Privacy Policy for TimeOnChrome

Last Updated: June 14, 2026

TimeOnChrome is a browser extension for family-managed Chrome usage. It helps parents and guardians manage study, composite, rest, and restricted browsing, review website classification requests, view usage statistics, and diagnose sync or timing issues.

Prominent Disclosure: TimeOnChrome processes browsing usage metadata so it can provide its core family time-management features. This includes visited domains or configured site targets, usage start and end times, duration, current mode, website classification requests, device sync status, media usage metadata, diagnostic logs, and account/session data for optional cloud sync. Parents or guardians associated with a child profile can view and manage that profile's rules, device state, classification requests, usage statistics, and diagnostics.

TimeOnChrome does not sell user data, does not use user data for advertising, and does not share user data with data brokers or advertising platforms. It does not collect page body content, form input, private messages, comments, passwords, payment details, site cookies, Google OAuth tokens, or raw Chrome profile identity values.

1. User Consent And When Collection Starts

Installing and enabling TimeOnChrome means the extension may begin processing local browsing usage metadata that is required for its user-facing time-management, access-management, reminder, statistics, and diagnostic features. The Chrome Web Store listing and this Privacy Policy provide the disclosure before installation.

Cloud sync is optional and starts only after a parent or guardian signs in and binds a child terminal to a cloud profile. After cloud sync is enabled, selected configuration, usage, request, device, and diagnostic records are sent to the TimeOnChrome cloud service so the parent or guardian can manage the child profile from the cloud console.

Users can stop future local collection by disabling or uninstalling the extension. Parents or guardians can stop cloud sync for a terminal by unbinding the device in the cloud console. Clearing Chrome extension data removes local TimeOnChrome data from that Chrome profile, but it may also remove local binding state and require reconfiguration or recovery.

2. Data We Collect Or Process

TimeOnChrome collects or processes the minimum data needed to provide its user-facing functionality.

Data category	Examples	When collected	Purpose	Storage and sharing
Browsing and usage activity	Domain names, configured site targets, normalized website or YouTube playlist/video rules, usage start and end times, usage duration, current mode, and access-control result.	When Chrome tabs are used while the extension is enabled.	To calculate usage time, apply study/rest/composite rules, enforce quotas and schedules, and show usage analysis.	Stored locally in Chrome extension storage. If cloud sync is enabled, selected records may be uploaded to the TimeOnChrome cloud service and shown to the parent or guardian for the child profile.
Website classification requests	User-submitted website, domain, subdomain, URL, or canonical YouTube playlist/video URL; approval status; parent decision.	When a child submits a classification request or when a parent reviews it.	To let a child request classification of an unclassified website and let a parent approve, reject, or classify it.	Stored locally and, when cloud sync is enabled, in the cloud profile so the parent or guardian can review and decide the request.
Configuration data	Study/composite/restricted/blocked site lists, URL rules, quotas, mode time windows, logging policy, and import/export configuration.	When a parent or guardian configures TimeOnChrome locally or in the cloud console.	To provide access management, quota management, time-window control, and configuration backup/restore.	Stored locally and, when cloud sync is enabled, in the cloud profile. Exported configuration files are created only when the user chooses to export them.
Device and profile data	Parent account email, child profile name, device name, device ID, platform/browser label, device binding status, last sync/heartbeat time, and a non-reversible hash of the Chrome profile account identifier when available.	When a parent signs in, creates or selects a child profile, binds a terminal, or when a bound terminal sends heartbeat/sync/recovery requests.	To authenticate parent access, bind child terminals, sync configuration, show device connection status, and help recover a macOS or Windows child terminal binding after the extension is reinstalled.	Stored locally for the bound terminal and in the cloud account/profile. The raw Chrome profile account identifier is not stored; only a server-side keyed non-reversible hash is used for recovery matching.
Media usage metadata	Media usage class such as foreground/background audio or video, source domain or configured target, duration, and timing information.	When media playback state is observed while the extension is enabled.	To separate media usage from ordinary foreground web usage and show media statistics.	Stored locally. If cloud sync is enabled, selected media usage records may be uploaded for parent-visible usage analysis.
Diagnostic logs	Error codes, checkpoint health, ledger-gap status, mode-transition audit IDs, sync endpoint category, app version, request ID, and sanitized details.	When TimeOnChrome detects sync, timing, access, mode-switching, or recovery events that need troubleshooting.	To diagnose timing settlement, sync, mode switching, access control, and device connection problems.	Stored locally. Warning/error summaries may be uploaded if cloud diagnostics are enabled. Logs are sanitized and are not intended to contain passwords, tokens, full page content, form input, or raw Chrome identity.
Authentication and session data	Account access tokens, refresh tokens, device tokens, and token status.	When a parent signs in, a device is bound, a session is refreshed, or a bound terminal syncs.	To keep parent sessions and device bindings working securely. Passwords are not stored in reversible form by new clients.	Stored locally for session/device operation and stored server-side as token records or token hashes as needed. Tokens are not shared with third parties and are not shown in logs or UI.

3. Data We Do Not Collect

TimeOnChrome does not intentionally collect or store:

Page content, comments, private messages, form contents, or typed text.
Passwords or payment information from websites visited in Chrome.
Cookies from visited websites.
Advertising identifiers.
Personalized advertising data.
Google OAuth access tokens or raw Chrome profile identity values.

4. How We Use And Process Data

TimeOnChrome uses collected data only for the following product purposes:

Classifying websites and applying parent-defined access rules.
Measuring foreground web usage and media usage.
Applying study, composite, rest, locked, and paused modes.
Applying daily quotas and time-window restrictions.
Showing usage analysis, device status, and diagnostics to the parent or guardian.
Syncing configuration and usage data between a child terminal and the parent cloud console when cloud sync is enabled.
Diagnosing sync failures, timing settlement failures, and device connection problems.

TimeOnChrome does not use user data for advertising, user profiling for advertising, sale of data, creditworthiness, or unrelated analytics.

5. Local Storage And Cloud Storage

Local storage

The extension stores configuration, device binding state, usage ledgers, usage statistics, media statistics, and diagnostic logs in Chrome extension storage on the local device.

When Chrome profile identity is available, the extension may read the Chrome profile account identifier to support device binding recovery. The raw identifier is not stored in the cloud; the cloud service stores only a keyed, non-reversible hash for matching a previously bound macOS or Windows device.

Optional cloud sync

If cloud sync is enabled, TimeOnChrome transmits selected configuration, usage, media, device, request, and diagnostic records to the TimeOnChrome cloud service so a parent can review and manage the child profile from the cloud console.

The cloud service is hosted on Cloudflare infrastructure, including Cloudflare Workers and Cloudflare D1. Cloudflare acts as an infrastructure service provider for hosting, database, and network delivery.

Retention

Configuration, profile, device, usage, and request data are retained while the parent account/profile is active or until the user deletes or replaces the relevant data. Diagnostic logs and device access audit records may be kept on a limited rolling basis for troubleshooting and abuse prevention.

Parents or guardians can delete or replace configuration through the product UI, unbind devices, export or import configuration, and request deletion by using the support channel listed on the Chrome Web Store item or project repository. Local Chrome extension data can also be removed by clearing extension data or uninstalling the extension from the Chrome profile.

6. Data Sharing

TimeOnChrome does not sell, rent, or trade user data. TimeOnChrome does not share user data with advertising networks, data brokers, or information resellers.

User data may be shared only in these limited situations:

Service providers: Cloudflare provides hosting, compute, database, and network infrastructure for the optional cloud sync service.
Parent/guardian access: The parent or guardian account associated with a child profile can view configuration, device status, usage statistics, classification requests, and diagnostics for that profile.
Legal or security reasons: Data may be used or disclosed if required by law, to protect against abuse, or to protect the security of users and the service.
User-directed export/import: A parent may export configuration or backup data and later import it. The user controls where exported files are stored or shared.

7. Human Access To User Data

TimeOnChrome is designed so ordinary product operation is automated. Human access to user data is limited to cases where it is necessary for support requested by the user, security investigation, abuse prevention, legal compliance, or operation of the service.

8. Incognito Handling

In incognito windows, TimeOnChrome may briefly read the current URL or domain at runtime to apply existing access rules. For unclassified, unmanaged, or fallback incognito browsing, persistent records are sanitized before durable local storage or cloud upload so the real domain, URL, title, YouTube resource, and media source are not saved. Approved or explicitly configured managed targets may still be attributed to their configured target where needed to enforce parent-defined rules.

9. Security

Cloud communication uses HTTPS.
Device sync uses device tokens; parent account sessions use account and refresh tokens.
Chrome profile identity, when used for device recovery, is converted to a keyed non-reversible hash before cloud storage. TimeOnChrome does not use Google OAuth access tokens for this feature.
New clients do not store reversible account passwords locally.
Diagnostic logs are sanitized and are not intended to store passwords, tokens, cookies, or full private page content.

10. Chrome Permissions

TimeOnChrome requests the following Chrome permissions for its core features:

<all_urls>: Needed to observe the current website, apply access-management rules, show reminders, and calculate usage time across arbitrary browsing destinations.
tabs: Needed to identify the active tab, URL, window, and tab lifecycle for time accounting and access decisions.
storage: Needed to store local configuration, device binding, usage ledgers, statistics, and diagnostics.
alarms: Needed for periodic checkpoint, sync, and maintenance tasks.
declarativeNetRequest: Needed for access-management support.
webNavigation: Needed to observe navigation boundaries relevant to access management and time accounting.
idle: Needed to pause or adjust timing when Chrome/user activity is inactive.
notifications: Needed to show reminders or fallback notices when in-page notices are unavailable.
identity / identity.email: Needed to read the Chrome profile account identifier via chrome.identity.getProfileUserInfo() so a macOS or Windows child terminal can recover its existing device binding after extension reinstall. TimeOnChrome does not call chrome.identity.getAuthToken(), does not request OAuth scopes, and does not store Google OAuth tokens.

TimeOnChrome does not request the scripting, management, or declarativeNetRequestFeedback permissions.

11. User Controls

Users can disable or remove the extension from Chrome.
Parents can edit website rules, quotas, time windows, and child profile settings.
Parents can unbind devices from the cloud console.
Parents can delete or replace profile configuration and request deletion through the support channel.
Parents can export and import configuration data.
Users can clear local extension data through Chrome, but doing so may remove local binding and configuration state.

12. Limited Use Statement

The use of information received from Google APIs will adhere to the Chrome Web Store User Data Policy, including the Limited Use requirements.

13. Changes To This Policy

We may update this Privacy Policy from time to time. The updated policy will be posted at the privacy policy URL provided in the Chrome Web Store Developer Dashboard and may also be included in the extension package.

14. Contact

If you have questions about this Privacy Policy, please contact the developer through the support channel listed on the Chrome Web Store item or the project's repository.