happens on the backend
Events are stored in a Postgres database operated by Stratus Studios. They are scoped to your user account; only requests authenticated as you can read them.
Sharing
When you create a share link for a session:
- A 256-bit random token is generated server-side.
- Only the SHA-256 hash of the token is stored.
- The raw token is returned to you once and never again.
- Anyone with the link can view that one session’s graph (read-only) without signing in.
- You can revoke a link at any time from the session view; revocation is immediate.
Retention
- Free-tier sessions that you do not explicitly save: deleted automatically 7 days after creation.
- Saved sessions: kept until you delete them.
- Idempotency records (used to dedupe replayed event batches): deleted automatically 7 days after the event was received.
- Server logs: 30 days.
Deletion
- Single session: click “Delete session” in the session view. Deletion is immediate; all nodes, edges, and visit records for the session are removed.
- All your data: from the Settings page, click “Delete all my data” and confirm. We delete your user record; all your sessions cascade-delete. This action is irreversible.
- Account deletion via email: send a deletion request to
privacy@stratusstudios.comfrom the email address associated with your account. We will respond within 30 days.
Third parties
We use the following third-party services to operate Tabgraph:
- Hosting: TBD before publish.
- OpenID Connect provider: TBD before publish.
- Payment processing (Pro tier): Stripe. See Stripe’s privacy policy. We do not see or store your payment card details.
Security
- All data in transit is encrypted with HTTPS.
- Data at rest is encrypted by the underlying database storage layer.
- Access tokens are stored in your browser’s
localStoragefor the web app andchrome.storage.localfor the extension. - The extension requests only the Chrome permissions it needs to capture tab relationships:
tabs,webNavigation,storage,alarms,identity. It explicitly does not request<all_urls>host permission and does not inject content scripts into pages.
Changes to this policy
We will update the “Effective date” above and the version control history of this file when this policy changes. Material changes will be announced in the extension’s changelog.
Contact
- General:
support@stratusstudios.com - Privacy / data deletion:
privacy@stratusstudios.com - Source code: https://github.com/stratusstudios/tabgraph