Privacy

Privacy Policy

Effective May 26, 2026 Version 1.1

Depth is a Chrome extension that summarizes the page you're reading. To do that, it has to send the page text to a language model. This policy explains exactly what data Depth collects, where it goes, how long it's kept, and what you can do about it. Nothing in this policy is buried; if a section feels like it's missing, it probably isn't relevant.

The short version

Depth stores your settings, cached results, and saved deck items on your own device. When you ask for a level, the active page's text is sent to a language model — either Depth Hosted (our managed backend, the default) or a third-party provider you've configured with your own API key. Depth Hosted needs an account identifier and (if you pay) a Stripe customer ID; that's the extent of the personal data we hold. We do not sell, rent, or share your data with advertisers, data brokers, or analytics vendors.

01Who we are

"Depth," "we," and "us" refer to the developers of the Depth Chrome extension and the marketing site at depth.productivities.fyi. The extension source is published under the MIT License at github.com/zachzwy/depth. For privacy questions, contact support@productivities.fyi.

02What Depth collects, and where it goes

The table below is the complete list of data the extension handles. Each row names the data, where it is stored, why we have it, and (for anything that leaves your device) which parties see it.

Data Stored where Purpose Shared with
Page text and titlein-use RAM on your device while a level is rendering; the prompt+result pair is cached in chrome.storage.local for 7 days Sent to the model provider so it can return a summary, quiz, or Socratic reply for that page The model provider you selected — Depth Hosted (default) or the third-party provider whose API key you configured
Settings (provider, model, language, API keys) chrome.storage.local on your device Remember your configuration between sessions Nobody. API keys are used only to authenticate your direct requests to the provider you chose; they never reach our servers
Cached results and per-page session state chrome.storage.local on your device (cache 7 days, session state 24 hours) Avoid regenerating the same level and remember which tab you were on if you close and reopen the panel Nobody
Saved deck items (cards you explicitly save) chrome.storage.local on your device Power the in-extension flashcard deck Nobody, unless you publish one to the community share feature (see §4)
Account identifierDepth Hosted Our backend (Supabase, hosted in the United States) and your local extension storage Route generation requests, enforce the daily free-tier quota, and let you sign in across devices Supabase, our backend hosting provider. If you sign in with Google, Google sees the standard OAuth flow (email, name, profile picture)
Email addressif you sign in Our backend (Supabase) Convert an anonymous account to a permanent one so the account survives a reinstall Supabase; Google identity provider during the sign-in flow
Stripe customer and subscription IDsif you pay Our backend; Stripe Process subscription payments and let you manage billing Stripe. Card numbers are entered into Stripe's hosted checkout — we never see or store them
Generation request metadataDepth Hosted Our backend (transient request logs, retained up to 30 days for abuse prevention and debugging) Apply rate limits, debug failures, and detect abuse of the free tier Nobody outside our backend hosting providers (Supabase, Cloudflare)
Published community summariesopt-in Our backend; visible at depth.productivities.fyi/community and /s/<slug> Let other users discover summaries of the same URL The public internet. See §4 for what's published and how to delete

03Browser permissions

Chrome shows you the permissions Depth requests at install time. Here's what each one is actually used for:

04The community share feature

Community share is opt-in. Nothing is published unless you press "Share" on a level. When you do, we send to our backend:

Published shares are world-readable. To remove one, open it from your account, hit "Unshare," or email support@productivities.fyi with the slug. We also accept takedown requests for shares published by others — see the DMCA page.

05Bring-your-own-key mode

In BYOK mode, the extension talks directly to the third-party provider whose key you entered. Depth Hosted is not involved — we don't see the request, the response, or the page text. Each provider has its own privacy policy and data-retention practices; we recommend reading the one for the provider you actually use:

Before any first-time use of a provider, model, or language, Depth shows a consent screen naming the third party your page text is about to be sent to. Changing provider, model, or language re-triggers that consent screen.

06What we do not collect

07Children

Depth is not directed to children under 13, and we do not knowingly collect data from them. If you believe a child has created a Depth Hosted account, email support@productivities.fyi and we'll delete it.

08Security

Local data lives in chrome.storage.local and is protected by Chrome's own profile isolation. Account data on the Depth Hosted backend is stored in Supabase (encrypted at rest, accessed over TLS) with row-level security enforcing per-user isolation. Payment data is handled exclusively by Stripe under their PCI-DSS Level 1 program. No system is perfectly secure; if you discover a vulnerability, please email support@productivities.fyi before disclosing it.

09Your rights

Whether or not your jurisdiction grants them by law, you can:

Residents of the EEA, UK, California, and other regions with comprehensive privacy statutes have additional rights under those laws (including the right to lodge a complaint with a supervisory authority). We honor all of them on request.

10International transfers

Our backend infrastructure (Supabase, Cloudflare, Stripe) is hosted in the United States. If you use Depth from outside the U.S., personal data described above is transferred to and processed in the United States under standard contractual clauses with each sub-processor.

11Retention

12Changes to this policy

We will update this policy when the data flows change. Material changes — anything that expands what we collect, who sees it, or how long we keep it — are announced in-extension and on the marketing site at least 14 days before they take effect. The "Effective" date at the top of this page always reflects the current version; prior versions are kept in the public Git history of the marketing-site repository.

13Contact

Questions, complaints, requests: support@productivities.fyi. We do our best to respond within five business days.