Privacy Policy

Last updated: April 30, 2026 · Effective: April 30, 2026

This Privacy Policy describes how Screenshot Annotate ("we", "our", or "us") collects, uses, stores, and shares your information when you use the Screenshot Annotate Chrome Extension and related web services (collectively, the "Service"). By using the Service, you agree to the practices described in this policy.

      Summary — How We Handle Your Data
      We collect only the minimum data needed to provide the Service: your email (for sign-in), uploaded screenshots/audio (only when you choose to upload), and your license status.
Your data is used solely to operate Screenshot Annotate. We do not use it for advertising, behavioral profiling, or any purpose unrelated to the extension's core functionality.
We do not sell, rent, or trade your personal data to any third party.
Data is shared only with the service providers listed in Section 6, solely to deliver the Service's features.
All screenshot annotation and editing happens entirely on your device — no image data is sent to our servers unless you explicitly click Upload or Share.

    

Table of Contents

Information We Collect
How We Use Your Information
How We Process Your Data
How We Store Your Data
How We Share Your Data
Third-Party Services
Browser Permissions & Local Storage
Data Security
Data Retention
Your Rights & Choices
Children's Privacy
International Data Transfers
Changes to This Policy
Contact Us

1. Information We Collect

1.1 Information You Provide

Google Account Information — When you sign in with Google, we receive your email address, Google account ID, and public profile information (display name and profile photo URL) via Google OAuth (Chrome Identity API). We do not receive your Google password, and we do not access any other Google services.
Screenshots and Images — Images are processed locally in your browser. Images are only transmitted to our servers when you explicitly click "Upload", "Share", or use the GIF Export feature.
Voice Notes — Audio recordings are captured locally and uploaded to our servers only when you explicitly save or share a voice note.
OCR Content — When you use the OCR (Text Scan) feature, the selected screenshot region is sent to our backend, which forwards it to OCR.space for text extraction. The image data is not stored after processing.
Google Drive Files (optional) — If you choose to enable the "Save to Google Drive" option, screenshots you upload are sent directly from your browser to your own Google Drive folder. We do not receive, store, or have access to the file contents — the upload bypasses our servers entirely. We only record the resulting Drive share URL and basic metadata (file size, content type, upload time) so the History panel can display your uploads. The Drive integration is fully optional and disabled by default.

1.2 Information Collected Automatically

License & Plan Status — We store your plan type (free, premium_trial, or premium) and expiry date linked to your user ID.
File Metadata — When you upload files, we record file size, content type, creation timestamp, and expiry date alongside the file URL.
Server Logs — Our Cloudflare Worker backend may log request timestamps, IP addresses, and HTTP status codes for operational and security purposes. These logs are retained for a short period and are not used for advertising.

1.3 What We Do NOT Collect

      We do not collect, store, transmit, or have access to any passwords. Authentication is handled exclusively via Google OAuth — your Google password is entered only on Google's own sign-in page (accounts.google.com) and is never visible to Screenshot Annotate. See Section 1.4 below for full details.
We do not track your browsing history or the URLs of pages you visit.
We do not collect screenshots unless you explicitly choose to upload or share them.
We do not collect annotations made locally — drawing and editing happens entirely in your browser and is never sent to our servers.
We do not collect payment card details — all payments are processed by PayPal directly.
We do not sell, rent, or trade your personal data to any third party.
We do not use your data for advertising or behavioral profiling.

    

1.4 Authentication & Password Handling

Screenshot Annotate uses Google OAuth 2.0 exclusively for sign-in. We do not operate or maintain any email/password authentication system. Specifically:

We do not display any password input field anywhere in the extension.
We do not receive, transmit, or store user passwords of any kind.
We do not have access to your Google account password — Google's OAuth flow exchanges a one-time consent grant for an access token on Google's own domain. Your password never touches our servers, the extension, or any third party we work with.
The only credentials we store are short-lived OAuth tokens (access token, refresh token, and an optional Google Drive token if you enable that integration) issued by Google or Supabase. These tokens are kept locally in chrome.storage.local, used solely to authenticate API calls on your behalf, and are cleared when you log out or disconnect.
Earlier versions of the extension briefly included an email/password login form. That form, its handlers, and all related credential-collection code have been fully removed. The extension's only sign-in path is the "Sign in with Google" button.

2. How We Use Your Information

We use the information we collect for the following purposes:

Authentication — To identify you when you sign in and associate your account with your license.
Service Delivery — To store and serve your uploaded screenshots, voice notes, and history.
License Management — To verify your plan (free vs. premium) and enforce feature access accordingly.
Payment Processing — To activate or renew your premium license after a successful payment via PayPal.
OCR Processing — To forward screenshot regions to the OCR service on your behalf and return extracted text to you.
Security & Abuse Prevention — To detect unauthorized access attempts and enforce rate limits.
Service Improvement — Aggregated, anonymized usage patterns (e.g., error rates) may be reviewed to improve the Service. No individual user is identified in this process.

2.1 Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data on the following legal bases:

Contractual necessity — Processing your authentication data, license/plan status, and uploaded files is necessary to provide the Service you signed up for.
Legitimate interest — We process server logs and use license caching to maintain security, prevent abuse, and improve Service performance. These interests are not overridden by your data protection rights.
Consent — We process screenshot regions for OCR and audio recordings for Voice Notes only upon your explicit action. You can withdraw this consent at any time by not using these features or by revoking microphone permission in Chrome Settings.
Legal obligation — We may process or retain data where required by applicable law.

3. How We Process Your Data

Data processing occurs in the following ways:

Local processing (in-browser) — Screenshot capture, all annotation tools (draw, text, blur, crop, resize, etc.), undo/redo, and local downloads are performed entirely within your browser using the HTML5 Canvas API. No data leaves your device during these operations.
Server-side processing — When you upload a file, our Cloudflare Worker receives the file, authenticates your identity and plan, forwards the file to the appropriate storage provider (Cloudinary for images, Cloudflare R2 for audio), and records the metadata in our database.
OCR processing — The selected image region is Base64-encoded in the browser, sent over HTTPS to our backend, which then sends it to OCR.space's API. The result (extracted text and word coordinates) is returned to your browser. The image is not retained by our backend after the API call completes.
Payment processing — Payment transactions are handled by PayPal. We receive a webhook notification from PayPal confirming payment, which we use to activate or extend your premium license. We do not process card details ourselves.

4. How We Store Your Data

Account & license data — Stored in a Supabase (PostgreSQL) database hosted on Supabase's infrastructure. Row-Level Security (RLS) is enforced so that each user can only access their own records.
Uploaded images — Stored on Cloudinary's CDN infrastructure.
Uploaded audio (voice notes) — Stored in Cloudflare R2 object storage.
Local extension data — Authentication tokens, license cache, editor preferences, pinned colors, upload history thumbnails, the optional ImgBB API key, and temporary screenshot data are stored in chrome.storage.local on your device. See Section 7 for the complete list. This data is not synced to our servers unless you are signed in and the Cloud Sync feature is active.
All data in transit is encrypted using TLS (HTTPS). Data at rest is protected by the security controls provided by each storage provider.

5. How We Share Your Data

We do not sell your personal data. We share data only in the following limited circumstances:

With service providers — We share data with third-party services solely to operate the Service (see Section 6). These providers act as data processors and are contractually restricted from using your data for any other purpose.
When you share a link — If you use the Share feature, the uploaded screenshot URL becomes publicly accessible via a share link. You control when and with whom you share that link.
Legal requirements — We may disclose information if required by law, court order, or government authority, or to protect the rights, property, or safety of our users or the public.
Business transfer — In the event of a merger, acquisition, or sale of assets, user data may be transferred. We will notify affected users before data is transferred and becomes subject to a different privacy policy.

6. Third-Party Services

The following third-party services receive user data solely to operate Screenshot Annotate. No third party receives your data for advertising, marketing, or any purpose other than delivering the Service. Each provider acts as a data processor under a data processing agreement or equivalent terms.

Supabase (supabase.com) — Data shared: email address, Google user ID, plan/license status. Purpose: user authentication and license management. Data stored in the United States. Privacy Policy
Cloudinary (cloudinary.com) — Data shared: screenshot images you explicitly upload. Purpose: image hosting and CDN delivery. Privacy Policy
Cloudflare (cloudflare.com) — Data shared: API request metadata (IP address, timestamps); audio files you explicitly upload. Purpose: backend compute (Workers) and audio file storage (R2). Privacy Policy
PayPal (paypal.com) — Data shared: none directly from us. You provide payment details directly to PayPal; we receive only a payment confirmation webhook. Purpose: payment processing. Privacy Policy
OCR.space (ocr.space) — Data shared: the specific screenshot region you select when using the OCR tool (not stored after processing). Purpose: optical character recognition. Sent only upon your explicit action. Privacy Policy
Google (google.com) — Data shared: OAuth sign-in request only. We receive your email address, Google user ID, and public profile name/avatar (via openid, email, profile scopes). For sign-in, we do not access any other Google data (Gmail, Calendar, etc.). Purpose: account sign-in via Google OAuth. Privacy Policy
Google Drive (drive.google.com) — Optional, opt-in only. Activated only when you click "Connect Drive" in the extension popup. Data shared: screenshot files you choose to upload, sent directly from your browser to your own Drive account; we never see the file contents. Scope requested: drive.file (the extension can only see, edit, and delete files it has created in your Drive — it cannot access any other files in your Drive). Purpose: let you save screenshots to storage you control. You can revoke access anytime via the "Disconnect Drive" button or at myaccount.google.com/permissions. Privacy Policy

Google API Limited Use Disclosure: Screenshot Annotate's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Google user data (email, user ID, profile) is used solely to authenticate your identity and is not shared, sold, transferred, or used for advertising, profiling, or any purpose beyond providing the Screenshot Annotate service.

We do not share user data with any parties other than those listed above.

7. Browser Permissions & Local Storage

Chrome Extension Permissions

Screenshot Annotate requests the following Chrome permissions, each used strictly for the stated purpose:

activeTab — To capture a screenshot of the currently active browser tab when you click the extension icon or use a keyboard shortcut. We read the tab's visual content only at the moment of capture; we do not monitor tab activity in the background.
scripting — To inject the area-selection overlay into the current page so you can drag-select a region to capture. The injected script does not read or transmit page content.
storage / unlimitedStorage — To save your preferences (pinned colors, last-used tool, authentication token) locally on your device via chrome.storage.local. unlimitedStorage allows storing larger annotation data without hitting the default quota. No data is synced to our servers without your action.
identity — Used for two separate, optional Google authorizations: (1) sign-in via Google OAuth (openid, email, profile scopes — your email, Google user ID, profile name/avatar; no access to Gmail/Calendar/Drive); and (2) the optional "Connect Drive" feature (drive.file scope) which lets the extension save screenshots to a folder it creates in your own Drive. Drive scope is requested only when you click "Connect Drive" in the popup, never silently or at install time.
host_permissions (<all_urls>) — Required to inject the area-selection overlay on any page you choose to screenshot, and to upload images to our backend API. We do not read, collect, or transmit the content of web pages you visit. This permission is used solely to enable the screenshot capture overlay and cloud upload functionality.
Microphone access (Voice Note feature) — Microphone is not declared as a manifest permission. The Voice Note tool (Premium feature) uses the standard Web getUserMedia() API, which causes Chrome to display a microphone prompt the first time you click Record. You can deny it and the rest of the extension will continue working normally. Audio is recorded locally and uploaded to our servers only when you explicitly save the note. We do not record audio passively or in the background. You can revoke microphone access at any time from Chrome Settings → Privacy & Security → Site Settings.

Local Storage

The extension stores the following data locally in chrome.storage.local on your device. This data is stored only on your device and is never sent to our servers unless explicitly described below:

authToken, authExpires — Your Supabase/Google access token and its expiry timestamp, used to authenticate API calls. Stored only while you are signed in; cleared on logout.
refreshToken — A Supabase refresh token used to silently renew your session when the access token expires. Stored only while you are signed in; cleared on logout.
userEmail — Your email address, displayed in the account section of the popup. Cleared on logout.
licenseCache — A locally cached copy of your plan type (free / premium_trial / premium) and expiry date, used to avoid repeated API calls. Refreshed every 5 minutes while the extension is in use.
imgbbKey — The ImgBB API key you optionally enter in the Cloud Storage section of the popup. This key is stored locally on your device and is sent only to api.imgbb.com when you upload via ImgBB. We never transmit it to our own servers.
storageProvider — Your selected cloud storage destination (cloudinary, drive, or imgbb). Stored locally so the extension remembers your preference between sessions.
driveConnected, driveFolderId, driveToken, driveTokenExpires — Set only if you connect Google Drive. driveConnected is a boolean flag; driveFolderId is the ID of the "Screenshot Annotate" folder created in your Drive so the extension can re-locate it on subsequent uploads. driveToken and driveTokenExpires hold the OAuth access token returned by Google during the Drive sign-in flow and its expiry timestamp, so the extension can upload to your Drive without re-prompting until the token expires (typically one hour). All four keys are cleared when you click "Disconnect Drive", and the access token is also revoked at Google at that time.
cloudHistory — A local cache of metadata (URL, thumbnail, creation date, expiry) for files you have uploaded. Used to display your History without repeated API calls. Thumbnails are stored as compressed WebP data URLs.
workspace — Your editor preferences: default annotation tool, stroke size, font size, color palette, and auto-upload setting. Synced to our servers only if you are signed in and the Cloud Sync feature is active.
pinnedColors — Your custom pinned color swatches (hex color codes). Stored locally; never transmitted to our servers.
screenshotData, cropRect, scrollPieces, scrollInfo — Temporary screenshot pixel data held in local storage while the editor window opens. Deleted automatically once the editor has loaded the image (typically within a few seconds).

No cookies are set by the extension itself. The backend website may use standard browser session behavior but does not set tracking or advertising cookies.

8. Data Security

We take reasonable technical and organizational measures to protect your data:

All data in transit is encrypted via TLS/HTTPS.
Our database uses Row-Level Security (RLS) to ensure users can only access their own data.
API endpoints require a valid Bearer token for all authenticated operations.
Cloudinary and Cloudflare R2 files are stored using the security controls provided by those platforms.
Payment handling is fully delegated to PayPal — we never receive or store card numbers, CVVs, or bank details.

No method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

9. Data Retention

Uploaded files (images & audio) — Automatically deleted 30 days after upload. You can delete files earlier from the History panel at any time.
Account & license data — Retained while your account is active. Deleted upon your request (see Section 10).
Server logs — Retained for up to 30 days for operational purposes, then purged automatically.
OCR image data — Not stored. The image region is forwarded to OCR.space and the response is returned to your browser; nothing is persisted on our servers.
Local storage data (chrome.storage.local) — Authentication tokens are cleared when you log out. Temporary screenshot data (screenshotData, scrollPieces, cropRect) is deleted automatically within seconds of the editor opening. All remaining local data (preferences, cached history, pinned colors) persists on your device until you log out, uninstall the extension, or clear Chrome extension storage via Chrome Settings.

10. Your Rights & Choices

You have the following rights regarding your personal data:

Access — You can view your uploaded files at any time via the History panel in the extension.
Deletion — You can delete individual files from the History panel, or request full account deletion by emailing us (see Section 14). We will delete your account and all associated data within 30 days.
Portability — You can download any uploaded screenshot directly from the History panel or via the shared link.
Opt-out of cloud features — Cloud upload and History are optional premium features. You can use all local annotation tools without creating an account or uploading any data.
Withdraw consent — You may uninstall the extension at any time. Uninstalling typically removes locally stored extension data, subject to browser behavior and system settings. To remove your cloud data, contact us before uninstalling.

If you are in the European Economic Area (EEA) or United Kingdom, you may have additional rights under GDPR, including the right to lodge a complaint with your local data protection authority.

11. Children's Privacy

The Service is not directed to children under the age of 13 (or 16 in certain jurisdictions). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

12. International Data Transfers

Your data may be stored and processed in the United States and other countries where our service providers operate. By using the Service, you consent to the transfer of your information to these countries, which may have different data protection laws than your country of residence. We rely on standard contractual clauses and the privacy policies of our service providers to safeguard transferred data.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will update the "Last updated" date at the top of this page. For material changes, we may also notify you via a notice in the extension popup. We encourage you to review this policy periodically. Continued use of the Service after changes become effective constitutes your acceptance of the updated policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Email: phuonglabs.dev@gmail.com

Product: Screenshot Annotate Chrome Extension (ID: lipdnlgdjlbihadpagjpphbkaandhbim)

We aim to respond to all privacy-related requests within 30 days.