Privacy Policy

To Do Focused (“we”, “us”) is a Chrome extension that replaces your new tab with a focus cockpit. This policy explains what data the extension and our website (todofocused.com) collect, why, and what you can do about it.

• Account info from Google Sign-In: your email, display name and profile picture URL. Used solely to authenticate and identify your data.
• Your content: tasks, projects, Pomodoro history, preferences (theme, wallpaper, blocker rules). Stored in your own row of our Supabase database and only readable by you (Row-Level Security).
• Authentication tokens: short-lived session tokens issued by Supabase Auth, stored locally in your browser.

• Browsing history. The blocker uses Chrome's declarativeNetRequest API which evaluates rules locally — we never see the URLs you visit.
• Page content. The YouTube/Twitter content scripts run locally and do not send anything off your device.
• Analytics or behavioural tracking. The site uses no third-party analytics scripts.

• identity — Google Sign-In via Chrome Identity API.
• storage — local preferences (theme, wallpaper, timer state) and offline task cache.
• alarms / notifications — fire Pomodoro phase transitions when the new tab is closed or in the background.
• declarativeNetRequest — block user-selected sites without inspecting any traffic.
• offscreen — host Web Audio for soundscapes (Manifest V3 requirement).
• sidePanel — provide the always-on tasks/timer panel.
• Host: *.supabase.co — sync your own data with your account.
• Content scripts on youtube.com, twitter.com, x.com — user-opt-in cleanup that hides feeds/recommendations/comments.

Only to provide the extension's functionality: authenticating you, storing and syncing your tasks/preferences, and delivering Pomodoro notifications. We do not sell, rent or share your data with third parties. We do not use your data for advertising, credit, insurance, employment or any unrelated purpose.

Tasks and preferences live in Supabase (Postgres) under your user ID, protected by Row-Level Security. Authentication is handled by Supabase Auth + Google OAuth. Static assets are served from Vercel.

• Export: the “My Account” section in the extension exports a complete JSON of your data.
• Delete: sign out and request account deletion via the contact email below. We remove your row within 7 days.
• Disable site blocking: uninstall the extension or toggle categories off in the Blocking tab.

Questions or deletion requests: hello@todofocused.com.