Privacy Policy

Effective Date: June 10, 2026

This Privacy Policy describes how U Clipper ("the Extension") handles your data. We are committed to ensuring your privacy, security, and being completely transparent about how our tool operates.

The Core Principle: U Clipper is a privacy-first developer tool. Authentication is handled through ClickUp's official OAuth flow, with Supabase facilitating only the secure token exchange and handshake — no user data is stored on our servers. Once authenticated, all ClickUp API calls are made directly from your browser. Your workspace data, screenshots, and emails are never routed through any external server. We only collect anonymized, non-personal usage metrics to improve the extension.

1. Data Collection and Usage

To function seamlessly, the Extension interacts with the following types of data:

ClickUp Authentication (OAuth): U Clipper uses ClickUp's official OAuth 2.0 flow to authenticate your account. During this process, Supabase acts solely as a secure intermediary to facilitate the token exchange and complete the OAuth handshake with ClickUp. Once the handshake is complete, the resulting access token is stored locally on your device.
Webpage & Gmail Content: When you clip a webpage or extract a Gmail thread, U Clipper reads the page's title, URL, or email body to draft a task. This data is only sent to your designated ClickUp workspace when you click "Save."
Screenshots: When utilizing the canvas editor, your visible tab or full-page captures are processed entirely locally on your device before being uploaded directly to your ClickUp task as an attachment.
Time Tracking Data: The persistent background timer logs durations locally and syncs them exclusively to your targeted ClickUp tasks.
Usage Data and Analytics: To understand how our extension is used and to improve your experience, we collect anonymous usage data. We use Google Analytics to track general interactions with the extension, such as opening the popup, switching between tabs, using the screenshot editor, and successfully saving tasks. We do not track your general web browsing history, and we do not capture the specific content of the tasks, emails, or notes you save. The data sent to Google Analytics is strictly limited to feature interactions and is completely anonymized.

2. How Authentication Works

To keep the OAuth flow secure and compliant with ClickUp's standards, the following steps occur when you connect your account:

Step 1 — OAuth Redirect: You are redirected to ClickUp's official login and authorization page, where you grant U Clipper permission to access your workspace.
Step 2 — Token Exchange via Supabase: Supabase securely handles the server-side OAuth token exchange with ClickUp on behalf of the Extension. This is a one-time handshake required by ClickUp's OAuth protocol and does not involve the storage of your personal data on Supabase's infrastructure beyond what is necessary to complete the exchange.
Step 3 — Local Storage: The resulting access token is returned to your browser and stored locally on your device using Chrome's secure storage. All subsequent API calls to ClickUp are made directly from your browser using this locally stored token.

3. Local Storage

The Extension relies heavily on Chrome's secure local storage (chrome.storage.local) to provide a blazing-fast, cache-driven experience. We store the following data locally on your device:

OAuth Access Token: Your ClickUp OAuth access token, obtained after a successful authentication handshake, is safely stored in your browser's local storage.
Workspace Cache: Your ClickUp spaces, lists, and tasks are cached locally so dropdowns load instantly without laggy API calls.
Notepad Data: The persistent scratchpad auto-saves your notes directly to your local browser storage.

4. Permissions

U Clipper requests the following browser permissions. Each permission is used exclusively to power a specific feature — nothing more. We do not use any permission to collect, transmit, or store your data on external servers.

Permission	Why It Is Needed
`activeTab`	Reads the current tab's title and URL to auto-fill the task creation form, and detects Gmail pages to activate the email-to-task feature.
`storage`	Saves your OAuth token, workspace cache, timer state, user preferences, and notepad content locally on your device so the extension works across sessions without repeated logins.
`scripting`	Injects a script into the active Gmail tab to extract the open email's subject and body, which is then used to create a ClickUp task with the full email content attached.
`contextMenus`	Adds a right-click "Create ClickUp Task" option so you can instantly turn any selected text on any webpage into a ClickUp task without opening the popup.
`identity`	Launches ClickUp's official OAuth 2.0 authorization page and securely receives the auth code to complete the login flow — required to authenticate without embedding secrets in the extension.
Host Permission `<all_urls>`	Required so the extension's content script can run on any page for context menu task creation, Gmail detection, and web clipping — since the extension is designed to work on any website the user visits.

5. Data Sharing and Third Parties

We absolutely do not sell, trade, or share any of your information. Supabase is used exclusively as a technical facilitator for the OAuth handshake with ClickUp and does not receive, store, or process any of your personal workspace data, tasks, emails, or usage patterns. We use Google Analytics to collect anonymized usage data (such as which features are clicked) to improve the extension. After authentication, your personal workspace data flows only between your personal device and the official ClickUp servers.

6. Changes to This Policy

We may update this policy occasionally as new features are added. Any changes will be reflected by updating the "Effective Date" at the top of this page.

7. Contact

If you have any questions regarding this policy or the Extension's security practices, please contact the developer via our official support channels on the Chrome Web Store.