Privacy Policy for Card Tab

Last updated: April 20, 2026

Overview

Card Tab is a new tab extension for managing shortcuts, categories, workspaces, and optional cloud sync. We do not run analytics, advertising, or tracking services, and we do not send your data to our own servers.

Data Stored by the Extension

Shortcut data: shortcut names, URLs, categories, sort order, and icon settings that you create.
Workspace settings: theme, background, view mode, search preference, and related UI settings.
Optional cloud connection settings: Supabase and Cloudflare connection information you enter in settings.
Optional setup credentials saved locally: if you choose to save them, Cloudflare API Token, Supabase Service Role Key, and Supabase Personal Access Token used for initialization may be stored locally on your device.

Local Storage

By default, Card Tab stores data locally using Chrome storage APIs.

chrome.storage.local: local cache, workspace data, sync configuration, and optional saved setup credentials.
chrome.storage.sync: synchronized configuration data where applicable.

Optional Cloud Sync

Cloud sync is optional. If you enable it, your data is stored in infrastructure that you control.

Supabase: data is stored in your own Supabase project.
Cloudflare: data is stored in your own Cloudflare Worker / D1 / R2 resources.
We do not own, receive, or store your synced shortcut data on our servers.

Website Data Access

Card Tab does not inject scripts into all pages by default. A temporary script is injected only when you explicitly use the right-click “Add to Card Tab” action on a page or link.

When that happens, the extension may access only the minimum data needed to create the shortcut:

current page URL or clicked link URL
current page title or link label
page favicon URL if available

The extension does not read passwords, form inputs, page content, or browsing history for tracking.

Search

Local search: searching your saved shortcuts and categories happens locally inside the extension.
Default browser search: when you use the default search option, the extension uses Chrome's Search API and respects your browser's default search engine.
Other search engines: if you choose Google, Bing, 百度, or DuckDuckGo, your query is opened through that search engine's public URL.

Favicon Requests

To display shortcut icons, Card Tab may request favicon images from:

Card Tab may first use Chrome's built-in Favicon API to display icons for saved shortcuts and search results. If that is unavailable, it may fall back to the website itself or the public favicon services listed below.

the website itself, such as /favicon.ico
Google favicon service
DuckDuckGo favicon service
Favicon Kit

These requests include only the website domain or page URL needed to retrieve the icon.

Permissions

storage: save your shortcuts, workspaces, settings, and optional cloud configuration.
activeTab: access the current tab after your explicit action, used for right-click quick add.
contextMenus: provide the “Add to Card Tab” right-click menu.
search: use Chrome's Search API for the default search option.
scripting: inject the quick-add script into the current page only when you trigger the right-click add action.
favicon: use Chrome's built-in Favicon API to display website icons for saved shortcuts and search results.

Host Permissions

The extension also requests access to these remote APIs only for optional cloud sync features:

https://api.cloudflare.com/*
https://api.supabase.com/*
https://*.supabase.co/*

What We Do Not Collect

analytics data
advertising identifiers
tracking cookies
personal information such as name or email
your full browsing history
page content unrelated to your explicit quick-add action

Your Control

You can export, import, or clear your data at any time.
You can disable cloud sync at any time.
You can remove locally saved cloud setup credentials from the settings page.
Uninstalling the extension removes local extension data from Chrome storage.

Contact

If you have any questions, contact: edaorenchan@gmail.com