gulaq

gulaq Privacy Policy

gulaq is a local-first Chrome extension and desktop app. This policy explains exactly what data stays on your device and what is sent to our cloud services.

Effective: June 24, 2026

Summary: gulaq uses Supabase for authentication, account management, device registration, feature flags, and privacy-safe analytics/error metadata. gulaq does not upload saved AI chat contents, prompts, responses, tab titles, full URLs, browser history, cookies, passwords, auth tokens, local vault files, or exported chat/workspace files to Supabase by default.

1. What is gulaq?

gulaq is a Chrome browser extension (Manifest V3) and Tauri desktop application. Together they form a local-first vault for saving browser workspaces (tabs, windows, tab groups) and AI conversations from platforms including ChatGPT, Claude, Gemini, Perplexity, and Microsoft Copilot.

gulaq is designed so that your private data — saved chats, workspace files, exported documents — lives on your own machine by default. Cloud services are used only for the account and operational reliability features described in this policy.

2. Data Stored Locally on Your Device

The following data is stored on your local device and is not uploaded to Supabase or any remote server by default:

Saved AI conversations (chat messages, prompts, and responses captured from AI platforms)
Chat exports in JSON and Markdown format
Browser workspace data (saved tabs, windows, tab groups, pinned states, window geometry)
Tab and window metadata used to restore saved sessions
The local SQLite vault database file on your SSD
Local backup archives created by the desktop app
Extension local cache (stored in chrome.storage.local)
Workspace bundle export files

This local data is stored on your device and remains under your control. You can view, export, or delete it at any time using the desktop app or by removing the local vault folder manually.

3. Data Sent to Supabase (Cloud)

gulaq uses Supabase as its backend service for the following purposes only:

Category	What is collected	Why
Authentication	Email address, Google account ID, Supabase user ID, auth session metadata	Required to sign in and identify your account
Account / Plan	Plan status (gulaq is currently free; Pro features may be introduced later)	To check whether a feature is available to your account
Device Registration	App version, extension version, OS platform, desktop app version, device count	To manage multi-device access and enforce device limits
Feature Flags	Feature flag request/response (flag name and on/off value only)	To roll out or disable features remotely without a software update
Analytics & Error Metadata	Privacy-safe event codes and redacted error codes. Examples: `save_chat_success`, `native_host_connected`, `license_check_failed`. May include: platform name, app version, size bucket (e.g. “large”, not raw size), error code.	To understand service reliability, feature usage, and catch critical errors

4. How We Share Your Data (Third Parties)

gulaq shares the limited account and operational data described in Section 3 with the third-party service providers listed below, solely to operate the service. We never share your private vault content — your saved AI conversations, prompts, responses, tab URLs, workspace files, or exported documents — with any of them.

Third party	What is shared with them	Purpose
Supabase, Inc. (backend & database host)	Account email, Google account ID, Supabase user ID, auth session tokens, device registration metadata, plan status, feature-flag requests, and privacy-safe event/error codes	Authentication, account management, device registration, feature flags, and reliability analytics
Google LLC (Google OAuth, via Supabase Auth)	Your Google basic profile (name, email, Google account ID) at the moment you choose “Sign in with Google”	To verify your identity for sign-in. gulaq requests only basic OpenID Connect scopes — no Gmail, Drive, or Calendar access
Vercel Inc. (website hosting / CDN)	Standard web-request metadata (IP address, user agent) when you visit the gulaq website or these legal pages	Serving the public website and policy pages. The Chrome extension itself does not route your data through Vercel
Payment provider (future — only if paid tiers launch)	Billing and transaction data handled by the provider. Payment card details and payment secrets never touch the gulaq extension or desktop app	Processing payments for any future paid features

Optional desktop AI features (your own AI provider)

The gulaq Desktop app includes optional AI features that are turned off by default and are not part of the Chrome extension. If you choose to enable them, you supply your own third-party AI provider API key (for example, Google Gemini), and only the specific chat text you choose to process is sent directly from your device to that provider under your own account and their privacy policy. gulaq never sends this content to its own servers, and this never happens unless you explicitly enable and configure the feature.

We do not sell your personal data. We do not share your data with advertising networks or data brokers, and we do not use your data for advertising. Your private vault content (AI chats, prompts, responses, workspaces, and exports) stays on your device and is never shared with Supabase, Google, or any other third party.

5. What gulaq Does NOT Upload by Default

The following data is never uploaded to Supabase or any remote server by default:

The text of your saved AI conversations (prompts, responses, chat messages)
Full tab URLs or browser history
Tab titles or workspace names
Browser cookies, passwords, or authentication tokens for third-party websites
Your local SQLite vault database file
Exported JSON or Markdown chat files
Workspace files or bundle exports
Screenshots
Any raw content you have saved or typed

Analytics events that mention AI platforms (e.g. save_chat_success) contain only metadata such as the platform name and a size bucket. Raw chat text, prompts, and responses are never included in analytics events.

6. Authentication

gulaq uses Supabase Auth, which supports Google OAuth sign-in. When you sign in:

Google returns a basic profile (name, email, Google account ID) to Supabase.
gulaq does not request access to your Gmail, Google Drive, Google Calendar, or other Google services.
gulaq only requests the basic OpenID Connect scopes needed to identify your account.
Your Supabase session is stored locally on your device and is used to authenticate future requests.

Sign-in is currently required to use the app. gulaq is currently free; Pro features may be introduced later.

7. Analytics in Detail

gulaq sends privacy-safe analytics events to Supabase to help us understand whether the product is working correctly. These events are designed to contain no private vault content.

Example safe events

save_workspace_success — a workspace was saved successfully
save_chat_failed — a chat capture attempt failed
native_host_connected — the extension connected to the desktop vault
license_check_ok — license verification succeeded
export_markdown_complete — a Markdown export was completed

Event metadata may include

Platform name (e.g. “chatgpt”, “claude”) — not the URL or content
Size bucket (e.g. “small”, “medium”, “large”) — not the raw byte count or content
App and extension version numbers
Error codes (e.g. “DOM_NOT_FOUND”) — not error messages containing private text
OS platform (e.g. “win32”, “darwin”)

Analytics are used to track service reliability and understand which features are working. They do not include private chat content, prompts, responses, URLs, or workspace files.

8. Device Registration

When you install and sign in to gulaq on a device, a device registration record is created in Supabase. This record includes:

A device identifier (hashed or pseudonymous, not raw machine secrets)
The extension version, desktop app version, and native host version
OS platform
Registration timestamp

Device registration is used to enforce device limits and provide version-aware feature flags. It does not include hardware serial numbers, MAC addresses, or raw system identifiers.

9. Native Messaging and Local Communication

gulaq uses Chrome’s native messaging API to communicate between the browser extension and the local desktop vault application. This is a local, on-device connection — it is not a network connection and data exchanged via native messaging does not leave your device.

Native messaging is used to save large data (such as AI chats and workspace files) to the local SQLite vault on your SSD. It is not used to upload data to any remote server.

10. Content Scripts and Host Permissions

gulaq’s content scripts are injected only into the following AI platform domains, for the sole purpose of capturing conversation content at the user’s request:

chatgpt.com and chat.openai.com (ChatGPT)
claude.ai (Anthropic Claude)
gemini.google.com (Google Gemini)
perplexity.ai (Perplexity)
copilot.microsoft.com (Microsoft Copilot)

Content scripts read the visible DOM of those pages to extract conversation text. They do not access browser cookies, passwords, or authentication tokens for those platforms. Captured content is saved to your local vault and is not uploaded to our servers.

The Supabase host permission (kjbwoyawzfnxlxzgvpvm.supabase.co) is used for authentication and the cloud metadata described above. No private vault content is sent via this connection.

11. Payments

gulaq is currently free and requires no payment. Paid tiers (such as a Pro version) may be introduced in the future. If that happens, payment processing will be handled by a third-party payment provider, and payment card details and payment secrets will never be stored in the gulaq client application or extension.

12. Data Retention

Local data remains on your device until you delete it manually, via the desktop app, or by uninstalling the application and removing the vault folder.
Cloud account data (auth profile, device records, plan status, analytics) is retained while your account exists and for a reasonable period afterward as required for legal or operational reasons.
You may request deletion of your cloud account data at any time. See Section 13 and the Delete Account page.

13. Your Controls and Rights

Action	How to do it
Sign out	Use the Sign Out button in the gulaq side panel or desktop app
Delete cloud account / metadata	See the Delete Account page or email us
Delete local vault	Delete via desktop app settings, or manually remove the vault folder from your SSD
Export your data	Use the export features in the gulaq desktop app (JSON, Markdown)
Revoke Google access	Visit Google Account → Security → Third-party apps and remove gulaq
Uninstall extension	Chrome menu → Extensions → Remove gulaq
Uninstall desktop app	Uninstall the gulaq desktop app via your OS, then manually delete the vault folder if desired

14. Security

Supabase service role keys are never included in the Chrome extension or desktop app client code.
The extension uses Row Level Security (RLS) on the Supabase database — users can only read or write their own records.
Local vault content remains on your device and is only accessible to the gulaq desktop app via native messaging.
The extension Content Security Policy restricts script execution to trusted sources only.
If you discover a security vulnerability, please report it to backtothegoldenage@gmail.com.

15. Children’s Privacy

gulaq is not directed at or designed for children under 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us and we will promptly delete it.

16. Changes to This Policy

We may update this policy as gulaq evolves. Material changes will be reflected by an updated effective date. We encourage you to review this policy periodically.

These documents are provided for transparency and Chrome Web Store review purposes and may be updated as Project Golden Age and gulaq evolve.

Privacy Contact

Privacy questions, data requests, or security reports:

backtothegoldenage@gmail.com

Related pages: Data Safety · Delete Account · Permissions