Privacy Policy

Last updated: March 2026

1. Overview

Scroll ("the Extension") is a browser extension that helps you navigate, search, and manage conversations across AI chat interfaces (ChatGPT, Claude, and Gemini). It is operated by Asker Kurt-Elli, trading as Scroll, based in Australia.

This Privacy Policy explains what data we collect, how we handle and store it, who we share it with, and your rights. It applies to the browser extension and the associated cloud services at tryscroll.app.

2. Data We Collect

Automatic Local Data Collection

When you visit a supported AI chat page (ChatGPT, Claude, or Gemini), the Extension automatically reads the conversation content available on the page. For Claude and Gemini, this is read from the visible page content. For ChatGPT, the Extension also intercepts ChatGPT's internal API responses to capture the full conversation reliably. This includes:

  • The full text of every user prompt and AI response in the chat
  • Chat identifiers extracted from the page URL
  • Chat titles from the page
  • The order and timestamps of messages
  • The URL of the chat page

This happens automatically whenever you are on a supported page, without requiring you to click or interact with Scroll. The data is read from the page and stored locally in your browser's IndexedDB database. No data leaves your device unless you opt in to cloud sync by creating an account and bookmarking a conversation.

The Extension also stores locally: search indexes built from your conversation content (for local search), preference settings, and onboarding state.

Account Data (if you create an account)

If you create an account and bookmark conversations, the following additional data is collected and stored in our cloud database:

  • Account information: Email address and hashed password (via Supabase Auth)
  • Bookmarked conversations: Full chat transcripts (all user prompts and AI responses), chat titles, URLs, provider name, and timestamps
  • AI-generated enrichment: When you bookmark a conversation, we automatically generate summaries, topic tags, suggested questions, and a project name using AI (see Section 5 for details)
  • Embedding vectors: Mathematical representations of your conversation content, used to power semantic search
  • Usage data: Daily count of AI-powered questions asked and cloud bookmark count (for plan limits)
  • Subscription data: Plan type and billing period (managed by Stripe)

Data We Do NOT Collect

  • We do not read or store your AI provider credentials (ChatGPT, Claude, Gemini passwords)
  • We do not collect phone numbers. The Extension uses the Supabase authentication SDK, which includes phone number authentication as one of many built-in SDK capabilities. We only use Supabase for email and password authentication. No phone number is ever requested, stored, or transmitted by Scroll.
  • We do not track your browsing history
  • We do not collect analytics or telemetry
  • We do not sell any data to third parties

3. How We Handle Your Data

We process your data for the following purposes:

  • Local navigation and search: Conversation content is indexed locally to power the command palette search, sidebar navigation, and turn-by-turn scrolling. This processing happens entirely on your device.
  • Cloud sync: When you bookmark a conversation, its full content is synced to our cloud database so you can access it across browsers. Sync runs automatically in the background for bookmarked content, with multi-tab coordination to prevent duplicate operations.
  • AI enrichment: When you bookmark a conversation, excerpts of its content are sent to an AI model to generate a summary, topic tags, and suggested questions. This runs automatically and the results are stored alongside your bookmark.
  • Semantic search: When you search your library, your search query is converted to a mathematical vector and compared against vectors generated from your bookmarked conversation content.
  • Ask features: When you ask a question about a bookmark or across your library, relevant conversation excerpts and your question are sent to an AI model to generate an answer.
  • Subscription management: Your email and plan information are used to manage your account and enforce usage limits.
  • Storage management: Unbookmarked conversations are subject to automatic cleanup to stay within local storage limits. Bookmarked conversations are exempt from cleanup.

4. How We Store Your Data

Your data is stored in the following locations:

Local storage (on your device)

  • IndexedDB: All conversation content (both bookmarked and unbookmarked) is stored in your browser's IndexedDB database, managed by the Extension's service worker. This database is accessible only to the Extension.
  • Chrome extension storage: Authentication session tokens, sync timestamps, and preference settings are stored in Chrome's extension storage API.

Cloud storage (if you create an account)

  • Supabase (hosted in the EU): Account data, bookmarked conversation transcripts, AI enrichment results, embedding vectors, and usage counters are stored in a PostgreSQL database hosted by Supabase in the European Union.
  • Stripe (for premium subscribers): Payment card details are handled entirely by Stripe and are never stored by Scroll. Only your plan type and billing period are stored in our database.

Local data is subject to a storage cap. When limits are approached, the oldest unbookmarked conversations are automatically removed. Bookmarked conversations are never automatically deleted.

5. How We Share Your Data

We share your data with the following third-party services, only as described below. We do not sell your data to any third party.

OpenAI (United States)

Your conversation content is sent to OpenAI's API in the following situations, all of which require you to have an account:

  • Chat enrichment (automatic when you bookmark): Excerpts from your bookmarked conversations (first 10 turns, with prompts truncated to 300 characters and responses to 500 characters) are sent to OpenAI to generate summaries, topic tags, and suggested questions.
  • Embedding generation (automatic when you bookmark): The text of each turn (truncated to 6,000 characters) is sent to OpenAI to generate search vectors for semantic search.
  • Semantic search queries: When you search your library, your search query text is sent to OpenAI to generate a query vector.
  • Ask Bookmark: When you ask a question about a specific bookmark, the full chat transcript and your question are sent to OpenAI to generate an answer.
  • Ask Library: When you ask a question across your library, your question and relevant retrieved excerpts are sent to OpenAI to generate an answer.

OpenAI's API data usage policy states that API inputs are not used for model training. See: OpenAI's API data usage policy.

All data sent to OpenAI is routed through our Supabase Edge Functions (server-side). The Extension never sends data directly to OpenAI from your browser.

Supabase (European Union)

Database hosting, authentication, and serverless edge functions. All bookmarked conversation data, user accounts, and AI processing are managed through Supabase infrastructure hosted in the EU.

Stripe (United States)

Payment processing for premium subscriptions. Scroll shares your email address with Stripe to create a checkout session. Stripe handles all payment card data directly; Scroll never receives or stores card numbers.

We do not share your data with any other third parties.

6. Browser Permissions

The Extension requests the following browser permissions:

  • storage: Used to store authentication tokens and user preferences in Chrome's extension storage API.
  • tabs: Used for cross-tab communication (e.g., coordinating sync across multiple open tabs) and navigating to conversation URLs from search results.

The Extension also requests access to the following websites:

  • chatgpt.com: To read and index ChatGPT conversations.
  • claude.ai: To read and index Claude conversations.
  • gemini.google.com: To read and index Gemini conversations.
  • Our Supabase endpoint: To communicate with cloud services for sync, search, and AI features.

The command palette shortcut is available on all pages, but conversation reading only activates on the three supported AI chat providers listed above.

7. Cookies and Similar Technologies

The Extension does not use cookies. It uses the following browser storage mechanisms:

  • Chrome extension storage: Stores authentication session tokens, sync timestamps, and the last signed-in user ID.
  • IndexedDB: Stores conversation data as described in Section 4.

No third-party tracking scripts, analytics, or advertising trackers are included in the Extension.

8. Data Retention

Local data is retained on your device until you uninstall the Extension or clear your browser data. You can clear local data at any time using the /wipe command within the Extension. Unbookmarked conversations may be automatically removed by the Extension's storage management to stay within storage limits (oldest conversations are removed first).

Cloud-synced data is retained as long as your account is active. Upon account deletion, all cloud data — including conversation transcripts, enrichment data, embedding vectors, and usage history — is permanently removed within 30 days. Local data remains on your device and is unaffected by account deletion.

9. International Data Transfers

If you create an account, your data may be transferred internationally:

  • Your bookmarked conversation data is stored by Supabase in the European Union.
  • When AI features are used (enrichment, search, Ask), conversation excerpts and queries are processed by OpenAI, whose servers are located in the United States. This transfer is necessary to provide the AI-powered features you have opted in to by bookmarking a conversation or using the Ask feature.
  • Payment processing by Stripe may involve servers in the United States.

For users in the European Economic Area and the United Kingdom, these transfers rely on Standard Contractual Clauses (SCCs) adopted by the European Commission, as incorporated into our agreements with OpenAI and Stripe, and on the necessity to perform the contract for subscription services.

10. Your Rights

  • Access: View your data through the Extension or account page
  • Export: Export your conversations in multiple formats
  • Delete: Delete your account and all associated cloud data
  • Local only: Use the Extension without an account for fully local-only operation

Legal basis for processing (EEA and UK users)

  • Consent: Cloud sync, AI enrichment, and Ask features are opt-in. You choose to create an account and bookmark conversations. You can withdraw consent by unbookmarking conversations or deleting your account.
  • Legitimate interest: Local data processing (reading conversations from the page and storing them in your browser) is based on our legitimate interest in providing the core functionality of the Extension that you installed. You can disable this by uninstalling the Extension.
  • Contract: Processing related to account management and subscription billing is necessary to perform our contract with you.

If you are located in the European Economic Area or the United Kingdom, you have additional rights under GDPR including the right to access, rectification, erasure, and data portability. You may also lodge a complaint with your local data protection authority. For UK residents, this is the Information Commissioner's Office (ICO). To exercise these rights, contact privacy@tryscroll.app.

11. Children

Scroll is intended for users aged 16 and older. We do not knowingly collect data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us and we will delete it.

12. Security

All cloud communications use HTTPS/TLS encryption in transit. Authentication tokens are stored securely within Chrome's extension storage API, which is isolated from web pages. Passwords are hashed by Supabase Auth and are never stored in plaintext.

Local conversation data in IndexedDB is accessible only to the Extension and is isolated from web page JavaScript by Chrome's extension security model.

Cloud data is protected by Supabase's infrastructure security, including encryption at rest, row-level security policies that ensure users can only access their own data, and token-based authentication for all API requests.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email at least 14 days before they take effect. Changes will also be posted on this page with an updated date.

14. Contact

For privacy-related questions or data requests, contact us at privacy@tryscroll.app.

Data Controller: Asker Kurt-Elli, trading as Scroll, Australia.

14 sections Esc close