Privacy Policy
Last updated: July 6, 2026
Short version: Detab stores your tab data locally on your device first. Cloud sync is optional and requires signing in. We don't sell your data, we don't read your tabs, and you can export or delete everything at any time.
Who we are
Detab ("we", "us", "our") is a browser extension and web application for saving, organizing, and searching browser tabs. The service is operated by Detab.ai. You can reach us at [email protected].
What data we collect
The data we collect depends on how you use Detab.
Without an account (local-only mode):
- Tab URLs, titles, and favicons you choose to save — stored only in your browser via
chrome.storage.local. We never see this data.
When you create an account:
- Email address — collected when you sign in via Google OAuth or email, used to identify your account.
- Tab library — your saved tabs, collections, spaces, tags, and notes, synced to our servers so they're available across devices.
- Device information — browser name and operating system (e.g. "Chrome on Mac"), used to show you your synced devices.
- Sync timestamps — when each device last synced, used for conflict resolution.
When you subscribe to Pro or Team:
- Billing is handled entirely by Paddle (our payment processor). We receive confirmation of your subscription status and a Paddle customer ID. We never see your payment card details.
How we use your data
- To sync your tab library across your devices.
- To enforce plan limits (e.g. the 2-device limit on the free tier).
- To restore your data if you reinstall the extension or switch devices.
- To send transactional emails (subscription confirmations, payment receipts) — no marketing email without your consent.
We do not sell your data. We do not use your tab data for advertising. We do not read the content of your tabs.
Legal basis for processing (GDPR)
If you are located in the European Economic Area (EEA) or the UK, we process your personal data under the following legal bases:
- Contract performance — processing your email address and synced tab library is necessary to provide the Detab service you signed up for. Without this, we cannot offer cloud sync or account features.
- Legitimate interests — fetching favicons to display alongside your saved tabs, maintaining service security, and resolving sync conflicts. These interests do not override your rights and freedoms.
- Legal obligation — retaining billing records as required by applicable law.
- Consent — for any optional communications or features we introduce in future that are not strictly necessary to provide the service. You may withdraw consent at any time.
Third-party services
Detab uses the following third-party services to operate:
- Clerk — authentication (sign-in, session management, JWT issuance). Clerk processes your email address and issues session tokens.
- Cloudflare — hosting, edge compute (Workers), and database (D1). Your synced tab data is stored in Cloudflare's infrastructure.
- Paddle — payment processing and subscription management. Paddle acts as the Merchant of Record and handles tax compliance globally.
- Google Favicon Service — the extension fetches favicon images via
https://www.google.com/s2/favicons?domain=…to display icons next to your saved tabs. This means the domain names of your saved tabs are sent to Google's servers to retrieve the icon. If this concerns you, note that the URLs themselves (not the full tab content) are the only information shared.
Data storage and security
Your tab library is stored in two places:
- Locally — in
chrome.storage.localon each device where you have the extension installed. This is the authoritative copy. - Cloud — in a Cloudflare D1 database, encrypted at rest, accessible only to your account. Cloud storage requires signing in and is used solely for sync.
We use HTTPS for all data in transit. Access to our database is restricted to authenticated Workers running our API code.
International data transfers
Detab's infrastructure is operated by Cloudflare, which is headquartered in the United States. If you are located in the EEA or UK, your synced tab data is transferred to and stored in the US.
This transfer is covered by Cloudflare's participation in the EU-US Data Privacy Framework (DPF) and their UK Extension, which provide adequate safeguards for personal data transferred from the EEA and UK to the US. Cloudflare's data processing addendum (DPA) is available on their website.
Authentication is handled by Clerk, which is also US-based and EU-US DPF certified. Billing is handled by Paddle, which operates globally and is GDPR compliant.
Your rights and choices
You have the following rights over your personal data. To exercise any of them, email [email protected] and we will respond within 30 days.
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure — ask us to delete your account and all associated cloud data. We will action this within 30 days.
- Data portability — export your entire tab library at any time directly from the extension (HTML, Markdown, JSON, CSV, or browser bookmarks format). No account required.
- Restriction — ask us to pause processing your data while a dispute is resolved.
- Object — object to processing based on legitimate interests. We will stop unless we can demonstrate compelling grounds that override your interests.
- Device management — view and remove synced devices from the extension's Settings panel at any time.
- Sign out — signing out stops sync and removes your session token from the device. Your local tab data is not affected.
If you are in the EEA or UK and believe we have not handled your data lawfully, you have the right to lodge a complaint with your national data protection authority (e.g. the ICO in the UK, or your EU member state's DPA). We would appreciate the opportunity to address your concern directly first — please contact us before filing a complaint.
Data retention
We retain your synced data for as long as your account is active. If you delete your account, your data is deleted within 30 days. Billing records (subscription history) may be retained longer as required by law or by Paddle as our payment processor.
Children's privacy
Detab is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.
Changes to this policy
We may update this policy from time to time. If we make material changes, we will update the "Last updated" date at the top of this page. Continued use of Detab after changes are posted constitutes your acceptance of the revised policy.
Contact us
Questions about this policy? Email us at [email protected].