LockInLockIn

Privacy Policy

Last Updated: March 22, 2026

1. Information We Collect

Account Information (via Google OAuth):

  • Display name
  • Email address
  • Profile picture URL

We use Google OAuth for sign-in. We do not store passwords or offer password-based sign-up in the app.

Productivity Data (synced to cloud when signed in):

  • Tasks: Task name, planned date, completion status, estimated and actual duration in minutes.
  • Focus Sessions: Start time, end time, duration, and session type (task or break).
  • Distractions: Domain name and timestamp when you attempt to access a blocked website during a focus session.
  • Daily Statistics: Aggregated daily totals for focus minutes, tasks completed, distraction count, and whether the day counts as a streak day (25+ minutes of focus).
  • Goals: Habit and milestone names, target values, and daily check-in records.

Settings:

  • Blocked domain list (e.g. "reddit.com", "twitter.com")
  • YouTube blocking mode (off, partial, or fully blocked)
  • AI personality setting (e.g. "drill sergeant", "supportive coach")
  • Timer durations and preferences

Payment Information:

Payment details are collected and stored by Stripe. We store your Stripe customer ID and subscription ID to manage your plan. We never see or store your full credit card number.

What We Do NOT Collect:

  • Browsing history (we only record the domain when you hit a blocked site)
  • Page content or keystrokes
  • Data from non-YouTube websites
  • Spotify listening history
  • Cookies for tracking or advertising

2. Chrome Extension: Local vs. Cloud Data

The Chrome Extension stores data in two places:

Local (chrome.storage.local) — stays on your device:

  • Current timer state and settings
  • Cached task list for offline use
  • Incomplete focus session data (synced when session ends)
  • Last sync timestamp

Cloud (Supabase) — synced when signed in:

  • Tasks, focus sessions, distractions, daily stats, goals, and settings (as listed above)
  • Sync happens on: sign-in, manual sync, task completion, and session end

If you use the extension without signing in, all data stays local on your device and is never transmitted.

3. YouTube Content Script

When YouTube partial blocking is enabled, the extension injects a content script on youtube.com pages. This script:

  • Hides recommendation feeds, comments, and sidebar suggestions by modifying the page's DOM
  • Does NOT read, collect, or transmit any YouTube page content
  • Does NOT access your YouTube account, watch history, or subscriptions
  • Only runs on youtube.com domains and only during active focus sessions

4. How We Use Your Information

  • Sync and display: Store your productivity data so it's accessible from both the extension and web dashboard across devices.
  • Statistics and insights: Calculate daily/weekly stats, streaks, and trends shown on your dashboard.
  • AI quotes: Send your current task name and AI personality setting to OpenAI to generate a motivational quote. No other data is sent.
  • Billing: Process payments and manage your Pro subscription through Stripe.
  • Service updates: Send important notifications about your account, subscription status, or policy changes via email.

5. Third-Party Data Sharing

We share data with the following services only as needed to operate the Service:

  • Supabase (database): Stores all synced account data, productivity data, and settings. Data is protected by PostgreSQL row-level security (RLS) policies — each user can only access their own data.
  • Google (optional auth): Provides sign-in. We receive your name, email, and profile picture during OAuth.
  • OpenAI (AI quotes): Receives only your current task name (e.g. "Write essay") and AI personality setting (e.g. "drill sergeant"). Does NOT receive your browsing history, blocked domain list, focus statistics, or any other account data.
  • Stripe (payments): Processes subscription payments. Stripe stores your billing details. See Stripe's privacy policy.
  • Spotify (optional): If you connect Spotify, we access your current playback state to show play/pause/skip controls. We do NOT access your listening history, saved songs, or playlists. Authorization is via Spotify OAuth and can be revoked at any time from your Spotify account settings.

We do not sell, rent, or trade your personal information to any third party.

6. Data Storage and Security

  • Cloud data is stored in Supabase (PostgreSQL) with row-level security ensuring you can only access your own data.
  • All data transmission between the extension, web app, and our servers uses HTTPS/TLS encryption.
  • Local extension data is stored in chrome.storage.local, which is sandboxed to the LockIn extension and inaccessible to other extensions or websites.
  • We do not use cookies for tracking. Authentication state is managed via Supabase session tokens stored in secure, httpOnly cookies.

7. Data Retention

Your data is retained while your account is active. Upon account deletion:

  • All cloud data (profile, tasks, sessions, stats, goals, settings, distraction logs) is permanently deleted within 30 days.
  • Stripe billing records are retained by Stripe per their data retention policy.
  • Local Chrome extension data remains on your device until you uninstall the extension or clear its data manually.
  • Anonymized, aggregated analytics data (e.g. subscription event counts with no user identifiers) may be retained.

8. Your Rights

  • Access: View all your data through the web dashboard at any time.
  • Export: Download all your data as a JSON file from Account Settings. Available to all users (free and Pro).
  • Delete: Permanently delete your account and all associated data from Account Settings. This is immediate and irreversible.
  • Revoke integrations: Disconnect Spotify from your Spotify account settings. If you used Google sign-in, you can revoke Google access from your Google account security page.

9. California Privacy Rights (CCPA)

California residents have the right to:

  • Know what personal information is collected (see Section 1 above).
  • Request deletion of their data (use Account Settings or email us).
  • Opt out of the sale of personal information. We do not sell personal information.

10. Children's Privacy

The Service is not directed at children under 13. We do not knowingly collect information from children under 13. If you are a parent and believe your child has provided us with personal information, contact us and we will delete it.

11. Changes to This Policy

We may update this policy. Changes will be posted on this page with an updated date. Material changes will be communicated via email at least 14 days before taking effect.

12. Contact

For privacy questions, data requests, or concerns, contact us at support@imsolockedin.com.