Privacy Policy
Last updated: 2026-05-25
About this policy
Readback is a Chrome extension operated by Osel House LLC, an Alabama limited liability company doing business under the trade name Readback. This document explains, in plain English, what user data Readback collects, how we use and handle it, where it is stored, and who we share it with.
Single purpose. Readback captures readable text from web pages the user actively engages with, indexes them locally for semantic and keyword search, and lets the user ask AI questions across their own reading with cited answers.
Contact. For any privacy question or request, email support@getreadback.com.
1. Data we collect
Readback collects only the following categories of user data:
- Personally identifiable information — your email address, provided during sign-in via 6-digit code (Supabase email-OTP). No name, profile, or payment information is collected.
- Authentication information — a short-lived Supabase JWT issued after sign-in, stored locally on your device in Chrome extension storage and attached to backend requests so we can identify your account.
- Web history — collected only if you explicitly opt into the one-time history backfill from the first-run prompt or Settings. Used solely to import pages you have previously visited into your local index. The history permission is optional and is never requested otherwise.
- User activity — dwell time and scroll depth, measured per page on your device to determine engagement (the engagement gates: at least 25 seconds of dwell time, at least 25% scroll, and at least 1,500 characters of body text). This data is never transmitted off your device.
- Website content — readable text of web pages that pass the engagement gates, or that you manually save with Alt+Shift+M, the right-click menu, or the sidebar button. The text is extracted on your device. When you click Ask, the relevant text excerpts are transmitted along with your question to generate an answer; they are not stored on our servers. See also section 8 ("Sites we never capture").
Readback does not collect: health information, financial information, personal communications, location, advertising identifiers, browsing history outside of the optional backfill, cookies, or any third-party analytics.
2. How we use and handle data
Each category in section 1 is used for exactly one purpose:
- Email address — account identification and sign-in via email-OTP; enforcement of the monthly Ask limit per account.
- Authentication token (JWT) — authenticating backend requests from your extension instance.
- Web history (opt-in only) — one-time backfill of your previously-visited pages into the local index.
- User activity (dwell, scroll) — determining on your device whether a page qualifies for capture. Never leaves the device.
- Website content (page text) — indexed locally on your device for semantic and keyword search. Excerpts are sent to our backend (and forwarded to Anthropic's Claude API) only when you click Ask. They are not retained on our servers.
Readback does not use any data for advertising, profiling, behavioral tracking, or for any purpose unrelated to the single purpose stated above.
3. Data storage
Where each category lives, and for how long:
- On your device (Chrome extension storage) — captured page text, vector embeddings, search queries, user activity, settings, the user-added denylist, and the locally cached JWT. This storage is sandboxed by Chrome and is only accessible to Readback. Retained for as long as you keep the extension installed; uninstalling Readback removes it. You can also delete individual pages or wipe the entire local index from settings at any time.
- Supabase Inc. (US) — your email address, a unique user ID, and sign-in timestamps. Retained for as long as your account exists. For Pro subscribers who have enabled Cloud Sync: also stores captured page text, title, URL, and timestamps; retained until you delete it or close your account (see section 12).
- Upstash Inc. (US) — a per-account monthly Ask counter (a number keyed by your user ID; no question content, no excerpts). Resets at the start of each calendar month.
- Anthropic, PBC (US) — your question and the page excerpts sent with each Ask request. Anthropic's retention is governed by their privacy policy linked in section 4.
- Vercel Inc. (US) — our backend runs on Vercel's infrastructure, so Ask requests and sign-in requests pass through Vercel servers in transit. We do not maintain a server-side database of user content on Vercel.
We do not store the content of Ask requests on our own servers. Each request exists on our backend only for the few seconds it takes to forward it to Anthropic and return the response.
4. Data sharing
Readback shares user data with the following four service providers, each strictly for the purpose described:
- Supabase Inc. — Hosts our email-OTP authentication and (for Pro subscribers with Cloud Sync enabled) synced page content. Receives: your email address, user ID, sign-in timestamps, and — if Cloud Sync is on — captured page text, title, URL, and timestamps. Privacy policy: supabase.com/privacy.
- Upstash Inc. — Hosts the per-account monthly Ask counter. Receives: a number keyed by your user ID. Privacy policy: upstash.com/trust/privacy.pdf.
- Anthropic, PBC — Generates AI answers for the Ask feature. Receives: your question and the relevant page excerpts. Privacy policy: anthropic.com/legal/privacy.
- Vercel Inc. — Hosts our backend. Receives: the data described above, in transit. Privacy policy: vercel.com/legal/privacy-policy.
We make the following certifications:
- We do not sell user data.
- We do not use or transfer user data for purposes unrelated to the extension's single purpose.
- We do not use or transfer user data to determine creditworthiness or for lending purposes.
We do not share user data with advertisers, data brokers, analytics vendors, or any third party other than the four service providers listed above.
5. Limited Use compliance
The use of information received from Google APIs will adhere to the Chrome Web Store User Data Policy, including the Limited Use requirements.
In practice, this means:
We use user data only for:
- Providing or improving Readback's single purpose described above.
- Complying with applicable laws.
- Protecting against malware, spam, phishing, fraud, or abuse.
- A future merger, acquisition, or asset sale — and only with your explicit prior consent.
We transfer user data to third parties only when:
- Necessary to provide or improve the single purpose (the four service providers listed in section 4 above).
- Required to comply with applicable laws.
- Needed to protect against malware, spam, phishing, fraud, or abuse.
- Part of a business transition, and only with your explicit prior consent.
We do not, under any circumstances:
- Transfer, use, or sell user data for personalized advertising.
- Sell user data to advertising platforms, data brokers, or resellers.
- Use user data to determine creditworthiness or for lending purposes.
- Use user data for any purpose beyond the single purpose disclosed above.
No human at Osel House LLC accesses your captured pages, your Ask questions, or any other user content, except (a) with your explicit consent, (b) when strictly necessary to investigate a specific security incident or abuse report, or (c) when required by law.
6. Data security
- All data sent to our servers is encrypted in transit using TLS (HTTPS).
- Local data is stored inside Chrome's sandboxed extension storage and is only accessible to Readback on your device.
- By default, we do not maintain a server-side database of user content (page text or Ask requests), which substantially reduces the breach surface area. If you enable Cloud Sync (Pro), captured page text is stored on our servers as described in section 12.
- In the event of a security incident affecting user data, we will notify affected users via the contact channels then available.
7. Your rights and controls
- Export. Export your captured corpus at any time from the extension's settings.
- Delete local data. Delete individual pages or wipe the entire local index from settings. Deletion is immediate and local.
- Delete your account. Email support@getreadback.com to delete your account and all associated server-side data (email, user ID, monthly Ask counter, and any page content synced via Cloud Sync). We will complete deletion within 30 days.
- Uninstall. Removing the extension from Chrome deletes all locally stored data. To also remove your server-side account, send a deletion request as described above.
- Pause capture. You can pause capture entirely or per-domain from the extension.
8. Sites we never capture
Readback maintains a built-in denylist of sensitive sites that are never captured, even if they pass the engagement gates:
- Email: Gmail, Outlook
- Chat: Slack, Discord, WhatsApp, Telegram
- Social feeds: Twitter/X, Facebook, Instagram, TikTok, Reddit, LinkedIn, YouTube
- Banks and brokerages: Chase, Bank of America, Wells Fargo, Citi, Capital One, Fidelity, Schwab, Vanguard, E*Trade, Robinhood
- Payments: Plaid, PayPal, Venmo, Cash App
- Personal docs: Google Docs, Notion, Figma
- Health: MyChart
You can extend this list. You cannot shrink it below these defaults.
9. International data transfers
Supabase, Upstash, Anthropic, and Vercel are US-based companies. If you use Readback from outside the United States, the Ask and sign-in requests you send will be processed on servers located in the US. By default, if you never sign in or click Ask, no data leaves your device. If you are a Pro subscriber and have turned on Cloud Sync, captured page data is also uploaded as described in section 12.
10. Cookies and tracking
The extension does not set cookies. It does not embed third-party trackers, pixels, or analytics SDKs.
11. Children
Readback is not intended for use by anyone under 13. We do not knowingly collect data from children. If you are a parent and believe a child has installed the extension, uninstalling it will remove the local data.
12. Cloud Sync (optional, Readback Pro)
By default, everything you capture stays on your device. If you are a Readback Pro subscriber and explicitly turn on Cloud Sync in Settings, the text and metadata of your captured pages are uploaded to our servers (hosted on Supabase) so you can restore them on another device or after clearing your browser.
- Sync is off by default and available only to Pro subscribers.
- When enabled, we store the captured page text, title, URL, and timestamps.
- We do not upload your search index (AI embeddings) — those are rebuilt locally on each device.
- Your data is encrypted in transit (TLS/HTTPS) and protected by per-account access controls so only your signed-in account can read it.
- Turning Cloud Sync off stops further uploads. To delete already-synced data, use Delete everything in Settings or email support@getreadback.com.
13. Changes to this policy
If we change this policy, we will update the "Last updated" date at the top and post the new version at getreadback.com/privacy. For material changes (anything that expands what we collect or send), we will notify you in the extension before the change takes effect.
Contact
Questions, concerns, or requests: support@getreadback.com.
Readback is operated by Osel House LLC, an Alabama limited liability company doing business as Readback.