Privacy Policy

Last updated: April 10, 2026

Boba ("we", "the extension") is a Chrome extension for aesthetic note-taking with optional Google sign-in, cloud sync, and AI-powered study features. This policy explains exactly what data Boba collects, how it is used, where it is stored, and who it is shared with. We do not sell your data, we do not run ad trackers, and we do not collect analytics about how you use the extension.

1. Data We Collect

1.1 Google account information (only if you sign in)

Boba uses Chrome's built-in chrome.identity API to let you sign in with your Google account. Sign-in is optional and only required if you want to sync your notes to the cloud. When you sign in, Boba receives:

Your Google account email address
Your display name and profile picture URL
A Google-issued OAuth access token used to authenticate with Firebase

Boba requests the userinfo.email and userinfo.profile scopes only. We do not request access to Gmail, Drive, Calendar, or any other Google service.

1.2 Note content you create

The text and formatted (HTML) content of notes you write
Note titles, labels, and course identifiers you assign
Creation and last-modified timestamps
A short edit-history buffer (last five snapshots) used for undo
Images you paste or drag into a note

1.3 AI feature inputs (only when you use them)

When you explicitly ask Boba's study assistant a question or generate a quiz from a section of notes, the relevant note text and your question are sent to Google's Gemini API through a Firebase Cloud Function that we operate. This transmission happens only in response to a direct action you take (clicking "Ask Boba" or "Generate Quiz"). No note content is sent to any AI service in the background.

1.4 Payment information (only if you purchase a paid plan)

If you purchase a paid plan, payment is processed by ExtensionPay, which in turn uses Stripe. Boba itself never sees or stores your payment card details. We receive only a subscription status flag from ExtensionPay indicating whether your account is active.

1.5 What we do NOT collect

We do not collect your browsing history
We do not collect the contents of web pages you visit
We do not collect analytics, telemetry, or usage metrics
We do not use cookies or third-party advertising trackers
We do not collect IP addresses for tracking purposes

2. How We Use Your Data

To provide the core note-taking features: storing and displaying the notes you create.
To sync notes across devices (only if you sign in): uploading and downloading your notes via Firebase Firestore so they appear on every browser where you sign in.
To power AI study features (only when you trigger them): forwarding the relevant note text to Google's Gemini API to generate an answer or quiz.
To gate paid features: checking your subscription status with ExtensionPay.

We do not use your notes, questions, or account information to train any machine learning model, and we do not use your data for advertising.

3. Where Your Data Is Stored

3.1 On your device

By default, all notes — including images — are stored locally on your computer in chrome.storage.local, the Chrome extension storage area. If you never sign in, your notes never leave your device.

3.2 In the cloud (only if you sign in)

If you sign in with Google, your notes are synced to Google Firebase Firestore under a document path keyed to your Google user ID (users/{uid}/notes). Firestore security rules restrict access so that only you, authenticated with your Google account, can read or write your notes. We strip embedded images from note HTML before uploading — images remain on your local device only.

3.3 AI request proxy

AI requests are routed through a Firebase Cloud Function that we operate. The function forwards your prompt to Google's Gemini API and returns the response. We do not log or persist prompts or responses on our servers.

4. Who We Share Data With

We share data only with the third-party service providers listed below, and only as strictly necessary to operate the features described above. We do not sell, rent, or trade your data with anyone.

Google (Firebase Authentication, Firestore, Cloud Functions): stores your synced notes and processes sign-in. Subject to the Google Privacy Policy.
Google (Gemini API): receives note text and your questions when you use AI features. Subject to the Google Privacy Policy.
ExtensionPay and Stripe: process payments and manage subscription status if you purchase a paid plan. Subject to the ExtensionPay Privacy Policy and the Stripe Privacy Policy.

5. Data Retention and Deletion

Local notes remain on your device until you delete them or uninstall the extension. Synced notes remain in Firestore until you delete them or request account deletion. You can delete individual notes at any time from within the extension, and you can sign out at any time to stop further syncing.

To request deletion of all cloud-stored data associated with your account, email us at the address below. We will delete your Firestore data within 30 days of receiving the request.

6. Children

Boba is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has provided data through Boba, please contact us and we will delete it.

7. Security

Data in transit is encrypted with HTTPS/TLS. Cloud data is protected by Firebase security rules that restrict access to the authenticated account owner. No system is perfectly secure, so we encourage you to use a strong Google account password and enable two-factor authentication.

8. Changes to This Policy

If we make material changes to this policy we will update the "Last updated" date above and, where practical, notify users through the extension itself before the changes take effect.

9. Contact

Questions, deletion requests, or privacy concerns can be sent to:
boba.extension@gmail.com