Pinako is a browser extension for organizing tabs. The free version runs entirely on your computer. Paid tiers add cloud sync, library sharing, and AI features, all of which require an account and store data on our servers.
This page explains what data we handle, why, and what choices you have.
At a glance
- The free extension keeps everything local. No account, no cloud, no analytics.
- Pro tiers store your tree, libraries, notes, and account in Supabase so you can sync across devices and use the web portal.
- Card payments are handled by Stripe. We never see card numbers.
- AI Search sends the relevant context plus your query to xAI's Grok API. The Pinako AI Bridge runs only on your computer.
- We do not sell your data, read the contents of pages you visit, or use anything you store in Pinako to train AI models.
Permissions Pinako requests
Chromium browsers ask you to approve permissions before installing any extension. Here is what each one does in Pinako and why we need it.
| Permission | What we use it for |
|---|---|
| tabs, tabGroups, sessions | Read and arrange your open tabs and tab groups; restore recently closed tabs. |
| bookmarks | Two-way sync between Pinako and your browser's bookmark manager. |
| storage, alarms | Save your tree, settings, and scheduled snapshots in your browser's local storage. |
| contextMenus | Right-click actions inside Pinako and on web pages. |
| clipboardWrite | Copy URLs and exported data to your clipboard. |
| downloads | Export your tree as JSON or HTML. |
| favicon | Show the small site icons next to each tab. |
| nativeMessaging | Talk to the Pinako AI Bridge desktop app (Pro only). |
| identity | OAuth sign-in for a Pro account. |
If you choose to enable Pinako in incognito mode (a toggle in your browser's extension settings), private tabs appear in your tree alongside normal ones. Incognito tabs are excluded from cloud sync.
Pinako can also display tabs from your signed-in mobile devices via Chrome's built-in browser sync. This relies on the chrome.sessions browser API: Pinako reads from Chrome's local cache of your sync data. We never make any server call to fetch your phone's tabs, and we do not store mobile tab data on our servers.
The free extension
If you don't sign in, Pinako never sends your data anywhere. Everything you see in the extension (your tree, bookmarks, memos, tags, snapshots, theme, and settings) lives in your browser's local storage on your machine. If you've enabled Pinako in incognito mode, those tabs show up in your tree as well, but they stay local.
To wipe local data, uninstall the extension or use the in-app reset.
Pro tiers and cloud sync
Signing in to a Pro account stores additional data in our backend (Supabase, hosted in Oregon, USA):
- Your account: email and OAuth provider ID, or email and a hashed password
- Your subscription: tier, billing period, and the Stripe customer ID
- Your synced trees: groups, windows, tabs, memos, tags, and library structure
- Your notes: rich-text content attached to a tree or library
- Device identifiers and version numbers used to sync changes across devices
Sync runs both ways between the extension and the pinako.pro web portal. Incognito tabs are not synced.
Payments
Stripe processes all subscription payments. Card numbers, expiry dates, and CVCs go directly to Stripe and never touch our servers. We store the Stripe customer ID and the metadata Stripe sends back through webhooks (tier, billing period, status). See stripe.com/privacy for Stripe's policy.
AI features
AI Search (Pro tier 1 and above) lets you query your tree with natural language. When you run a search, the relevant tree, library, or bookmark context plus your query is sent through our backend to xAI's Grok API. We log the number of tokens used for credit metering, not the content of your queries or results. xAI's policy: x.ai/legal/privacy-policy. We do not grant xAI rights to train models on your data, and we do not train any models ourselves.
Pinako AI Bridge (Pro tier 1 and above) is a small desktop app that exposes your tree to AI clients on your own computer (Claude Code, Cursor, and similar) over a local server at localhost:37421. All bridge traffic is local. Nothing is sent to Pinako or any third party.
WebMCP uses Chrome's in-browser model context API. Same story: local only.
Sharing libraries
When you share a library with someone, we store the recipient's email so you can manage and revoke access. They can see only the library you shared, at the access level you chose.
Optional cloud backups
Pinako lets you back up your tree to third-party services if you choose. When you do, your data is uploaded directly from the extension to the service you selected. Pinako never uploads to any of these automatically. Each service has its own privacy policy.
- Google Drive and Dropbox — private cloud storage in your own account, accessed via OAuth. Pinako only sees the files it creates.
- Arweave — a public blockchain. Anything you upload is permanent and publicly readable. Use only for backups you would be comfortable making public.
- Lighthouse and Filebase — IPFS storage. Files uploaded to IPFS are addressed by content hash and may be retrievable by anyone who has the hash.
What we don't collect
No analytics, telemetry, or tracking pixels. No third-party ad networks. No reading or parsing of page content (only tab metadata: title, URL, and favicon). No browsing history beyond the tabs you choose to organize. We do not sell or rent personal data to anyone.
Cookies
The pinako.pro site uses first-party cookies for authentication and the Stripe checkout flow. No tracking cookies.
Keeping or removing your data
Free users: uninstall or use the in-app reset to remove all local data.
Pro users: delete your account from the web portal. We remove your synced data within 30 days. Stripe retains billing records as required by tax and accounting law.
You can export your tree to JSON or HTML at any time from the extension.
International transfers
Our servers are in Oregon, USA. If you sign up from outside the US, your data is transferred and stored there. The same applies to data processed by Stripe and xAI.
Your rights
If you're in a jurisdiction with data protection laws (GDPR, CCPA, and similar), you have the right to access, correct, delete, and export your data. Most of these are self-serve in the extension or web portal. For anything else, email us.
Children's privacy
Pinako is not directed at children under 13 (or under 16 in the EEA). We do not knowingly collect data from children. If you believe a child has signed up, contact us at [email protected] and we'll delete the account.
Security
Cloud data is stored with row-level security so users can only access their own rows. All transit is over HTTPS. No system is perfectly secure, but we work to keep yours safe.
Changes
If we change this policy in a way that affects you, we'll bump the effective date at the top and post a notice in the extension.
Contact
Questions about this policy: [email protected]