1. Overview
2px (formerly 2px) is a Chrome Extension that captures visual feedback on web pages. This policy explains what data we collect, why, and how we protect it.
Operator: 2px ([email protected])
2. Data We Collect
2.1 Free Plan (Local Only)
On the Free plan, all data stays on your device. We do not collect, transmit, or store any data on our servers. Data is stored in your browser's IndexedDB under the extension origin.
2.2 Paid Plans (Cloud Sync)
When you upgrade to Solo, Team, or Growth and explicitly opt in to cloud sync, the following data is transmitted to our servers (Supabase, hosted on AWS):
- Marker data: Title, description, feedback type, priority, status, tags
- Page context: Page URL, page title, element fingerprint (CSS selector + XPath)
- Position: X/Y coordinates of markers on the page
- DOM snapshot: Partial HTML of the targeted element only (truncated to 1KB — never the full page)
- Computed CSS styles: 9 CSS properties (fontSize, color, backgroundColor, position, display, width, height, margin, padding)
- Screenshots: An optional screenshot of the visible viewport, captured only when you attach one (it may include page content near the marked element)
- Source code reference: Component file path (if available)
- Export history: Records of when and how marker data was exported (format, timestamp, included data types)
2.3 Data We Do NOT Collect
- Passwords or form input data
- Cookies or authentication tokens from visited websites
- Browsing history beyond the pages where you create markers
- Personal files from your device
- Full page HTML or complete DOM trees
3. How We Use Your Data
- Cloud sync: Synchronize markers across your devices on Solo, Team, and Growth
- Prompt quality scoring: Evaluate completeness of feedback for LLM-assisted bug fixing (computed locally)
- Export audit: Track export history for security compliance
We do not sell, share, or use your data for advertising. We do not train AI models on your data.
4. Chrome Extension Permissions
| Permission | Why We Need It |
|---|
activeTab | Access the current tab to capture markers and screenshots |
storage | Save markers and settings locally |
scripting | Inject the marker overlay UI onto web pages |
downloads | Export data as JSON files |
tabs | Get page URL and title for marker context |
http://*/*, https://*/* | Allow markers on any http/https website (including localhost). We intentionally declare these instead of <all_urls> to exclude file://, ftp://, and browser-internal pages. |
4.5 Cloud Checks Beta (Extension v3.4.0+, opt-in)
Starting with extension v3.4.0, clicking the "Diagnose" button in the marker feedback form can optionally run design-consistency and SEO checks on our server. This is opt-in only — without explicit consent, only client-side checks run (as in earlier versions).
Sent (allow-list)
- URL hostname and SHA-256 hash of the path (no full URL, no query, no fragment)
- Page
<title>, meta description, canonical hostname, robots, lang, OG/Twitter card tags - Heading text (h1–h6, up to 80 chars, max 30 items), image alt text (100 chars, max 50), link anchor text (60 chars, max 100) — PII regex-masked
- Page colour palette (top 50), font families/sizes (max 20), grid snapshot (30), CSS variable names
- For the marker target element only: tag name, computed style subset (color/bg/font/padding/margin/border-radius), aria-label (50 chars, masked), text sample (50 chars)
NOT sent (deny-list)
<input>/<textarea>/<select> value / defaultValue- Cookies, localStorage, sessionStorage
- Authorization headers, Bearer tokens, API keys
- URL query string, URL fragment (e.g.
#access_token=…) - Full page HTML, screenshots, base64 images
- Regex-matched email / phone / national ID → replaced with
[REDACTED] data-* attribute values (except those on the allow-list)
Processing
- Server processes the payload in memory only.
- Raw payloads are not stored in the database, logs, or files. Access logs keep only hostname and response code.
- Response cache key is the SHA-256 hash of the payload; the original payload is not retained (TTL 1 hour).
- Payload is discarded immediately after the response is returned.
Consent
- First "Diagnose" click shows a modal requesting explicit consent.
- Consent is recorded per-origin in
chrome.storage.sync and re-confirmed every 30 days. - Withdraw: extension Options page → toggle "Cloud Checks Beta" off, or choose "Don't use on this site" in the per-origin modal.
- Server-side audit log stores only the consent token hash for GDPR Art. 7(1) compliance.
Rate Limit
Daily limits per plan: Free 30, Solo 100, Team 300, Growth 1000 calls/day. Anonymous calls use the Free limit.
5. Data Storage & Security
- Local storage: Browser IndexedDB (encrypted by the browser)
- Cloud storage: Supabase (PostgreSQL on AWS), with Row Level Security (RLS) — you can only access your own data
- Screenshots: Stored in a private Supabase Storage bucket, accessible only by the uploading user
- Transit: All API communication uses HTTPS/TLS
6. Data Retention & Deletion
- Free plan: Data exists only in your browser. Clear it anytime from Settings > Clear All Data
- Paid plans: Cloud data is retained while your account is active. Soft-deleted markers are purged after 30 days
- Account deletion: Request deletion via [email protected]. All cloud data will be permanently deleted within 30 days
- Export: You can export all your data as JSON at any time from Settings
7. Your Rights (GDPR / CCPA)
You have the right to:
- Access: Export all your data as JSON
- Rectification: Edit or update your markers anytime
- Erasure: Delete individual markers or request full account deletion
- Portability: Export data in standard JSON format
- Object: Opt out of cloud sync at any time by switching to Free plan
8. Third-Party Services
- Supabase: Database and authentication (Solo, Team, and Growth plans)
- LemonSqueezy: Payment processing (paid plan purchases)
We do not use analytics, tracking pixels, or advertising SDKs.
9. Children's Privacy
2px is not directed at children under 13. We do not knowingly collect data from children.
10. Changes to This Policy
We may update this policy. Changes will be posted on this page with an updated date. For significant changes, we will notify users via the extension.
Last updated: 2026-06-01 (added section 4.5 — Cloud Checks Beta for extension v3.4.0).
© 2026 2px. All rights reserved.