Last updated:
Privacy Policy
Hypnoter (“we”, “our”, or “the extension”) is an open-source browser extension for note-taking. This Privacy Policy explains what data Hypnoter accesses, how it is used, and what controls you have. This policy applies to the Hypnoter browser extension and the hypnoter.app website.
Our core principle: your data stays on your device. Hypnoter is designed as an offline-first application. All notes, images, and settings are stored locally in your browser’s IndexedDB. No data is transmitted to any server unless you explicitly enable an optional cloud integration.
1. Information Stored Locally on Your Device
The following data is created and stored entirely within your browser using IndexedDB and the browser’s extension storage. This data never leaves your device unless you explicitly enable a cloud integration (see Section 3).
- Notes and content — All text, formatting, embedded images, and attachments you create.
- Images — Stored as binary blobs in IndexedDB.
- Settings and preferences — Theme, language, editor configuration, and other user preferences.
- Search indices — Full-text search index generated locally for fast note lookup.
- AI embeddings — Vector embeddings for semantic search, generated locally on your device.
- Speech-to-text models — Whisper AI models downloaded and executed locally.
- OCR processing — Tesseract OCR models downloaded and executed locally.
2. Information Accessed Temporarily
The extension may temporarily access the following information to provide its features. This data is processed locally and is not stored on any remote server.
- Tab URLs and titles — Accessed via the tabs permission when you use the sticky notes or screenshot features. Used only to associate notes with web pages.
- Active page content — Accessed via the activeTab permission only when you explicitly trigger a content clipping action (e.g., right-click “Add to Note”). The selected content is saved to your local note.
- Screen captures — The tabCapture permission (Chrome only) is used for the screenshot feature. Captured images are stored locally in your notes.
- Microphone audio — Accessed only when you initiate speech-to-text recording. Audio is processed entirely by the local Whisper AI model and is never transmitted to any external service.
3. Information Shared with Third Parties (Opt-In Only)
The following integrations transmit data to external services only if you explicitly enable them. None of these are active by default.
3.1 Google Drive Sync
- What is shared: Note content and metadata are synced to your Google Drive account.
- OAuth scope: drive.file — Hypnoter can only access files it has created. It cannot read or modify any other files in your Drive.
- When it happens: Only when you enable Google Drive sync in Settings and explicitly authenticate.
- Data transmission: All communication uses HTTPS encryption.
3.2 Google Calendar Integration
- What is shared: Event titles, dates, and descriptions created from your notes.
- OAuth scope: calendar.events — Read and write access to your Google Calendar events.
- When it happens: Only when you enable Google Calendar integration and explicitly authenticate.
3.3 Gemini AI API
- What is shared: Note content or selected text sent for AI processing (summarization, translation, grammar correction).
- PII redaction: Before any text is sent to the Gemini API, Hypnoter automatically redacts personally identifiable information including email addresses, phone numbers, credit card numbers, social security numbers, IP addresses, and API keys.
- When it happens: Only when you explicitly use an AI feature that requires cloud processing. Local AI features (Chrome Nano AI) process data entirely on your device.
- API key: You provide your own Gemini API key or authenticate via Google OAuth. Hypnoter does not have its own API key that accesses your data.
3.4 Error Reporting (Disabled by Default)
- Status: Error reporting infrastructure exists but is disabled by default and is currently not active.
- If enabled: Only anonymized error data would be collected: error message, stack trace, browser version, and extension version. IP addresses are anonymized. No note content, browsing history, or personal information is ever included.
- Control: Error reporting can only be enabled through an explicit opt-in setting.
4. Information We Do NOT Collect
To be explicit, Hypnoter does not collect, store, or transmit:
- Analytics or usage statistics
- Tracking pixels or advertising identifiers
- Cookies (the extension uses no cookies whatsoever)
- Browsing history or web activity
- Personal profiles or demographic data
- Keystroke or input logs
- Any data for advertising purposes
- Any data sold to third parties
The hypnoter.app website does not use cookies, analytics scripts, or any form of user tracking.
5. Chrome Extension Permissions Explained
| Permission | Purpose | Data Impact |
|---|---|---|
| storage | Store extension settings and sync preferences across devices | Settings data only; stored in browser’s extension storage |
| contextMenus | Add “Add to Note” option to right-click menu | No data accessed |
| tabs | Read tab URL and title for sticky notes and screenshots | Tab URL/title accessed locally; not transmitted |
| activeTab | Access current page when you explicitly trigger a clip action | Page content accessed only on user action; saved locally |
| tabCapture | Capture visible tab for screenshot feature (Chrome only) | Screenshot saved locally to your note |
| scripting | Inject content scripts for sticky notes and content clipping | Scripts run locally; no data transmitted |
| sidePanel | Open Hypnoter in the browser sidebar (Chrome only) | No data accessed |
| identity | Google OAuth authentication for Drive/Calendar sync | OAuth tokens stored locally; used only for Google API auth |
Host Permissions
| URL Pattern | Purpose |
|---|---|
| http://*/* and https://*/* | Required for content scripts (sticky notes, content clipping) to function on any web page |
| googleapis.com/drive/* | Google Drive API calls (only when Drive sync is enabled) |
| googleapis.com/calendar/* | Google Calendar API calls (only when Calendar integration is enabled) |
| googleapis.com/oauth2/* | OAuth token validation and refresh |
| generativelanguage.googleapis.com/* | Gemini AI API calls (only when AI features are used) |
6. Google API Services — Limited Use Disclosure
Hypnoter’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- Limited use: Hypnoter only requests access to the Google user data necessary to provide the features the user has explicitly enabled (Drive sync and Calendar integration).
- No advertising use: We do not use Google user data for serving advertisements.
- No unauthorized transfer: We do not transfer Google user data to third parties unless necessary to provide or improve the user-facing features, comply with applicable law, or as part of a merger/acquisition with adequate data protection.
- No unauthorized use: We do not use Google user data for purposes unrelated to the extension’s core functionality.
- User consent: We obtain affirmative user consent before accessing Google user data, and users can revoke access at any time.
7. Data Security
- All API communications use HTTPS/TLS encryption.
- Google authentication uses OAuth 2.0 with scoped permissions.
- A built-in PII redaction pipeline automatically strips sensitive information before any cloud AI processing.
- All note data is stored in the browser’s sandboxed IndexedDB, isolated from other extensions and websites.
- No server-side infrastructure stores your data — there is no server to breach.
8. Data Retention and Deletion
- Local data: Notes and settings persist in your browser until you delete them manually or uninstall the extension. You can clear all extension data at any time through your browser’s settings.
- Google Drive data: Synced files remain in your Google Drive according to your Drive storage settings. You can delete synced files from Drive at any time.
- Google Calendar data: Created events remain in your calendar. You can delete them at any time.
- Export: You can export all your notes as a JSON backup file at any time from within the extension.
9. Your Rights and Controls
You have full control over your data:
- Delete local data: Clear extension storage or uninstall the extension to remove all local data.
- Revoke Google access: Remove Hypnoter’s access from your Google Account permissions at any time.
- Export your data: Use the built-in JSON export to create a complete backup of all your notes.
- Disable cloud features: All cloud integrations can be individually disabled in Settings.
- Opt out of error reporting: Error reporting is off by default and can remain off.
- Inspect the code: Hypnoter is open source — review the complete source code at github.com/hypnoter/hypnoter.
10. Children’s Privacy
Hypnoter is not directed at children under the age of 13 (or the applicable age in your jurisdiction under laws such as COPPA or GDPR). We do not knowingly collect personal information from children. If you believe a child has provided personal information through the extension, please contact us so we can take appropriate action.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated “Last updated” date. Continued use of the extension after changes constitutes acceptance of the revised policy. For significant changes, we will update the extension’s changelog.
12. Contact Us
If you have questions about this Privacy Policy or your data:
- Email: contact@hypnoter.app
- Security issues: security@hypnoter.app
- GitHub Issues: github.com/hypnoter/hypnoter/issues
- GitHub Discussions: github.com/hypnoter/hypnoter/discussions