Last updated: January 31, 2026
Privacy Policy
Overview
Tabby ("the Extension") is a Chrome extension for intelligent tab management. This privacy policy explains what data we access, how we use it, and your rights regarding your data.
Summary: Tabby processes your tab data locally on your device. We do not operate servers, collect analytics, or transmit your browsing data externally (except optionally to AI providers you explicitly configure).
Data We Access
To provide tab management functionality, Tabby accesses:
| Data Type | Purpose | Stored? |
|---|---|---|
| Tab URLs | Organization, duplicate detection, grouping suggestions | Session snapshots only (local) |
| Tab Titles | Display, AI analysis for grouping | Session snapshots only (local) |
| Favicons | Visual display in UI | No |
| Tab Groups | Display and management | Session snapshots only (local) |
| Form State | Warn before closing tabs with unsaved data | No (checked transiently) |
| Page Metadata | Headings, descriptions, OG tags, and content summary for AI chat assistant | No (extracted transiently on request) |
| Bookmarks | Save/restore tab groups | Only Tabby-created folders |
Data We Store
All data is stored locally on your device using Chrome's storage APIs:
Chrome Sync Storage
- Your settings and preferences
- Saved group metadata (references to bookmark folders)
- Dismissed suggestion IDs
- Auto-suspend rules
Chrome Local Storage
- Usage metrics for heatmap visualization
- Analysis cache for performance
IndexedDB
- Session snapshots for recovery (configurable retention, default 3 days)
- Per-tab navigation history
- Chat conversations and token usage records
Data We Do NOT Collect
- Browsing history beyond session snapshots
- Full page content (only public metadata such as headings and descriptions is extracted transiently for the AI assistant)
- Form data, passwords, or personal information entered on websites
- Analytics or usage telemetry
- Device identifiers or fingerprinting data
We do not operate any servers. There is nowhere for your data to be sent.
Third-Party Services
AI Providers (Optional, User-Configured)
Tabby supports optional AI-powered features. If you choose to enable them:
| Provider | Data Sent | When |
|---|---|---|
| Gemini Nano | None (runs locally in Chrome) | Default AI provider |
| Gemini | Sanitized tab titles, URLs, group names | Only if you enter an API key |
| OpenAI | Sanitized tab titles, URLs, group names | Only if you enter an API key |
| Anthropic | Sanitized tab titles, URLs, group names | Only if you enter an API key |
| Grok | Sanitized tab titles, URLs, group names | Only if you enter an API key |
| OpenRouter | Sanitized tab titles, URLs, group names | Only if you enter an API key |
| Custom Endpoint (user-provided) | Sanitized tab titles, URLs, group names | Only if you configure an endpoint URL |
URL Sanitization: Before sending any data to cloud AI providers, Tabby sanitizes URLs by stripping 40+ tracking parameters (utm_*, fbclid, gclid, etc.) and replacing personal identifiers in URL paths with placeholders. This minimizes the personal information shared with third-party services.
Important:
- AI features are entirely optional
- You must explicitly provide API keys to use cloud AI
- The Custom Endpoint option sends data to a server URL you configure — Tabby does not control or operate that server
- Without API keys or a custom endpoint, Tabby uses Gemini Nano (local) or heuristic fallbacks only
- Each provider's own privacy policy applies to data sent to them
Chrome Bookmark Sync
If you save tab groups and have Chrome Sync enabled, saved groups sync via Google's infrastructure as part of normal bookmark synchronization. This is Chrome's native behavior, not something Tabby controls.
Data Security
- API Key Encryption: If you provide API keys for cloud AI providers (Gemini, OpenAI, Anthropic, Grok, OpenRouter) or a custom endpoint, they are encrypted using Web Crypto API with AES-GCM encryption and PBKDF2 key derivation before storage
- Local Storage: All session data uses IndexedDB with same-origin isolation
- No External Transmission: We do not send data to any servers (we don't have any)
- Content Script Isolation: Form state detection and page metadata extraction run in isolated content script context
Your Rights and Controls
Access Your Data
All Tabby data is viewable via Chrome DevTools:
chrome.storage.sync.get()— settings and preferenceschrome.storage.local.get()— usage data- IndexedDB "tabby-sessions" database — session snapshots
Delete Your Data
- Remove the extension: Clears all Tabby data automatically
- Settings: Clear session history from within the extension
- Manual: Use Chrome DevTools to delete specific storage
Control Features
All data-using features can be disabled in Settings:
- Disable AI suggestions
- Disable form state checking
- Adjust snapshot frequency
- Set retention period for session history
Permissions Explained
| Permission | Why We Need It |
|---|---|
tabs | Read tab URLs/titles to display, organize, and detect duplicates |
tabGroups | Create and manage Chrome Tab Groups |
storage | Save settings and session data locally |
bookmarks | Save/restore tab groups as bookmarks |
sidePanel | Display the management interface |
alarms | Schedule periodic snapshots and cleanup |
notifications | Alert when memory budget thresholds are exceeded |
<all_urls> (optional host permission) | Detect unsaved form data to prevent data loss |
Content Script
Tabby includes a content script that runs on all pages. This is separate from the optional <all_urls> host permission above.
What the content script does:
- Monitors navigation events (pushState, replaceState, popstate) to track per-tab browsing history for session recovery
- Sends throttled interaction signals (scroll, click, keypress) to compute tab usage heat scores
- Responds to on-demand requests from the extension to check form state or extract page metadata
What the content script does NOT do:
- Does not read or store passwords, form data, or personal information
- Does not access cookies, localStorage, or sessionStorage of websites
- Does not modify page content or inject any visible elements
- Does not send any data to external servers
Children's Privacy
Tabby does not knowingly collect personal information from children under 13. The extension does not collect personal information from anyone.
Changes to This Policy
We may update this policy to reflect changes in the extension. When we do:
- The "Last Updated" date will change
- Significant changes will be noted in the extension's changelog
- Continued use of the extension constitutes acceptance of the updated policy
Contact
For privacy questions or concerns:
- Discord: Join our Discord
- GitHub: Submit feedback
- Website: https://get-tabby.ca