Privacy Policy
Your privacy is fundamental to how KopyFeed is built. This policy explains exactly what data we collect, how we use it, and how you control it.
Last updated: February 21, 2026
Overview
KopyFeed.com ("KopyFeed," "we," "our," or "us") operates a browser extension and web application that captures, organizes, and enriches clipboard content using artificial intelligence. This Privacy Policy describes how we collect, use, store, and protect your information.
Our core privacy principle is local-first. On the free tier, all your data stays on your device and never leaves your browser. Cloud features are only available to paid subscribers who explicitly opt in. We do not sell your data, and we do not use it for advertising.
This policy is effective as of February 21, 2026. By using KopyFeed, you acknowledge that you have read and understood this policy. If you do not agree, please uninstall the extension and stop using the web application.
Information We Collect
Automatically Captured Content
When you copy or cut content in your browser, the KopyFeed extension captures the following:
- Clipboard content — the text, code, URL, or image you copied
- Source URL — the web page where the copy event occurred
- Timestamp — when the content was captured
- Content type — whether the content is text, code, an image, or a URL
The extension also detects programmatic clipboard writes (e.g., when a website's "Copy to Clipboard" button is used). This ensures comprehensive capture regardless of how content reaches your clipboard.
Important: KopyFeed only captures clipboard events within your browser. It does not monitor your system clipboard, read files on your computer, or capture content from other applications.
Account Information
If you create an account (required for paid tiers), we collect:
- Email address and name — provided via Google OAuth or email/password registration through our authentication provider, Clerk
- Account identifier — a unique ID assigned by Clerk
Payment Information
If you subscribe to a paid tier (Advanced or Pro), payment is processed entirely by Stripe. We store:
- Stripe customer ID — to link your subscription to your account
- Subscription status — active, canceled, or past due
We never receive, process, or store your credit card number, CVV, or billing address. All payment card data is handled exclusively by Stripe under their privacy policy.
Usage Metrics
For paid-tier users, we track AI feature usage to enforce monthly quotas:
- Count of each AI feature used per calendar month (summaries, categorizations, image descriptions, etc.)
- Total AI tokens consumed
- Timestamp of last AI request (for rate limiting)
This data is used solely for quota management and is deleted when you delete your account.
Local Storage (Your Device)
KopyFeed stores your data locally using your browser's IndexedDB database. This includes:
- All captured clips (text, code, URLs, images)
- Content hashes for deduplication
- Custom feeds, feed groups, and layout preferences
- Comments and notes you add to clips
- AI-generated metadata (categories, summaries, tags)
- Feed summaries and processing queues
- Sync status for cloud backup
Your local database is isolated per user account. If you sign in with different accounts, each has a completely separate database. Anonymous (free-tier) usage has its own isolated database.
Local data is managed entirely by your browser and encrypted at the operating system level. For free-tier users, this data never leaves your device. We cannot access, read, or retrieve your local data.
Cloud Storage (Paid Tiers Only)
Cloud storage is available only to Advanced ($6.99/month) and Pro ($11.99/month) subscribers. When enabled, the following data is synced to our cloud database powered by Convex:
- Clips with AI-generated metadata (categories, summaries, tags)
- Custom feeds, feed groups, and layout configuration
- Comments and notes
- User settings and preferences
- AI usage quotas
All cloud data is strictly isolated per user. Every database query is scoped to your account — it is architecturally impossible for one user to access another user's data. Data is encrypted in transit using HTTPS/TLS.
AI Data Processing
KopyFeed uses AI to enhance your content with summaries, categories, image descriptions, and more. AI processing works differently depending on your tier:
Free Tier (Local AI Only)
The free tier uses algorithmic categorization that runs entirely on your device in under 10 milliseconds. This assigns categories and tags using pattern matching — no data is sent to any external service.
Paid Tiers (Cloud AI)
Advanced and Pro subscribers can use cloud AI features. When you use these features, the following data may be sent to AI providers:
- Clip content (text, code snippets, URLs)
- Source URL context
- Images (compressed, base64-encoded)
- YouTube video URLs for analysis
- Web page content for link analysis
Data that is NEVER sent to AI providers:
- Content flagged as sensitive (see Sensitive Content Protection)
- Your authentication credentials or tokens
- Payment information
- Your IndexedDB database contents in bulk
AI Service Providers
We use the following AI providers:
- Google Gemini 2.5 Flash — for summarization, categorization, YouTube analysis, link analysis, and Kopy AI assistant responses (direct API)
AI providers process your data according to their respective privacy policies. We do not grant them rights to use your content for model training.
Sensitive Content Protection
KopyFeed automatically detects sensitive content in your clipboard using local pattern matching. The following types are detected entirely on your device:
- API keys and tokens (sk_, pk_, api_, key_, token_ prefixes)
- AWS access keys (AKIA format)
- Private keys (PEM-encoded)
- Credit card numbers
- Social Security numbers
- GitHub, GitLab, Slack, Google Cloud, and npm tokens
- Database connection strings (MongoDB, PostgreSQL, MySQL, Redis)
- High-entropy password-like strings
When sensitive content is detected:
- It is masked in the display (partial redaction)
- It auto-expires after 10 minutes
- It is never uploaded to cloud storage
- It is never sent to AI services for processing
Browser Extension Permissions
The KopyFeed Chrome extension requests the following permissions. Each is used solely for the stated purpose:
| Permission | Why We Need It |
|---|---|
clipboardRead | Core functionality — reading clipboard content when you copy |
storage | Storing your settings and preferences locally |
cookies | Managing your authentication session with Clerk |
activeTab | Detecting the source URL of the page where you copied content |
scripting | Injecting content scripts that capture clipboard events |
sidePanel | Displaying the KopyFeed side panel interface |
notifications | Alerting you when AI processing completes |
contextMenus | Adding a right-click menu option for manual capture |
offscreen | Required by Chrome Manifest V3 for clipboard operations |
alarms | Scheduling background tasks (sync, cleanup, retry queues) |
Host Permissions
The extension connects to these domains:
- kopyfeed.com — our web application
- *.convex.cloud — our cloud database (Convex)
- *.clerk.accounts.dev — authentication (Clerk)
Content Scripts
Content scripts run on all web pages you visit, but only to capture clipboard events (copy and cut). These scripts do not read page content, track your browsing, inject advertisements, or modify web pages in any way.
Third-Party Services
We use the following third-party services to operate KopyFeed. Each processes data only as needed to provide its specific function:
| Service | Purpose | Data Shared |
|---|---|---|
| Clerk | Authentication | Email, name, OAuth profile |
| Convex | Cloud database | Clips, settings, usage (paid tiers only) |
| Stripe | Payment processing | Email, subscription status (card data stays with Stripe) |
| Google (Gemini) | AI processing | Clip content, images (never sensitive data) |
| Cloudflare | Web hosting & CDN | Standard web traffic |
We also use public oEmbed APIs from YouTube, X (Twitter), TikTok, Spotify, Reddit, GitHub, Bluesky, and Vimeo to fetch publicly available metadata (titles, thumbnails, author names) for URLs you copy. These requests contain only the URL and do not require authentication.
Cookies & Tracking
KopyFeed uses minimal cookies, exclusively for authentication:
- Clerk session cookies — to maintain your signed-in state across the web application
We do not use:
- Advertising or marketing cookies
- Analytics tracking cookies or pixels
- Cross-site tracking of any kind
- Fingerprinting or device identification
The browser extension stores settings using chrome.storage.local, which is an extension-specific storage API separate from browser cookies.
International Data Transfers
KopyFeed.com is operated from the European Union (Czech Republic). Our cloud infrastructure and AI providers may process data in the United States and other countries. These transfers are protected by:
- Service providers' standard contractual clauses (SCCs) and data processing agreements
- Encryption in transit (HTTPS/TLS) for all data transfers
- Provider certifications and compliance frameworks
Free-tier users: No data transfers occur. All your data stays on your device, in your browser's local storage.
Your Rights Under GDPR
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation:
- Right to access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate personal data
- Right to erasure — request deletion of your personal data (account deletion cascades to all stored data)
- Right to data portability — receive your data in a structured, machine-readable format
- Right to restrict processing — request that we limit how we process your data
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — at any time, without affecting the lawfulness of prior processing
To exercise any of these rights, contact us at support@kopyfeed.com. We will respond within 30 days.
You also have the right to lodge a complaint with your local data protection supervisory authority.
Legal basis for processing: We process your data based on (a) contractual necessity — to provide the KopyFeed service, (b) legitimate interests — to improve and secure the service, and (c) consent — for optional cloud AI features that you explicitly enable.
Your Rights Under CCPA
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with the following rights:
- Right to know — what personal information we collect, use, and disclose
- Right to delete — request deletion of your personal information
- Right to opt-out of sale — we do not sell your personal information to third parties
- Right to non-discrimination — exercising your privacy rights will not affect your service quality or pricing
You or your authorized agent may submit a request by contacting us at support@kopyfeed.com. We verify your identity through your Clerk account email before processing requests.
Categories of personal information collected: Identifiers (email, name), internet activity (clipboard content, source URLs), commercial information (subscription status). We do not collect biometric data, geolocation, or protected characteristics.
Data Retention
| Data Type | Retention Period |
|---|---|
| Local data (IndexedDB) | Entirely user-controlled — no forced deletion |
| Cloud clips | User-configurable auto-delete (7, 14, 30, or 90 days) with a 30-day default cleanup |
| Sensitive content | 10 minutes (automatic expiry, never synced to cloud) |
| AI usage records | Deleted when you delete your account |
| Account data | Until you delete your account |
Account deletion is immediate and cascades across all cloud data: clips, feeds, feed groups, comments, settings, AI usage records, subscriptions, sync state, and any other associated data. Your local data in IndexedDB is not affected by account deletion — you control it independently through your browser.
Data Security
We implement multiple layers of security to protect your data:
- Encryption in transit — all data transfers use HTTPS/TLS. HTTP Strict Transport Security (HSTS) is enabled.
- Content Security Policy — strict CSP headers prevent unauthorized code execution on our web application.
- Per-user database isolation — both locally (separate IndexedDB per user) and in the cloud (user-scoped queries).
- Content hashing — SHA-256 hashing for deduplication, preventing data corruption.
- Rate limiting — 500ms minimum between clipboard captures to prevent abuse.
- Origin validation — the extension only communicates with whitelisted domains (kopyfeed.com, localhost for development).
- Session nonce — cryptographic nonce prevents replay attacks on extension-to-web-app communication.
- Webhook verification — all incoming webhooks (Clerk, Stripe) are verified using cryptographic signatures.
While we take reasonable measures to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
Children's Privacy
KopyFeed is not intended for use by children under the age of 13 (or 16 in the European Union). We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under the applicable age, we will promptly delete that information. If you believe a child has provided us with personal data, please contact us at support@kopyfeed.com.
Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify registered users via email. The updated policy will be posted at this URL with a new "Last updated" date. Continued use of KopyFeed after notification constitutes acceptance of the updated policy.
Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us:
- Email: support@kopyfeed.com
- Contact page: kopyfeed.com/contact
For GDPR-related requests, we aim to respond within 30 days. For CCPA-related requests, we aim to respond within 45 days as required by law.