Privacy – Cabeza

**Privacy Policy — Cabeza Chrome Extension**
*Last updated: April 14, 2026*

**What Cabeza does:**
Cabeza is a Chrome extension that captures your AI conversations on ChatGPT (chatgpt.com), Claude (claude.ai), and Gemini (gemini.google.com) and stores them as markdown files in your own Google Drive or Dropbox account.

**What we collect:**
Nothing. Cabeza has no backend server, no database, and no analytics. Your conversation data flows directly between your browser and your chosen storage provider (Google Drive or Dropbox). We never see, store, process, or have access to your conversations.

**Where your data is stored:**
Your data is stored exclusively in your own Google Drive or Dropbox account, in a folder called “Cabeza.” You own it. You can read, edit, move, or delete it at any time using Drive or Dropbox directly.

**Local processing:**
Cabeza uses on-device machine learning models (via Transformers.js) for semantic search and weekly digest summarization. These models run entirely in your browser — no data is sent to any server for processing. Model weights are downloaded from HuggingFace on first use and cached locally in your browser.

**OAuth and authentication:**
Cabeza uses Google’s OAuth 2.0 and Dropbox’s OAuth 2.0 (with PKCE) to connect to your storage accounts. OAuth tokens are encrypted with AES-GCM and stored locally in Chrome’s extension storage. Tokens are never transmitted to any Cabeza server.

**Optional API keys:**
Users may optionally provide their own Anthropic, OpenAI, or Gemini API key for enhanced weekly digest quality. These keys are encrypted and stored locally. They are used to make API calls directly from your browser to the respective provider — never routed through Cabeza infrastructure.

**License validation:**
If you purchase an unlock key, license validation is performed via Lemon Squeezy’s API directly from your browser. The only data sent is the license key itself.

**Third-party services:**
– Google Drive API (googleapis.com) — if you choose Drive as your storage provider
– Dropbox API (dropboxapi.com) — if you choose Dropbox as your storage provider
– HuggingFace (huggingface.co) — one-time ML model data download
– Lemon Squeezy (lemonsqueezy.com) — license key validation (optional)

**Data deletion:**
Uninstall the extension to stop all activity. Your conversation files remain in your Drive/Dropbox — delete the “Cabeza” folder to remove them. No data persists on any Cabeza server because no such server exists.

**Children’s privacy:**
Cabeza is not directed at children under 13 and does not knowingly collect information from children.

**Changes to this policy:**
We may update this policy from time to time. The latest version will always be available at cabeza.cc/privacy.

**Contact:**
Questions? Email [email protected]