Privacy Policy — Thread Context Cards

1. Introduction

Thread Context Cards ("the Extension", "we", "our", or "us") is a browser extension that provides inline context cards within Gmail, displaying recent conversations, attachments, calendar events, and Drive files. This Privacy Policy explains how the Extension handles information when you use it.

We take your privacy seriously. This policy describes: (a) what data the Extension accesses, (b) how that data is used and processed, (c) your rights and choices regarding your data, and (d) our legal commitments under applicable privacy laws including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

By installing and using the Extension, you acknowledge the practices described in this policy. If you do not agree with any part of this policy, please uninstall the Extension.

2. Data Controller and Contact Information

Data Controller: The Extension is developed and operated as an individual developer project.

Contact: For any privacy-related inquiries, data access requests, or concerns, please contact us at burhanmujahid750@gmail.com or through our support channels at patreon.com/c/burhanmujahid.

We will respond to all legitimate requests within 30 days.

3. Data Accessed and Purpose

The Extension accesses the following categories of data through Google's OAuth 2.0 authentication framework using the principle of least privilege. All access is read-only unless explicitly stated:

Gmail (read-only) Retrieve email thread subjects, snippets, and attachment metadata for contacts you hover over. We do not read full email bodies, and we never store email content on any server.

Google Calendar (read-only) Fetch event titles, start/end times, and organizer information for upcoming and past meetings with a contact.

Google Drive (read-only) List file names, MIME types, and modification dates for files shared with or by a contact.

People / Contacts (read-only) Retrieve contact names, phone numbers, organizational data, and group memberships to enrich the card header.

OpenID / Email / Profile Verify your identity and display your account information in the Extension's settings and popup.

What We Do NOT Collect

Full email content or bodies — The Extension only reads thread metadata (subject, snippet, date, attachment presence). Complete message bodies are never retrieved or processed.
Passwords or credentials — Authentication is handled entirely through Google's OAuth 2.0 flow. We never see or store your password.
Browsing history — The Extension only activates on mail.google.com and makes API calls to Google Workspace endpoints. It does not track your browsing activity on other sites.
Personal communications content — We do not read, analyze, or store the contents of your emails or messages.
Keystrokes or input data — The Extension responds only to hover events on sender names within Gmail's interface. It does not log keystrokes or form inputs.

4. How Data Is Processed and Stored

Local Processing

All data fetched from Google's APIs is processed entirely on your local device within the browser extension's runtime. Data is temporarily cached in the browser's IndexedDB storage to improve performance and reduce API calls. This cached data is stored locally and is never transmitted to any external server (beyond the initial API requests to Google's own servers).

The local cache has a time-to-live (TTL) of up to 60 minutes for most data types and up to 24 hours for contact profile information. Expired cache entries are automatically pruned by the Extension every 15 minutes.

Firebase Usage Analytics

If you choose to sign in via the Extension's settings page, the Extension uses Firebase (Google's application development platform) to collect anonymized usage metrics. Specifically, the Extension logs:

A count of how many context cards you view per day and per month
Which sections of the card (threads, attachments, calendar, drive) had data
Whether the data was served from cache or fetched fresh
The response time for data fetches (in milliseconds)

This data is used solely to improve the Extension's performance, detect errors, and manage rate limits. It is stored in Firebase Firestore and is associated with an anonymized user ID derived from your Google account. The usage data is retained for the lifetime of your account with the Extension and can be deleted upon request.

You may opt out of usage analytics at any time by clicking "Disconnect account" in the Extension's settings page. This revokes the Firebase authentication token and stops all data transmission to Firebase.

No Third-Party Data Sharing

We do not sell, rent, trade, or otherwise transfer your data to any third party. We do not use third-party analytics services, advertising networks, or data brokers. The only external services accessed are:

Google Workspace APIs (Gmail, Calendar, Drive, People) — to fetch the data you explicitly request by hovering over a contact
Firebase (optional) — to store anonymized usage metrics if you choose to sign in

5. OAuth Scopes — Justification

The Extension requests the following OAuth 2.0 scopes, each with a specific, narrowly-tailored purpose:

gmail.readonly — Required to list recent email threads from a specific sender and detect attachments. Used only when you explicitly hover over a contact. No email content is stored or transmitted.
calendar.readonly — Required to check for upcoming and past events involving the hovered contact. Only event metadata (title, time, organizer) is retrieved.
drive.readonly — Required to list files shared with or created by the hovered contact. Only file metadata (name, type, modification date) is retrieved.
contacts.readonly — Required to enrich the card header with the contact's name, phone number, and organization from your address book.
openid, email, profile — Required for Firebase authentication to enable usage tracking and rate limit management.

All scopes are read-only and are used exclusively for the core functionality of the Extension. The Extension does not modify, delete, or create any data in your Google accounts.

6. Data Retention and Deletion

Local cache: Automatically expires and is pruned on a rolling basis (TTL: up to 24 hours). You can clear the cache at any time by clicking "Reset defaults" in the Extension's settings page or by uninstalling the Extension.
Firebase usage data: Retained for the duration of your account. You can delete all usage data by disconnecting your account in the settings page or by contacting us directly.
OAuth tokens: Managed by Chrome's identity API. Tokens are stored securely by the browser and can be revoked at any time by signing out in the Extension's settings page, or by visiting your Google Account permissions page.
Uninstalling: When you uninstall the Extension, all locally cached data is automatically removed by the browser. Firebase usage data can be deleted upon request.

7. Data Security

We implement appropriate technical and organizational measures to protect your data:

Encryption in transit: All API requests are made over HTTPS (TLS 1.2 or higher).
OAuth 2.0: Authentication is handled by Google's industry-standard OAuth 2.0 framework. The Extension never receives or stores your Google password.
Local storage: Cached data is stored in the browser's sandboxed IndexedDB storage, which is isolated from other extensions and websites. Firebase authentication uses indexedDB-based persistence for token storage.
No server storage of email data: Email thread metadata is fetched on-demand and cached only on your local device. It is never uploaded to any server other than Google's own APIs (which are already authorized to access your data).

8. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your data:

Under GDPR (European Economic Area)

Right of access: You may request a copy of the usage data associated with your account.
Right to rectification: You may correct any inaccurate data.
Right to erasure ("Right to be forgotten"): You may request deletion of all data associated with your account.
Right to restrict processing: You may revoke OAuth consent at any time via your Google Account permissions page.
Right to data portability: You may request a machine-readable export of your usage data.
Right to object: You may object to the processing of your data for analytics purposes by disconnecting your account.

Under CCPA (California, USA)

Right to know: You may request disclosure of the categories and specific pieces of personal information we collect.
Right to delete: You may request deletion of personal information we have collected.
Right to opt out: We do not sell personal information. No opt-out is necessary.
Non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise any of these rights, please contact us at burhanmujahid750@gmail.com. We will respond within the timeframes required by applicable law.

9. Children's Privacy

The Extension is not directed at children under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will take steps to delete such information.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. When we make changes, we will update the "Effective Date" at the top of this policy. Material changes will be communicated through the Extension's settings page or via the Chrome Web Store listing.

We encourage you to review this Privacy Policy periodically. Your continued use of the Extension after the effective date of any changes constitutes your acceptance of the updated policy.

11. Google API Services User Data Policy

The Extension's use and transfer of information received from Google APIs to any other app adheres to Google's API Services User Data Policy, including the Limited Use requirements. Specifically:

The Extension only uses Google API data to provide its core functionality (inline context cards).
The Extension does not transfer Google API data to any third party.
The Extension does not use Google API data for advertising, machine learning, or any purpose other than displaying context cards.
Human review of Google API data is limited to debugging and only with your explicit consent.

12. Governing Law

This Privacy Policy shall be governed by and construed in accordance with the laws of the United Kingdom, without regard to its conflict of law provisions. However, if you are a resident of the European Economic Area or California, you retain all rights granted to you under applicable local data protection laws, and nothing in this policy shall limit those rights.

13. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or the Extension's data practices, please contact us at:

Email: burhanmujahid750@gmail.com

Support: patreon.com/c/burhanmujahid

We are committed to resolving any complaints promptly and transparently.