We don’t collect your data.

Summary

SaveSync is a personal bookmark backup tool. It comes in three pieces — a Chrome extension, an iOS app, and this web uploader. None of them sell, share, or look at your data. The Chrome extension transmits nothing off your device. The iOS app and the web uploader store your bookmarks in a Supabase project owned by you, accessible only via your Sign in with Apple identity.

Chrome extension — SaveSync Bookmarks

What the extension does

The extension reads bookmark / saved-post pages on x.com, twitter.com, xiaohongshu.com, rednote.com, and youtube.com that you are already viewing while logged in. When you click Export, it bundles those bookmarks into a single JSON file and saves it to your computer’s Downloads folder. That’s the entire feature surface.

What data the extension collects

None. Nothing leaves your browser. No analytics, no telemetry, no remote logging, no user accounts, no third-party SDKs.

What data the extension transmits

None. The exported JSON is written to disk only. Sending it anywhere (e.g. uploading it to the SaveSync web uploader) is a separate, deliberate action you take afterward.

Permission justifications

• scripting — injects the bookmark-reading script into the bookmark page on the five supported sites only.
• downloads — saves the resulting JSON file to your local Downloads folder.
• tabs — reads the URL of the active tab to know which platform’s scraper to run.
• storage — stores your local UI preferences (e.g. last-used export options). Stays on your device.
• host_permissions — limited to the five sites whose bookmarks the extension can export. The extension never touches any other site.

Logins, cookies, passwords

The extension does not request the cookiesChrome permission and never asks for your account passwords. It runs inside the page you are already viewing, using the same credentials your browser already has open.

For X / Twitter specifically, the extension reads thect0 CSRF cookie fromdocument.cookie and the public bearer token from the X page, then calls X’s own /i/api/graphql/Bookmarksendpoint — the same call X.com’s own JavaScript makes when you scroll your bookmarks page. These tokens are used in-browser only, never written to disk, and never transmitted anywhere except back to x.com. Closing the X tab or signing out of X stops the extension immediately.

For RedNote and YouTube, the extension reads page state directly (Pinia store and ytInitialData respectively) — no token extraction is needed.

iOS app & web uploader

What we store

When you Sign in with Apple, we create a record in our hosted Supabase database keyed to your Apple-provided user identifier. When you upload a bookmark JSON file via the web uploader, the parsed bookmarks are stored in that database under your account, and the raw JSON file is archived in private object storage scoped to your user ID.

For RedNote bookmarks, we additionally fetch each thumbnail image and cache it in our object storage so the picture survives even after the original CDN URL expires (typically 24 hours).

What we never do

• We never sell, rent, or share your bookmark data with anyone.
• We do not run advertising or analytics on the bookmark contents.
• We do not have access to your Apple ID password or your relay email’s underlying address.
• We do not read or scrape your accounts on X, RedNote, or YouTube ourselves — you initiate every export by hand using the Chrome extension.

Row-level security

Every row in the database is tagged with your user ID, and Supabase row-level security policies enforce that only your authenticated session can read or write your rows. No other user can see your bookmarks.

Sub-processors

• Supabase — database, authentication, and object storage. Hosted in us-west-1.
• Vercel — hosts this website and the image-cache function. Logs are retained for 30 days for operational debugging.
• Apple — only for Sign in with Apple identity verification.

Your rights

Email us at zephrimio@gmail.com to:

• Export every row of your data as JSON (or download it yourself via the iOS app at any time).
• Delete your account and every associated row, image cache entry, and uploaded JSON file.

Account deletion completes within 7 days. Backups are purged within 30 days.

Children

SaveSync is not directed at children under 13 and we do not knowingly collect their data.

Changes to this policy

Material changes will be announced on this page with the “Last updated” date above. The historical text is preserved in the project’s git repository.

Contact

Questions, deletion requests, or security reports: zephrimio@gmail.com.