gulaq
Data Safety
A plain English summary of what data gulaq stores, where it is stored, and what is never collected or uploaded.
Effective: June 24, 2026
Short version: Your AI chats, workspaces, and vault files stay on your device. Supabase receives only account metadata, plan status, device info, and privacy-safe event codes — never the contents of your vault.
Data Stored on Your Device (Local)
| Data type | Where stored | Uploaded to cloud? |
|---|---|---|
| Saved AI conversations (messages, prompts, responses) | Local SQLite vault on your SSD | No |
| Chat exports (JSON, Markdown) | Your local filesystem | No |
| Browser workspace data (tabs, windows, groups, pinned states) | Local SQLite vault + chrome.storage.local cache | No |
| Tab URLs and window geometry for saved workspaces | Local SQLite vault | No |
| Local backup archives | Your local filesystem | No |
| Extension settings and preferences | chrome.storage.local / chrome.storage.sync | Only settings via chrome.storage.sync if enabled (Chrome-managed) |
Data Sent to Supabase (Cloud)
| Data type | Why | Contains private vault content? |
|---|---|---|
| Account email and Supabase user ID | Authentication and account identification | No |
| Google account ID (from OAuth) | Google login support | No |
| Auth session tokens | Maintaining signed-in state | No |
| Account / plan status (gulaq is currently free) | Feature access | No |
| Device registration (app/extension versions, OS) | Device management and version-aware features | No |
| Feature flag requests | Remote feature configuration | No |
| Privacy-safe event codes (e.g. save_chat_success) | Service reliability and feature usage tracking | No — event codes only, never chat text |
| Redacted error codes | Bug detection and reliability | No — error codes only, never private content |
Data We Do Not Collect
The following data is never collected or uploaded by gulaq:
| What is NOT collected | Details |
|---|---|
| AI chat text, prompts, and responses | All conversation content stays in your local vault |
| Full tab URLs or browser history | Tab URLs saved only locally; no URL history is sent to cloud |
| Tab titles or workspace names | Stored locally only |
| Browser cookies or session tokens for AI platforms | gulaq does not have the cookies permission and cannot access these |
| Passwords or form data | Not requested, not accessible by the extension |
| Local vault database file | SQLite file stays on your SSD; never uploaded |
| Exported JSON / Markdown chat files | Export files stay on your local filesystem |
| Screenshots | Not captured or sent anywhere |
| Google Gmail, Drive, or Calendar data | Google login requests only basic profile scopes |
| Data from websites outside the AI platform list | Content scripts only run on 6 explicitly listed AI platform domains |
Third Parties We Share Data With
gulaq shares only the account and operational data listed above with the service providers below. Your private vault content (AI chats, prompts, responses, workspaces, exports) is never shared with any of them.
| Third party | What is shared | Purpose |
|---|---|---|
| Supabase, Inc. | Account email, user ID, auth session tokens, device/version metadata, plan status, privacy-safe event/error codes | Authentication, accounts, device management, analytics |
| Google LLC (OAuth) | Google basic profile (name, email, account ID) at sign-in | “Sign in with Google” identity verification |
| Vercel Inc. | Standard web-request metadata (IP, user agent) when visiting the website | Hosting the public website and legal pages |
| Payment provider (future) | Billing/transaction data, only if paid tiers launch. Card details never touch gulaq | Processing payments for future paid features |
Optional desktop AI features (off by default) may send chat text you choose to your own AI provider using your own API key — see the Privacy Policy for details.
Is User Data Sold?
No. Project Golden Age does not sell user data to third parties. We do not share identifiable user data with advertisers or data brokers.
Advertising
gulaq does not use advertising networks within the Chrome extension. The extension does not run AdSense or any third-party ad SDK. If sponsored content is introduced in future versions, it will not use private vault content for targeting and will be clearly disclosed.
Security
- Supabase service role keys are never included in the client extension or desktop app.
- Row Level Security (RLS) ensures users can only access their own Supabase records.
- Local vault content is only accessible via native messaging to the local desktop app — it is not exposed to the internet.
- The extension Content Security Policy prevents external script injection.
Data Questions
Contact: backtothegoldenage@gmail.com
Full details: gulaq Privacy Policy · Delete Account & Data