Privacy Policy
BBQOne is a Chrome extension for personal notes, bookmark backups, and a simple calendar. The extension runs in the extension popup and extension pages — it does not inject scripts into the pages you visit, does not read your browsing history, and does not ship any tracking or advertising code. This policy explains what data is stored, where, and what happens when you opt into cloud sync.
Local-first architecture
By default, BBQOne stores your data locally in your browser using chrome.storage.local. We do not collect, transmit, or store your content on remote servers unless you explicitly sign in for cloud sync.
This local data may include:
- Notes, note bodies, and folders (including Secure Folder contents)
- Bookmark backup snapshots and related settings
- Calendar events
- Extension preferences (theme, UI language, layout, banner dismissals)
In addition, BBQOne uses chrome.storage.session to hold the Supabase sign-in token (when you choose to sign in) and short-lived in-memory keys used by Secure Folders. chrome.storage.session data is automatically cleared by Chrome when you close the browser.
What we do not track
- Your IP address
- Your browser fingerprint
- Your browsing history
- The pages you visit
- Your location
- Personal identity (name, address, phone number)
- Payment or financial information
- Any analytics or telemetry
Optional cloud sync (Supabase)
If you choose to sign in (Sign In from the dashboard), BBQOne can sync your data to a Supabase project. After signing in:
- Your data is stored under your account, protected server-side by Row Level Security (RLS) — only your authenticated user can access your own rows.
- You can sign out at any time. The extension continues to work in local mode after sign-out.
What is encrypted vs. stored as plaintext
Encryption-at-rest in the cloud applies only to specific feature surfaces:
- Secure Folder notes — notes (title, label, body) stored inside a passphrase-gated Secure Folder are encrypted on your device using AES-GCM before being sent to Supabase. The encryption key is derived from your passphrase and never leaves your device.
- Bookmark snapshots — optionally protected by a PIN (client-side AES-GCM). When the PIN is set, the bookmark payload is encrypted before upload.
- Regular notes, folders, and calendar events — stored as plaintext under your user account, isolated from other users by RLS. Encryption-at-rest at the database layer is provided by Supabase's infrastructure but is not end-to-end.
All network transmission to Supabase uses HTTPS (TLS).
Authentication credentials
When you opt to sign in, BBQOne uses Supabase Auth with email + password (no OAuth redirect, no chrome.identity permission). Your email and password are used only at the moment of sign-in. Passwords are never stored by the extension — Supabase handles password hashing and credential security on its side.
No content scripts, no in-page features
BBQOne does not inject any content scripts into the pages you visit. It cannot read, modify, or observe the content of websites. All functionality runs inside the extension's own popup and background service worker.
How data is used
Your data is used exclusively to provide the core features of BBQOne. It is never sold, shared, or transferred to any third party for advertising, analytics, or any other purpose.
Data storage & security
Local mode (default): Application data is stored in chrome.storage.local, protected by Chrome's extension sandbox. Other extensions and ordinary websites cannot access this storage.
Cloud mode (opt-in): Data is stored in the Supabase backend configured for this build. Transmission uses HTTPS (TLS). Database access is gated by Row Level Security — your auth.uid() must match row ownership. Sensitive surfaces (Secure Folder notes, PIN-protected bookmark snapshots) are additionally encrypted client-side with AES-GCM before upload.
Your rights
You can at any time:
- Delete or edit items through the extension UI
- Export your Chrome bookmark tree as an HTML file from the Bookmarks tab (file saved on your device using chrome.downloads)
- Sign out from cloud sync (the extension continues to work locally)
- Uninstall the extension to remove local extension data from this browser profile
- Delete or export your cloud data using your Supabase project / account tools
Third-party services
For this version of BBQOne, network access in normal use is limited to:
- Supabase (*.supabase.co) — Authentication and optional data sync. Triggered only after you sign in.
- Google Fonts (fonts.googleapis.com / fonts.gstatic.com) — Loading the Inter UI font for extension pages. Google's terms and privacy policy apply to those requests.
The extension does not load remote scripts or remote code from any domain. It does not include content scripts on websites. It does not contact translation, dictionary, analytics, or advertising services.
Children's privacy
BBQOne is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us so we can take appropriate action.
Changes to this policy
We may update this privacy policy from time to time. The "Last updated" date at the top will reflect the latest revision. Continued use of BBQOne after changes constitutes acceptance.
Contact
If you have any questions about this privacy policy, please contact hghungdev@gmail.com.