Infinite Tabs Privacy Policy
Last updated: 2026-07-17
Infinite Tabs is a Chrome extension that replaces the new-tab page with an AI-organized workspace. This policy describes the data paths implemented by the current bring-your-own-key (BYOK) only release. There is no active hosted-AI service, subscription, checkout, or payment data path in this release.
Consent and default state
Before Infinite Tabs reads or stores the visible content of eligible pages, the first-run screen explains the local and optional cloud processing and requires the user to consent. AI cloud processing is off by default and remains off when the user chooses Set up later.
When the user completes a BYOK setup, the extension enables cloud processing only for HTTPS pages allowed by the selected privacy policy. Work-insight time tracking is a separate opt-in and is also off by default.
Both choices can be changed later in Settings. Disabling cloud processing stops new AI-provider requests. Disabling Work insights stops new foreground-time intervals. Neither action can retract information already processed by a third-party provider.
Data handled in the Chrome profile
Depending on the features the user enables, Infinite Tabs may store the following data in the Chrome profile where it is installed:
- normalized page URLs, hostnames, titles, favicons, extracted visible text, content fingerprints, access timestamps, visit counts, and local lifecycle state for allowed pages;
- topics, page-to-topic membership, AI-generated labels, summaries and tags, clustering confidence, user feedback, queue state, and bounded response caches;
- the chosen AI provider, model, optional base URL, budget settings, and an AES-GCM-encrypted representation of the API key, with the installation-local material needed to decrypt it;
- privacy preset, language, theme, wallpaper, onboarding, start-page, commercial-surface, and retention preferences;
- a persistent list of recent-page URLs and frequent-site hostnames the user explicitly removes from the start-page shortcuts;
- when Work insights is enabled, bounded daily estimates of foreground-visible time by page, topic, and coarse page type; and
- bounded, device-local product diagnostics such as onboarding, settings, AI-search, support, Hosted AI status-page, and sponsored-card interaction event types and timestamps.
Tab and window identifiers are used for browser coordination. They are not retained as durable Work-insight history. Incognito pages are excluded from the start-page shortcuts and Work insights.
The normal release build does not send this local workspace, configured credentials, settings, or diagnostics to an Infinite Tabs analytics server.
Recent tabs, frequent sites, and default web search
The new-tab page can show a small set of currently open recent tabs and Chrome's frequent-site list. These candidates are read from Chrome while the new-tab page is open and kept in that page's in-memory UI state. Website icons for frequent sites are rendered using Chrome's local favicon facility.
Removing a shortcut stores only the exact recent-page URL or the frequent-site hostname in local extension storage so it stays hidden and the next candidate can be shown. The user can undo the current removal in the UI. These persistent removal preferences survive Level 1 and Level 2 cleanup and are removed by a Level 3 full reset.
Start-page web search is separate from workspace and AI search. Search text is
passed through Chrome's search API to the user's configured default search
engine. If the input is an HTTP or HTTPS destination, the new-tab page navigates
directly to it. The destination search engine or website handles that request
under its own terms and privacy policy. Infinite Tabs does not send this search
text to its own server.
BYOK AI processing
The current provider choices are OpenAI, Anthropic, Gemini, and OpenAI-compatible endpoints configured through the OpenAI option. The included DeepSeek preset uses DeepSeek's OpenAI-compatible endpoint. A custom base URL means the API key and applicable requests are sent to that user-selected endpoint, so users should configure only a provider they trust.
The API key can be decrypted temporarily inside trusted extension contexts when the user opens or edits the saved connection, explicitly tests it, and when the extension authenticates a provider request. It is not sent to Infinite Tabs. Local encryption reduces accidental disclosure from plain storage but should not be treated as a hardware-backed password vault.
Every AI-provider request requires completed, current page-processing consent and enabled direct AI-provider access. Page-content requests are subject to the active privacy gate before cache lookup and again before network transmission:
- Connection test: only the explicit Test connection action sends the
selected model a very short
pingrequest. First-run setup performs no provider request; after setup, the saved connection can be tested in Settings only while direct AI-provider access remains enabled. Leaving or blurring the key field and saving an already-tested connection do not make a network request. - Page enrichment: sends the allowed page title, a bounded semantic excerpt of visible text, and an HTTPS URL representation containing only origin and pathname. Query strings and fragments are omitted.
- Topic clustering: sends bounded page labels, summaries, tags, and the relevant existing topic context needed to group pages.
- Ask AI: sends the user's AI-search question plus one compact structured context containing at most four relevant topics and up to three sources per topic. That context can include topic/page titles, summaries, tags and source hostnames. Ask AI does not send the full local workspace or Work-insight aggregates.
Model answers and AI-derived metadata return directly to the extension and are stored locally. Exact request caches are bounded and may retain derived text for up to 30 days for enrichment, 24 hours for automatic clustering, and 10 minutes for Ask AI; they are cleared when the privacy configuration changes and by Level 1 cleanup.
The provider receives and processes these requests under its own terms and privacy policy. The user is responsible for provider charges and account requirements associated with the user's key.
Privacy presets, isolation, and fail-closed behavior
The first-run and Settings โ Privacy screens provide these presets:
- Conservative blocks all built-in sensitive-site categories.
- Balanced blocks selected email, banking, and payment sites.
- Minimum filtering disables every built-in sensitive-site category block and therefore permits the broadest eligible HTTPS coverage.
The built-in list covers selected email, banking, payment, and health-portal hosts. It is not an exhaustive classification of sensitive websites, and this release does not expose a custom host-rule editor. Users should review the selected preset before enabling a provider, prefer Conservative for cautious use, and turn cloud AI off before browsing sensitive services not covered by the built-in list.
When a privacy change newly blocks a stored page, Infinite Tabs removes its
extracted body, enrichment, judgment, topic membership, relevant Work-insight
rows, and cached AI context. It can retain privacy-safe local metadata such as
the normalized URL, a URL-derived title, favicon, access/lifecycle state, and an
isolated marker so the action remains explainable and the page is not silently
processed again. AI topic metadata that may have been derived from blocked
content is quarantined from future cloud context until rebuilt from safe pages.
In-flight work from the prior policy revision is fenced from writing stale
results.
Work insights
Work-insight tracking begins only after a separate explicit opt-in. When enabled, it estimates time only while an allowed HTTPS page is the active tab in the focused Chrome window. Changing tabs, navigating, closing the tab, or Chrome losing focus ends that interval.
The extension stores daily aggregates, session counts, and first/last activity timestamps. It does not retain a permanent raw activity-event stream, keystrokes, pointer movement, scroll history, or tab/window identifiers in these aggregates. Coarse page types are derived locally from the page host and path. Charts and trend summaries are computed locally and are not included in AI-provider requests.
These values estimate foreground visibility, not attention, reading, productivity, or the presence of a person. Browser suspension, device sleep, checkpoint timing, and short tab switches can affect the estimate.
Local product diagnostics
The release build keeps bounded local event lists to explain setup and optional commercial-surface behavior. They can include event type, timestamp, selected provider class or privacy preset, settings source, UI placement, sponsored item identifier, and a coarse feedback reason. They do not contain page text, AI questions or answers, full browsing URLs, or API keys. The extension keeps at most 200 activation events and 100 commercial-surface events, lets the user view/export or clear these diagnostics in Settings, and does not upload them.
An explicit development-only build can additionally send redacted,
allow-listed diagnostics to a collector on the developer's own machine at
127.0.0.1:17392. The Chrome Web Store release does not include that local
collector permission. Repository-local developer logs are outside extension
storage and are governed by the local development environment.
Built-in sponsored, support, and Hosted AI status surfaces
When an active workspace can show a sponsored recommendation, the extension may
request a small JSON feed from
https://toolgrid.help/infinite-tabs/sponsored.json. The request naturally
exposes ordinary network metadata such as the user's IP address and user agent
to the website host, but does not contain page content, workspace state, AI
questions, API keys, or extension diagnostics. The response is treated as data,
not executable code; it is schema-bounded and checked against a fixed HTTPS
destination allowlist before a link is shown. The selected feed, per-item
dismissals, and interaction events remain local. The currently published feed
contains an empty picks array and therefore supplies no sponsored item.
Self-service Support, Hosted AI status, and the reviewed sponsored-recommendation slot are built into the default experience and do not have global visibility switches. Someone can mark an individual sponsored item as not relevant, which keeps that item out of the local rotation and lets the next candidate appear. Opening a sponsored link adds transparent campaign/placement identifiers to the destination URL. Opening a Support or Hosted AI status link can similarly add a placement reference and then leaves the extension. The destination site handles that visit under its own policies.
Hosted AI is unavailable. Its status page does not collect registrations, email addresses, product interest, or feedback, and it does not provide a hosted model, checkout, payment path, or entitlement. The public Support page provides self-service guidance and an optional public email channel; it does not provide a web form.
For product support, privacy questions, terms questions, or feedback, a user may voluntarily email infinite-tabs@outlook.com. The email service providers involved in delivery process the sender and recipient addresses, message headers, body, attachments, and delivery metadata needed to route, secure, and deliver the message. The developer receives only the information the user voluntarily chooses to send. The extension does not automatically attach or upload workspace data, diagnostics, browsing history, page content, AI questions or answers, or API keys. Users should not send an API key, private page content, full browsing URLs, a complete browsing history, an unreviewed diagnostic export, or other sensitive information. No response time, individual reply, or service level is guaranteed.
Retention and deletion
Settings โ Privacy โ Data cleanup provides three separately confirmed levels for the current Chrome profile:
- Level 1 โ Light cleanup permanently removes all regenerable AI caches, the cached sponsored feed, expired terminal jobs/decisions, inactive page bodies eligible for pruning, and Work-insight rows older than 90 days. It preserves the workspace, current Work insights, API-key material, settings, diagnostics, and start-page removal preferences.
- Level 2 โ Workspace reset permanently removes pages, topics, enrichments, memberships, jobs, decisions, AI caches, Work insights, and local interaction diagnostics. It preserves API-key and installation material, privacy, budget, crawl, language/appearance, onboarding, commercial-surface, and start-page removal preferences. Eligible pages still open in Chrome may be processed again under those preserved settings.
- Level 3 โ Full reset clears all extension IndexedDB records and Chrome local-storage values, including API-key material, diagnostics, removal lists, and user settings. Only a new privacy fence and privacy-safe defaults are recreated, and the extension returns to first-run setup.
Additional bounded lifecycle rules include:
- completed pipeline jobs are scheduled for removal after 7 days;
- page-linked failed or blocked jobs are removed after the last matching tab closes, and remaining terminal failures are scheduled for removal after 30 days;
- a closed, unpinned page leaves the main workspace after 7 days and remains in local History;
- a topic moves to the local Put away view after 30 days without a qualifying interaction unless it has protected work or is marked Always keep;
- extracted bodies for closed, unpinned pages are cleared after 30 days of inactivity; and
- Work-insight daily aggregates are removed after 90 days.
Automatic lifecycle transitions retain lightweight page/topic metadata so they remain recoverable. The archive/delete controls and Level 2 or Level 3 cleanup provide deliberate broader removal. Uninstalling the extension instructs Chrome to remove its profile-local extension storage.
Deletion cannot remove data already processed or retained by a BYOK provider, data in another Chrome profile/device, destination-site logs, or repository developer logs.
Chrome Web Store Limited Use and data sharing
Infinite Tabs uses Chrome user data only to provide or improve the extension's prominent user-facing workspace, search, privacy, reliability, and local diagnostic features. The use and transfer of information received from Google APIs adheres to the Chrome Web Store User Data Policy, including its Limited Use requirements.
Infinite Tabs does not sell user data. It does not use or transfer user data for personalized advertising, creditworthiness, lending, or purposes unrelated to the extension's single purpose. It does not transfer data to data brokers. The content transfers in the current release are the user-directed BYOK requests to the configured AI provider or endpoint, ordinary browser navigation and optional website/feed requests, and any support email a user voluntarily sends through the email service providers described above.
Security, children, and changes
The extension uses Manifest V3, packages its executable code with the extension, and does not download or execute remote code. No safeguard can make local storage, third-party providers, or network transport risk-free. Users should protect their Chrome profile and revoke a provider key if they believe it has been exposed.
Infinite Tabs is a general productivity tool and is not directed to children under 13. Material changes to implemented data paths will be reflected in this policy before release.
For current privacy and product-support information, use the public Infinite Tabs Support page. It provides self-service information and the optional email address above. Email does not carry a response-time, individual-reply, or service-level guarantee.

