gulaq
Chrome Web Store Disclosures
Compliance information for Chrome Web Store review. This page provides a transparent summary of gulaq's purpose, data handling, permissions, and technical architecture.
Effective: June 24, 2026
Privacy Policy URL for Chrome Web Store: https://projectgoldenage.vercel.app/gulaq/privacy
Contact: backtothegoldenage@gmail.com
1. Single Purpose
gulaq has a single, clearly defined purpose: to save and restore browser workspaces and AI conversations through a local-first desktop vault.
All features serve this purpose:
- Saving and restoring Chrome tabs, windows, and tab groups (workspace vault)
- Capturing and storing AI conversations from supported platforms (AI chat vault)
- Organizing, searching, and exporting saved workspaces and chats locally
- Connecting to the local desktop vault via native messaging for persistent SSD storage
2. Data Handling Summary
| Data category | Where stored | Sent to remote server? |
|---|---|---|
| Saved AI conversations (chat text, prompts, responses) | Local SQLite vault on user’s SSD | No |
| Browser workspace data (tabs, windows, groups, URLs) | Local SQLite vault + chrome.storage.local | No |
| Exported chat/workspace files | User’s local filesystem | No |
| Account email and Supabase user ID | Supabase (authentication) | Yes — required for sign-in |
| Account / plan status (gulaq is currently free) | Supabase | Yes — required for feature access |
| Device registration (app versions, OS) | Supabase | Yes — required for device management |
| Privacy-safe event codes and error codes | Supabase | Yes — used for reliability monitoring only |
Supabase data statement: gulaq uses Supabase for authentication, account management, device registration, feature flags, and privacy-safe analytics/error metadata. gulaq does not upload saved AI chat contents, prompts, responses, tab titles, full URLs, browser history, cookies, passwords, auth tokens, local vault files, or exported chat/workspace files to Supabase by default.
Third parties we share data with
gulaq shares only the account and operational data above with these service providers; private vault content is never shared with any of them:
- Supabase, Inc. — authentication, account management, device registration, feature flags, privacy-safe analytics.
- Google LLC — Google OAuth sign-in (basic profile only).
- Vercel Inc. — hosting for the public website and these legal pages.
- Future payment provider — only if paid tiers launch; payment card details never touch gulaq.
gulaq does not sell user data and does not share data with advertising networks or data brokers.
3. Permissions Summary
| Permission | Justification |
|---|---|
| sidePanel | Renders the gulaq UI as a Chrome side panel |
| tabs | Reads tab URL, title, pinned/active state for workspace save and restore |
| tabGroups | Reads and restores Chrome tab groups (title, color, collapse state) |
| windows | Saves and restores browser window geometry and state |
| storage | Stores extension settings, preferences, and local sync queue |
| alarms | Schedules background tasks (sync retries, feature flag refresh) |
| clipboardWrite | Copies workspace URLs or transfer prompts when user clicks Copy |
| nativeMessaging | Local on-device connection to the gulaq Desktop Vault for SSD/SQLite storage |
| scripting | Executes capture logic on supported AI platform pages (scoped to host permissions) |
| identity | Google OAuth sign-in via Supabase Auth (basic profile only — email, name, account ID) |
gulaq does not request: cookies, history, bookmarks, webRequest, or broad host permissions such as <all_urls>.
4. Host Permissions
Host permissions are scoped to six AI platform domains (for content script capture) and one Supabase domain (for authentication and cloud metadata):
- https://chatgpt.com/* — ChatGPT conversation capture
- https://chat.openai.com/* — OpenAI Chat conversation capture
- https://claude.ai/* — Claude conversation capture
- https://gemini.google.com/* — Gemini conversation capture
- https://www.perplexity.ai/* — Perplexity conversation capture
- https://copilot.microsoft.com/* — Copilot conversation capture
- https://kjbwoyawzfnxlxzgvpvm.supabase.co/* — Supabase auth and cloud metadata API
Content scripts are injected only into the six AI platform domains. They are not injected into any other website. The Supabase domain is accessed only via fetch (not content scripts) for authentication and account/analytics API calls.
5. Native Messaging
gulaq uses Chrome’s native messaging API to communicate with the locally installed gulaq Desktop Vault application. This connection is:
- Local only — native messaging is an on-device IPC (inter-process communication) mechanism. It does not involve any network request.
- Not a remote server — the Desktop Vault is a user-installed Tauri application running on the user’s own machine.
- Used for storage — the primary use of native messaging is to write workspace and chat data to the local SQLite database on the user’s SSD.
- No outbound network calls — the native host does not make outbound network calls to any server using this channel.
Native messaging is necessary because chrome.storage.local has a 10 MB limit, which is insufficient for a real-world vault of AI conversations and browser workspaces.
6. Remote Code
- gulaq does not load or execute remote code (no eval() of remote scripts).
- All extension JavaScript is bundled and included in the extension package at install time.
- No third-party scripts are injected into web pages.
- The Content Security Policy for extension pages restricts script sources to self only.
- Supabase API calls are fetch/XHR requests to the Supabase backend — not script loading.
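A release-time check that a built manifest.json stays within the permissions, host permissions and script-source policy disclosed in sections 3, 4 and 6. This is an added example, not gulaq's own code; the two sample manifests, the capture.js file name and cdn.example are constructed for illustration.

```javascript
// Allow-lists transcribed from sections 3, 4 and 6 of the disclosure above.
const DISCLOSED_PERMISSIONS = new Set([
  "sidePanel", "tabs", "tabGroups", "windows", "storage", "alarms",
  "clipboardWrite", "nativeMessaging", "scripting", "identity",
]);
const CAPTURE_HOSTS = new Set([
  "https://chatgpt.com/*", "https://chat.openai.com/*", "https://claude.ai/*",
  "https://gemini.google.com/*", "https://www.perplexity.ai/*",
  "https://copilot.microsoft.com/*",
]);
const API_HOSTS = new Set(["https://kjbwoyawzfnxlxzgvpvm.supabase.co/*"]);
// True when the effective script source list is exactly 'self' (first directive occurrence wins).
function scriptSrcSelfOnly(csp) {
  const directives = new Map();
  for (const part of csp.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), values);
  }
  const src = directives.get("script-src") ?? directives.get("default-src");
  return Array.isArray(src) && src.length === 1 && src[0].toLowerCase() === "'self'";
}
// Returns one finding per place where a manifest exceeds the disclosure.
function auditManifest(m) {
  const findings = [];
  for (const p of [...(m.permissions ?? []), ...(m.optional_permissions ?? [])])
    if (!DISCLOSED_PERMISSIONS.has(p)) findings.push(`undisclosed permission: ${p}`);
  for (const h of [...(m.host_permissions ?? []), ...(m.optional_host_permissions ?? [])])
    if (!CAPTURE_HOSTS.has(h) && !API_HOSTS.has(h)) findings.push(`undisclosed host: ${h}`);
  for (const match of (m.content_scripts ?? []).flatMap((cs) => cs.matches ?? []))
    if (!CAPTURE_HOSTS.has(match)) findings.push(`content script outside capture hosts: ${match}`);
  // An absent key is skipped: Chrome then applies its default policy.
  const csp = m.content_security_policy?.extension_pages;
  if (csp !== undefined && !scriptSrcSelfOnly(csp)) findings.push("extension_pages CSP allows non-self script sources");
  return findings;
}

// Constructed sample manifests (not gulaq's real manifest.json).
const compliant = {
  permissions: ["sidePanel", "tabs", "storage", "nativeMessaging", "scripting"],
  host_permissions: [...CAPTURE_HOSTS, ...API_HOSTS],
  content_scripts: [{ matches: ["https://claude.ai/*", "https://chatgpt.com/*"], js: ["capture.js"] }],
  content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" },
};
const drifted = {
  permissions: [...compliant.permissions, "cookies"],
  host_permissions: [...compliant.host_permissions, "<all_urls>"],
  content_scripts: [{ matches: [...API_HOSTS], js: ["capture.js"] }],
  content_security_policy: { extension_pages: "script-src 'self' https://cdn.example" },
};
```

Run in CI against the packaged manifest, a non-empty result from auditManifest means the build requests more than this page discloses.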
7. Analytics Disclosure
gulaq sends privacy-safe analytics events to Supabase. These events:
- Contain only event codes (e.g. save_chat_success) and non-identifying metadata (platform name, size bucket, app version, error code).
- Do not contain private vault content — no chat text, prompts, responses, URLs, tab titles, or workspace names.
- Are used to monitor service reliability and catch critical bugs.
- Are not used for advertising or shared with third-party advertising networks.
8. Secrets and Keys
- Supabase service role keys are never included in the Chrome extension package or the desktop app client code.
- The extension only uses the Supabase anon key, which is intended for client-side use and is protected by Row Level Security (RLS).
- Payment provider secret keys are never stored in the client extension or desktop app.
- No API keys for third-party services (OpenAI, Anthropic, Google) are included in the extension.
9. User Control and Deletion
Users can:
- Sign out at any time from the side panel or desktop app.
- Request deletion of their Supabase cloud account by emailing us.
- Delete their local vault using the desktop app or manually removing the vault folder.
- Revoke Google OAuth access from Google Account permissions.
- Uninstall the extension and desktop app at any time.
- Export all locally stored data before deletion.
Full instructions: Delete Account & Data
Chrome Web Store Review Contact
For review questions, permission explanations, or compliance concerns: