# Privacy Policy — X Thread Summary

**Effective date:** 2026-04-29

**Contact:** [YOUR_CONTACT_EMAIL]

This is the privacy policy for the **X Thread Summary** browser extension ("the Extension"). The Extension is published as a self-contained client-side tool that runs entirely inside your browser — there is no first-party server.

---

## 1. What data the Extension processes

| Category | What | When | Where it goes |
| --- | --- | --- | --- |
| Page content | Text of the currently focused web page (article body / X thread / comments) | Only when **you** trigger summarization (toolbar click, keyboard shortcut, in-page widget button) | Sent **only** to the LLM endpoint URL you configured in Settings |
| API key | The OpenAI-compatible API key you typed into Settings | On every summarization request | Sent **only** to the same LLM endpoint URL, as an HTTP `Authorization: Bearer …` header |
| Reader profile | Free-text role, tags, and extra instructions you typed into Settings | On every summarization request, included in the prompt | Sent **only** to the same LLM endpoint URL |
| Preferences | Output language, length, key-points toggle, UI mode | Read locally to assemble the prompt | Stored locally on this device only |

Nothing else is collected.

---

## 2. What the Extension does NOT do

- It does **not** maintain any first-party server. There is no backend the Extension talks to.
- It does **not** collect telemetry, analytics, crash reports, or usage metrics.
- It does **not** sync your settings, API key, or persona across devices via Chrome Sync.
- It does **not** transmit your data to any third party other than the LLM endpoint you configured yourself.
- It does **not** sell user data, share data with advertisers, or use data for unrelated purposes.
- It does **not** read pages in the background. Extraction only runs when you explicitly invoke a summary.

---

## 3. Where your data is stored

- Your API key, reader profile, and preferences are stored in `chrome.storage.local`, which is local browser storage tied to your current device and your current browser profile.
- Anyone with physical access to your browser profile (or another extension you grant comparable permissions to) can read the stored API key. This is a property of all browser-stored secrets — treat it accordingly.
- You can wipe all stored data at any time using the **"Clear all settings"** button on the Extension's options page.

---

## 4. Third parties

The Extension transmits data **only** to the LLM endpoint you configure in Settings (`baseUrl`). That endpoint is operated by whichever provider you chose: OpenAI, DeepSeek, Together, Groq, Mistral, your employer's internal gateway, your own self-hosted Ollama proxy, etc. We have no control over how that provider processes the data — please review the provider's own privacy policy.

The Extension does not communicate with any other third party.

---

## 5. Permissions used

| Permission | Why |
| --- | --- |
| `activeTab` | Read the active tab's DOM when you trigger a summary |
| `scripting` | Inject the extraction script into the active tab when needed |
| `storage` | Persist your settings locally on this device |
| `sidePanel` | Open Chrome's native side panel (only if you enable that mode in Settings) |
| Host permission for `x.com` / `twitter.com` | Detect and assemble X thread structure |
| Optional host permission for your LLM endpoint | Send chat-completion requests to it (requested when you save settings) |
| Optional `` | Allow summarizing on hosts other than x.com / twitter.com (only requested if you opt in) |

---

## 6. Children's privacy

The Extension is not directed to children under 13 and does not knowingly collect data from children.

---

## 7. Changes to this policy

If this policy meaningfully changes, the new effective date will be updated above and the change announced in the Extension's release notes. Continued use after such changes constitutes acceptance.

---

## 8. Contact

Questions about this policy: **[YOUR_CONTACT_EMAIL]**

---

# Privacy Policy (Simplified Chinese)

**Effective date:** 2026-04-29

**Contact:** [YOUR_CONTACT_EMAIL]

This is the privacy policy for the **X Thread Summary** browser extension ("the Extension"). The Extension runs entirely locally in your browser and has no first-party server.

## 1. What data the Extension processes

| Category | What | When | Where it goes |
| --- | --- | --- | --- |
| Page content | Body text of the currently focused page / X thread / comment text | Only when **you** actively trigger summarization (clicking the toolbar icon, pressing the keyboard shortcut, clicking the in-page button) | Sent only to the LLM endpoint URL you entered in Settings |
| API key | The OpenAI-compatible API key you entered in Settings | On every summarization request | Sent only to the same LLM endpoint, as an `Authorization: Bearer …` header |
| Reader profile | The role, tags, and extra instructions you set | Included in the prompt on every summarization request | Sent only to the same LLM endpoint |
| Preferences | Output language, length, whether to include key points, UI mode | Read locally only, to assemble the prompt | Stored locally only |

Nothing other than the above is collected.

## 2. What the Extension does not do

- It has no first-party server and does not call any backend of its own
- It does not collect telemetry, usage statistics, or crash logs
- It does not sync your settings, API key, or profile to other devices via Chrome Sync
- It does not send your data to any third party other than the LLM endpoint you configured
- It does not sell user data, provide it to advertising platforms, or use it for other unrelated purposes
- It does not read pages in the background; content is extracted only when you actively trigger it

## 3. Where data is stored

- Your API key, profile, and preferences are stored in `chrome.storage.local`, only on your current device and in your current browser profile
- Anyone with physical access to your browser profile (or another extension you have granted comparable permissions) can read the API key stored on this device. This is a property common to all built-in browser storage
- Clicking **"Clear all settings"** on the options page clears all local data in one step

## 4. Third parties

The Extension sends data only to the LLM endpoint you configured in Settings (`baseUrl`). That endpoint is operated by the provider you chose (OpenAI / DeepSeek / Together / Groq / Mistral / a company-internal gateway / self-hosted Ollama, etc.). How that provider processes the data is governed by its own privacy policy; please review it yourself.

Beyond this, the Extension does not communicate with any other third party.

## 5. Permissions used

| Permission | Purpose |
| --- | --- |
| `activeTab` | Read the current tab's DOM when you trigger a summary |
| `scripting` | Inject the content script into the current tab when needed |
| `storage` | Store your settings on this device |
| `sidePanel` | Open Chrome's native side panel when you have enabled side panel mode in Settings |
| Host permission for `x.com` / `twitter.com` | Detect and assemble X thread structure |
| Host permission for the LLM endpoint you configured (optional) | Call the chat completions API (requested when you save settings) |
| Optional `` permission | Requested only if you turn on "Allow use on all websites" |

## 6. Children's privacy

The Extension is not directed to children under 13 and does not knowingly collect data from children.

## 7. Changes to this policy

If this policy is materially changed, the effective date at the top of the page will be updated and the change announced in the release notes. Continued use constitutes acceptance.

## 8. Contact

Any questions about this policy: **[YOUR_CONTACT_EMAIL]**