Vynl Browser Extension — Privacy Policy
Effective Date: April 5, 2026
Applies to: Vynl Chrome Extension · Vynl Firefox Add-on
Entity: VYNL by The Studio Meraki
Contact: team@vynl.in
1. Single Purpose
The Vynl browser extension does one thing: it captures an HTML snapshot of the web page currently open in your active tab and uploads that snapshot to your Vynl project. Nothing else is collected, monitored, or transmitted.
The extension never runs in the background, never monitors your browsing activity, and never accesses any tab other than the one you are actively viewing at the moment you click Capture.
2. Permissions Requested and Why
The table below lists every permission the extension requests. No permission is requested beyond what is strictly required for the single capture workflow.
| Permission | Why it is required | Scope |
|---|---|---|
| activeTab | Grants temporary access to the tab you are currently viewing, only while the extension popup is open. Used to read the page URL, title, and rendered HTML. | Active tab only · User-initiated |
| scripting | Required to inject the capture function into the active tab to serialize the live DOM (including shadow DOM) and assign vynl-id attributes before upload. | Active tab only · User-initiated |
| storage | Stores your selected default project and a short-lived authentication token locally on your device so you do not have to re-select them on every capture. | Local device only |
| host_permissions (app.vynl.in) | Required to read the Clerk session token from the Vynl web app tab (if open) so the extension can authenticate API calls on your behalf. No data is read from any other origin. | vynl.in domain only |
3. Data Collected
The extension collects only what is needed to perform the capture you explicitly trigger. The following data is transmitted to Vynl servers:
- Page HTML — the fully rendered HTML of the active tab at the moment you click Capture. This is the snapshot that is saved to your project.
- Page title — used as the default file name. You may override this before submitting.
- Page URL — recorded in the file metadata so collaborators know the origin of the snapshot. If the URL is a local address (localhost, 127.0.0.1, file://, or a private IP range), a synthetic URL derived from the title is stored instead; the real local URL is never sent.
- Your Vynl user identity — a short-lived JWT issued by Clerk, read from your active Vynl session. Used only to authenticate the upload API call. No password or credential is ever read or stored.
The following data is stored locally on your device only (via chrome.storage.local):
- Your last selected Vynl project ID (so it pre-fills on the next capture).
- A cached authentication token (expires automatically; refreshed from your Vynl session when needed).
4. Data We Do Not Collect
- Browsing history or any URLs you visit.
- Content of any tab other than the one you explicitly capture.
- Keystrokes, form inputs, or passwords.
- Persistent cookies, fingerprinting data, or device identifiers beyond what Clerk's standard session mechanism uses.
- Any data while the popup is closed. The extension is entirely dormant between captures.
5. How Data Is Used
- The captured HTML is stored in your Vynl project in Supabase Storage so you and your collaborators can view and annotate it inside the Vynl app.
- The page title and URL are stored as file metadata in the Vynl database (PostgreSQL via Prisma/Supabase).
- The JWT is used for a single authenticated API call and is never logged, shared, or stored on Vynl servers.
- Locally cached data (project ID, token) is used solely to make subsequent captures faster and is never transmitted to any third party.
6. Data Sharing
Captured HTML and metadata are stored on infrastructure operated by the following sub-processors, each bound by a Data Processing Agreement:
- Supabase — file storage and relational database.
- Clerk — authentication; issues the JWT the extension reads.
- Vercel — hosts the Vynl API that receives the upload request.
No captured page content is ever sold, rented, shared with advertisers, or used to train machine-learning models.
7. Data Retention
- Captured snapshots are retained as long as the corresponding Vynl project exists or until you delete the file from within the Vynl app.
- Locally stored data (chrome.storage.local) is cleared when you sign out of the extension or uninstall it.
- Authentication tokens expire automatically and are never persisted beyond a single browser session on the Vynl server side.
8. Security
- All data transmitted from the extension to Vynl servers travels over HTTPS/TLS.
- The extension does not execute any remotely hosted code. All logic ships with the extension package itself.
- The extension's host permission is scoped strictly to app.vynl.in. It cannot read data from any other domain.
9. Your Rights
Because the extension uploads data to your Vynl account, your rights under GDPR, CCPA, and applicable data protection laws apply to that data. You may:
- Delete individual captured files at any time from within the Vynl app.
- Request full account deletion and erasure of all associated data by emailing team@vynl.in.
- Clear locally cached data at any time via your browser's extension management page (Clear data / Remove extension).
10. Changes to This Policy
We may update this policy when the extension's functionality changes. The effective date at the top of this page will reflect the latest revision. Continued use of the extension after an update constitutes acceptance of the revised policy.
11. Contact
For any privacy questions related to the extension, contact us at team@vynl.in.