Privacy Policy
Last updated: May 22, 2026 · Version 2.1
Limited Use Disclosure
2px’s collection, use, and transfer of user data adheres to the Chrome Web Store User Data Policy, including the Limited Use requirements. This page is the authoritative privacy policy for the 2px Chrome Extension and related services.
1. Overview
2px is a Chrome Extension and web dashboard for visual UI feedback. Users place markers on web pages, add notes, and optionally sync them to a cloud workspace for collaboration.
Operator: 2px ([email protected])
2. Plans & Data Flow
2px offers four tiers. The data flow differs by plan:
2.1 Free
- Markers and settings stay on your device (IndexedDB within the extension origin).
- AI classification requests are sent to api.2px.dev/api/ai/classify (see §4). If the server is unreachable, classification is skipped (“AI 제안 일시 불가”) and you can still save the marker.
2.2 Solo ($9 / mo)
- Everything in Free, plus: license verification, cloud sync of markers to Supabase.
2.3 Team ($29 / mo, 5 seats)
- Everything in Solo, plus: team workspace, collaboration sync via Supabase Realtime, optional voice/video collab via LiveKit.
2.4 Growth ($79 / mo, 20 seats)
- Everything in Team, plus: extended analytics, audit logs, customer-configured webhooks.
3. Data We Collect
3.1 On-device (all plans)
- Markers (title, description, CSS selector, position, optional screenshot)
- User settings (language, shortcut, export format)
3.2 Cloud sync (Solo / Team / Growth)
- Marker data + page URL + page title + element CSS selector
- Optional screenshots of the marked area
- Account email and team identifiers
- License key (verified against api.2px.dev)
3.3 Data we do NOT collect
- Passwords or form input values
- Cookies or authentication tokens from third-party websites
- Browsing history beyond pages where you create a marker
- Files from your device (outside of exports you trigger)
- Full page HTML or complete DOM trees
- Screenshots, images, or video of the visited page
- Local storage, session storage, or IndexedDB contents from the visited page
3.4 Cloud Checks Beta (optional, snippet/embed installs only — v1.0.1+ for extension)
When you click “Cloud Checks Beta” and accept the per-domain consent dialog, the snippet sends a strictly sanitized payload to our analysis server:
- Sent: DOM structure (tag + first class only), 6 CSS properties (color, font-size, margin, padding, etc.), URL hostname + path hash (no query/fragment)
- NOT sent: cookies, localStorage, sessionStorage, form values, file uploads, full HTML, screenshots, images, authentication tokens, API keys
- Consent storage: per-domain, 30-day TTL, stored in your browser localStorage. You can revoke at any time.
- High-risk paths blocked: banking, healthcare, government, authentication pages are automatically excluded.
- Server response: JSON issue data only (rule id, severity, message). No executable code is ever returned or executed.
- Retention: sanitized payload is processed in-memory and not retained after the analysis completes. No raw payload is logged.
Cloud Checks Beta is currently available for snippet/embed installs only. The Chrome extension v1.0 does not include this UI; integration is planned for v1.0.1+ with a separate listing update.
4. AI Classification — What Is Sent and Why
When a marker needs automatic categorization, the extension sends the following payload to api.2px.dev/api/ai/classify over HTTPS:
| Field | Purpose | Sent to OpenAI? |
|---|---|---|
| title | Classification input | Yes |
| description | Classification input | Yes |
| cssSelector | Element identification (selector only) | Yes |
| elementContext | Tag / role / class names (no text content) | Yes |
| pageUrl | Previously used for context; now stripped on the server | No |
Explicitly NOT sent to OpenAI or persisted:
- Screenshots, full page DOM, or innerHTML
- Form input values, cookies, localStorage, or session data
- URLs of any kind (origin, path, query, hash are all stripped at the server boundary)
- Personal identifiers beyond the account email (Solo / Team / Growth only)
Server-side retention and human access:
- Raw classify payloads are never persisted. The server forwards the request to OpenAI (GPT-4o-mini) and discards the payload.
- Only aggregate counters (total, matches, mismatches, error counts, rule × GPT type matrix) are retained. All entries are integers — no user-authored text.
- The admin endpoint GET /api/ai/classify/logs returns aggregates only. No human-readable path to raw requests exists.
- Aggregates reset on server restart (no durable disk storage for classification data).
5. Third-Party Subprocessors
| Service | Purpose | Data |
|---|---|---|
| Supabase | Cloud sync, auth (Solo/Team/Growth) | Markers, screenshots, account email |
| OpenAI | AI classification boost | Title, description, selector, elementContext |
| LiveKit | Voice / video collab (Team/Growth, optional) | Audio / video streams (TLS in transit) |
| Lemon Squeezy | Payment processing | Email, billing info |
| api.2px.dev | License verification, AI classify proxy | License key, classify payload (see §4) |
6. Your Rights
- Export all local and cloud data in JSON format at any time from Settings.
- Delete cloud data by deleting your account (contact [email protected]). Cloud data is deleted within 30 days of request.
- GDPR (EU / EEA) and CCPA (California) rights (access, rectification, erasure, portability, opt-out of sale — we do not sell data) apply.
7. Changes
We will revise the “Last updated” date above when this policy changes. For material changes, we will notify users via the dashboard.
8. Contact
Email: [email protected]
Web: https://2px.dev