Privacy Policy

Last updated: May 22, 2026 · Version 2.1

Limited Use Disclosure

2px’s collection, use, and transfer of user data adheres to the Chrome Web Store User Data Policy, including the Limited Use requirements. This page is the authoritative privacy policy for the 2px Chrome Extension and related services.

1. Overview

2px is a Chrome Extension and web dashboard for visual UI feedback. Users place markers on web pages, add notes, and optionally sync them to a cloud workspace for collaboration.

Operator: 2px ([email protected])

2. Plans & Data Flow

2px offers four tiers. The data flow differs by plan:

2.1 Free

  • Markers and settings stay on your device (IndexedDB within the extension origin).
  • AI classification requests are sent to api.2px.dev/api/ai/classify (see §4). If the server is unreachable, classification is skipped (“AI 제안 일시 불가”) and you can still save the marker.

2.2 Solo ($9 / mo)

  • Everything in Free, plus: license verification, cloud sync of markers to Supabase.

2.3 Team ($29 / mo, 5 seats)

  • Everything in Solo, plus: team workspace, collaboration sync via Supabase Realtime, optional voice/video collab via LiveKit.

2.4 Growth ($79 / mo, 20 seats)

  • Everything in Team, plus: extended analytics, audit logs, customer-configured webhooks.

3. Data We Collect

3.1 On-device (all plans)

  • Markers (title, description, CSS selector, position, optional screenshot)
  • User settings (language, shortcut, export format)

3.2 Cloud sync (Solo / Team / Growth)

  • Marker data + page URL + page title + element CSS selector
  • Optional screenshots of the marked area
  • Account email and team identifiers
  • License key (verified against api.2px.dev)

3.3 Data we do NOT collect

  • Passwords or form input values
  • Cookies or authentication tokens from third-party websites
  • Browsing history beyond pages where you create a marker
  • Files from your device (outside of exports you trigger)
  • Full page HTML or complete DOM trees
  • Screenshots, images, or video of the visited page
  • Local storage, session storage, or IndexedDB contents from the visited page

3.4 Cloud Checks Beta (optional, snippet/embed installs only — v1.0.1+ for extension)

When you click “Cloud Checks Beta” and accept the per-domain consent dialog, the snippet sends a strictly sanitized payload to our analysis server:

  • Sent: DOM structure (tag + first class only), 6 CSS properties (color, font-size, margin, padding, etc.), URL hostname + path hash (no query/fragment)
  • NOT sent: cookies, localStorage, sessionStorage, form values, file uploads, full HTML, screenshots, images, authentication tokens, API keys
  • Consent storage: per-domain, 30-day TTL, stored in your browser localStorage. You can revoke at any time.
  • High-risk paths blocked: banking, healthcare, government, and authentication pages are automatically excluded.
  • Server response: JSON issue data only (rule id, severity, message). No executable code is ever returned or executed.
  • Retention: sanitized payload is processed in-memory and not retained after the analysis completes. No raw payload is logged.

Cloud Checks Beta is currently available for snippet/embed installs only. The Chrome extension v1.0 does not include this UI; integration is planned for v1.0.1+ with a separate listing update.

4. AI Classification — What Is Sent and Why

When a marker needs automatic categorization, the extension sends the following payload to api.2px.dev/api/ai/classify over HTTPS:

| Field | Purpose | Sent to OpenAI? |
| --- | --- | --- |
| title | Classification input | Yes |
| description | Classification input | Yes |
| cssSelector | Element identification (selector only) | Yes |
| elementContext | Tag / role / class names (no text content) | Yes |
| pageUrl | Previously used for context; now stripped on the server | No |

Explicitly NOT sent to OpenAI or persisted:

  • Screenshots, full page DOM, or innerHTML
  • Form input values, cookies, localStorage, or session data
  • URLs of any kind (origin, path, query, hash are all stripped at the server boundary)
  • Personal identifiers beyond the account email (Solo / Team / Growth only)

Server-side retention and human access:

  • Raw classify payloads are never persisted. The server forwards the request to OpenAI (GPT-4o-mini) and discards the payload.
  • Only aggregate counters (total, matches, mismatches, error counts, rule × GPT type matrix) are retained. All entries are integers — no user-authored text.
  • The admin endpoint GET /api/ai/classify/logs returns aggregates only. No human-readable path to raw requests exists.
  • Aggregates reset on server restart (no durable disk storage for classification data).

5. Third-Party Subprocessors

| Service | Purpose | Data |
| --- | --- | --- |
| Supabase | Cloud sync, auth (Solo/Team/Growth) | Markers, screenshots, account email |
| OpenAI | AI classification boost | Title, description, selector, elementContext |
| LiveKit | Voice / video collab (Team/Growth, optional) | Audio / video streams (TLS in transit) |
| Lemon Squeezy | Payment processing | Email, billing info |
| api.2px.dev | License verification, AI classify proxy | License key, classify payload (see §4) |

6. Your Rights

  • Export all local and cloud data in JSON format at any time from Settings.
  • Delete cloud data by deleting your account (contact [email protected]). Cloud data is deleted within 30 days of request.
  • GDPR (EU / EEA) and CCPA (California) rights (access, rectification, erasure, portability, opt-out of sale — we do not sell data) apply.

7. Changes

We will revise the “Last updated” date above when this policy changes. For material changes, we will notify users via the dashboard.

8. Contact

Email: [email protected]
Web: https://2px.dev