At a glance
- Guest mode (logged out): all data stays on your device in chrome.storage.local. Nothing is sent to our servers.
- Signed in: your notes, tasks, and highlights sync to your QuickAsk account so you can access them across browsers.
- AI features: only the content you explicitly choose to send — such as selected text, highlighted content, or a transcript/page summary you request — is sent to the AI provider you choose (ChatGPT, Gemini, or Claude). Nothing is sent in the background.
- Sensitive sites: the extension limits or disables content features on banking, crypto, cloud-admin, payment, and other sensitive domains by default.
- No advertising tracking: we do not use advertising SDKs, third-party trackers, or fingerprinting. If we use privacy-friendly analytics on our website or app, it will be described in this policy.
What we collect
2.1 When you are not signed in
Nothing leaves your browser. Highlights, notes, tasks, and preferences are stored locally
via chrome.storage.local. Clearing extension data or uninstalling removes them entirely.
2.2 When you sign in with Google
To create your QuickAsk account, we receive only what Google's standard sign-in returns to us:
- Email address
- Display name
- Profile picture URL
- Google account ID (subject identifier)
We do not request access to Gmail, Drive, Calendar, Contacts, or any other Google scope
beyond basic profile.
We may also store basic account metadata needed to operate the service, such as your account
creation date, current plan, subscription status, app settings, and login/session information.
2.3 Content you create inside the extension
Once signed in, the following — and only the following — is synced to our servers so it is
available across your devices:
- Notes you type into the QuickAsk side panel.
- Tasks (title, description, due date) you add to the to-do panel.
- Highlights you create with the highlight tool — selected text, optional note, page title, and page URL or page reference needed to help you find the highlight again.
- Preferences (whitelist/blacklist domains, theme, sync rate, language).
Sync traffic uses HTTPS and is authenticated using secure session mechanisms appropriate to the
web app and extension. We avoid storing sensitive authentication tokens in extension storage
unless required for the signed-in experience.
2.4 Minimal operational logs
Our backend writes server-side logs containing request timestamps, your user ID, resource IDs,
and technical metadata for debugging and abuse-prevention purposes. We design our logging to avoid
storing the body of your notes, highlights, or tasks. Logs are retained for up to 30 days.
What we do not collect
- We do not read, scan, or transmit page content in the background. We only access content that is necessary for a feature you explicitly use, such as selected text, highlighted content, or page/transcript content you choose to summarize.
- We do not collect your browsing history, tab list, search queries, or form inputs.
- We do not use cookies, local storage, fingerprinting, or any other technique to track you across sites.
- We do not embed third-party analytics SDKs (no Google Analytics, Mixpanel, Segment, Amplitude, etc.).
- We do not sell, rent, or share your data with advertisers or data brokers — ever.
Chrome permissions — why each is needed
Chrome may show you a list of permissions when you install or update the extension. The permissions
we request are used for specific product features and are not used for tracking.
| Permission | Why it is needed |
| --- | --- |
| storage | Persist your preferences, guest highlights, and offline cache via chrome.storage.local. |
| clipboardWrite | Copy selected text when you explicitly use a copy/paste-style action, or prepare text for insertion into the AI provider you choose. |
| tabs | Open or reuse a supported AI provider tab or popup window when you click "Ask AI" or choose an AI action. |
| scripting | Inject the highlight toolbar and "Ask AI" button into the current page when you select text. |
| sidePanel | Show the Notes / Tasks / Highlights panel on the side of the browser window. |
| windows | Open or reuse a supported AI provider tab or popup window in the right size and position on your screen when you click "Ask AI" or choose an AI action. |
| system.display | Read screen size so popup windows and floating UI elements can be positioned and sized appropriately on your screen. |
| alarms | Schedule periodic background sync and task-due reminders. |
| idle | Pause sync when your computer is idle to save bandwidth and battery. |
| host_permissions: http://*/*, https://*/* | Required because the extension needs to show QuickAsk UI and make highlights, the "Ask AI" toolbar, notes, tasks, and page-summary features available on pages where you choose to use QuickAsk AI. Content scripts may load on supported pages, but we do not read page content in the background; content is accessed only when needed for a feature you explicitly use. |
All permissions are used locally in your browser. None of them are used to track,
profile, or monetise you.
Automatic protection on sensitive sites
To minimise risk on pages where sensitive information may appear, the extension limits or disables
content features on a built-in list of sensitive domains. This includes:
- Banking and online-banking portals (Vietcombank, Techcombank, Wise, Revolut, …)
- Payment gateways (PayPal, Stripe, Adyen, Klarna, MoMo, ZaloPay, …)
- Cryptocurrency exchanges and wallets (Binance, Coinbase, MetaMask, Phantom, Ledger, …)
- Cloud and developer admin consoles (AWS, GCP, Azure, Cloudflare, GitHub, GitLab, Vercel, …)
- Stock-trading platforms (Robinhood, Fidelity, SSI, VNDirect, …)
- Localhost and private IPs by default
You can override this list at any time from the extension settings (whitelist / blacklist),
but the defaults err strongly on the side of safety.
AI provider integrations
QuickAsk does not run its own large language model for these direct-provider features. When you
click "Ask AI" or use the radial menu with content selected, the extension opens or reuses the
AI provider you have chosen and sends or inserts the content you selected into that provider's
interface:
Once your selected content is sent or inserted into one of those provider interfaces, the prompt
and any subsequent conversation are governed by that provider's privacy policy,
not ours. We do not proxy AI traffic through our servers and we do not see your prompts or AI
responses.
If available, the optional YouTube/video summary feature may read the public transcript or
visible transcript content of the video you are watching and send only the transcript text
to the AI provider you choose — only when you click the summary button.
Security
- Sync traffic uses HTTPS.
- Authentication uses secure session mechanisms such as HttpOnly cookies where applicable.
- We apply input validation and output escaping to reduce risks such as cross-site scripting.
- The extension is built on Chrome Manifest V3 and uses a Content Security Policy.
- For payment processing, if paid plans are available, we use third-party payment providers and do not store your full card number.
Your controls and rights
- Access & export. You can access your notes, tasks, and highlights in the extension or web app. If an export feature is available, you can download your data from the app; otherwise you may contact us to request a copy.
- Edit & delete. Every note, task, and highlight can be edited or deleted directly in the extension or web app. Deletions are reflected across synced devices and may remain in backups or soft-delete storage for a limited period as described below.
- Account deletion. Email vietanhbkaaa@gmail.com with the subject "Delete my account" from the email tied to your account. We will delete your active account data within 7 days, while limited backup or soft-deleted records may remain for a short period as described in the Data retention section below.
- Sign out. Sign out at any time from the extension menu — local data remains on your device until you clear it.
- Whitelist / blacklist. Choose which domains the extension may run on, including overriding the sensitive-site defaults.
- Uninstall. Uninstalling the extension removes all locally cached data immediately. Synced data on our servers can be removed via account deletion above.
If you are in the EU/UK, you also have GDPR rights of access, rectification, erasure, restriction,
portability, and objection — exercised through the same email address.
Data retention
- Account data (notes, tasks, highlights, preferences): kept for as long as your account exists, then deleted within 7 days of account deletion.
- Server logs: up to 30 days, then permanently deleted.
- Soft-deleted records (deleted by you): purged from our database within 30 days.
- Expired or revoked sessions: cleaned up regularly by automated jobs.
Children's privacy
QuickAsk AI is not directed to children under 13. If the laws of your jurisdiction require a
higher minimum age or parental consent for services like ours, you may use QuickAsk AI only
if you meet that requirement. We do not knowingly collect personal data from children who are
not allowed to use the service. If you believe a child has provided us with data, please
contact us and we will delete it.
Changes to this policy
If we make material changes, we will update the "Last updated" date at the top of this page and,
where appropriate, provide notice in the app, extension, or by email. We encourage you to
review this policy periodically.
Contact
Questions, concerns, or data-subject requests:
vietanhbkaaa@gmail.com
We aim to respond within 5 business days.