Short version: We collect the minimum data required to run each extension. We never sell your data, never read your personal browsing content without your explicit action, and never store screenshots or page content on our servers. You can delete all your data at any time by emailing hello@shelfnest.in.
ShelfNest ("we", "us", "our") is an independent developer of browser productivity extensions. We publish extensions including Shelf Nest, Wick, and Graft on the Chrome Web Store. Our contact email is hello@shelfnest.in and our website is www.shelfnest.in.
We are not affiliated with Google LLC, Anthropic, OpenAI, or any trading platform mentioned in our extension descriptions.
This Privacy Policy applies to all Chrome extensions published by ShelfNest and the website at shelfnest.in. It describes what personal data we collect, how we use it, and your rights regarding that data.
This policy does not apply to websites or services linked from within our extensions (for example, trading platforms, Google services, or payment processors). We encourage you to review the privacy policies of those services independently.
When you install any of our extensions without signing in, we generate a random UUID and store it in chrome.storage.local on your device. This ID is used solely to enforce daily free-tier usage limits. It:
We store a server-side count of daily feature uses associated with your device ID (or email if signed in). This is a number only — for example, "device X performed 3 analyses today". We do not log which websites you analysed, what questions you asked, or what content you captured beyond the count itself.
Sign-in is optional for all extensions. If you choose to sign in with Google, we receive from Google's OAuth 2.0 service:
We do NOT receive or request:
The OAuth token is used with the minimum-required Google OAuth scope: email and openid only.
If you subscribe to a paid plan, billing is handled by Lemon Squeezy (our payment processor). We never see or store your credit card number, CVV, or full billing address. After a successful payment, Lemon Squeezy notifies our server, and we update your account tier (e.g. "standard" or "pro") in our database. We store:
Wick injects a sidebar into trading platform websites. When you click "Analyse", it captures a screenshot of the chart area visible on your screen and sends it to our AI API for analysis.
scripting API when you explicitly click "Analyse".Wick's content script is declared in the manifest for all supported trading platforms so the sidebar UI can be injected. The script only becomes active when a user opens one of these sites. It does not run on any other website.
Graft lets you capture web pages to a local Markdown vault on your own device. You can then ask AI questions about your collected notes. Graft uses the activeTab and scripting permissions to read the content of a page only when you explicitly trigger a capture.
All your captured notes are Markdown files stored on your own device, in a folder you control. We have no access to these files. You can move, edit, or delete them like any file on your computer.
The <all_urls> content script is required because users can capture any web page — news articles, documentation, research, etc. The script is dormant until you click the Graft icon and trigger a capture. It does not run continuously or report anything passively.
Shelf Nest reads the titles and URLs of your currently open tabs, sends them to our AI API, and organises them into Chrome tab groups.
The <all_urls> host permission is required to read tab titles and URLs from all open tabs, regardless of which website they are on. Without it, Chrome restricts access to tab metadata on certain domains. We use this solely for reading tab titles/URLs on demand — never for injecting content into pages or reading page content.
We only request permissions that are strictly necessary. Below is a plain-English explanation of every Chrome permission used across our extensions.
| Permission | Extension(s) | Why it's needed |
|---|---|---|
storage |
All | Stores your preferences, device ID, sign-in state, and cached tier info locally in Chrome. Never used to store page content. |
identity |
All | Powers the "Sign in with Google" button using Chrome's built-in OAuth flow. No credentials are handled by the extension code directly. |
scripting |
Wick, Graft | Injects the sidebar UI (Wick) or capture script (Graft) into supported pages. Only runs when you're on a relevant page or trigger a capture. |
tabs |
Graft, Shelf Nest | Reads tab titles and URLs. For Shelf Nest: to organise tabs. For Graft: to get the URL and title of the page you're capturing. |
tabGroups |
Shelf Nest | Creates and names Chrome tab groups after AI analysis. Required to write groups back to the browser. |
activeTab |
Graft | Provides temporary access to the currently active tab when you click the extension icon. More privacy-respecting than broad host permissions. |
contextMenus |
Graft | Adds a right-click "Capture with Graft" option so you can quickly save a page without opening the popup. |
alarms |
Graft, Shelf Nest | Schedules background tasks such as periodic sync checks. Does not access any website or user data. |
notifications |
Graft | Shows a brief Chrome notification after a successful page capture. Requires the notifications permission. |
Host permissions (<all_urls> / specific trading sites) |
All (see above) | See §4 extension-specific explanations above. Used only for sidebar injection (Wick) or tab reading (Shelf Nest / Graft) — never for passive tracking. |
Our AI features are powered by Azure OpenAI Service, operated by Microsoft. When you trigger an AI feature, relevant data (chart screenshot, tab titles, or note excerpts) is sent from our server to Azure OpenAI's API.
Sign-in is handled by Google's OAuth 2.0 service. When you sign in, Google authenticates you and shares your email address with us. Google's handling of your data during this process is governed by Google's Privacy Policy.
Paid subscriptions are processed by Lemon Squeezy. All payment card data is handled directly by Lemon Squeezy — it never passes through our servers. Subject to Lemon Squeezy's Privacy Policy.
Our API servers, databases, and storage are hosted on Microsoft Azure in the South India region. Microsoft is a data processor acting on our behalf and is bound by Azure's data processing addendum.
We take reasonable technical and organisational measures to protect your data:
No method of transmission over the internet is 100% secure. While we use commercially reasonable means to protect your data, we cannot guarantee absolute security.
We do NOT sell, rent, or trade your personal data to any third party, ever.
We share data only with the following categories of recipients, strictly as required to operate our services:
| Recipient | Data Shared | Purpose |
|---|---|---|
| Azure OpenAI (Microsoft) | Chart screenshots / tab titles / note excerpts | AI processing — analysing charts, grouping tabs, answering questions about notes |
| Google LLC | OAuth token exchange | Authenticating your Google sign-in |
| Lemon Squeezy | Email address (for subscription linking) | Payment processing and subscription management |
| Law enforcement / legal authorities | Any data required by law | Only when required by a valid legal order, court order, or government request |
We will notify you of any law enforcement requests for your data unless prohibited by law from doing so.
| Data Type | Retention Period | Notes |
|---|---|---|
| Email address & account tier | Until account deletion | Deleted within 30 days of a deletion request |
| Daily usage counts | 90 days | Rolling 90-day window; older records auto-deleted |
| Monthly scan counts (Wick Pro) | Current billing month + 1 month | Reset at the start of each billing month |
| Wick Knowledge Base entries | Until you delete them or delete your account | You can delete individual entries in-app at any time |
| Chart screenshots | 0 seconds (never stored) | Processed in memory only; never written to disk |
| Tab titles & URLs (Shelf Nest) | 0 seconds (never stored) | Processed in memory only during the grouping request |
| Page content (Graft) | Never stored on our servers | Stored only on your local device as Markdown files |
| Anonymous device ID (server-side) | 90 days after last use | Auto-purged; only a usage count is stored, not the ID itself beyond the lookup key |
If you are located in the European Economic Area (EEA), Switzerland, or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR):
Our legal basis for processing personal data is: performance of a contract (to provide the services you subscribed to), legitimate interests (to enforce free-tier limits and prevent abuse), and consent (for optional features like the Knowledge Base). We do not rely on consent for core service functionality.
To exercise any of these rights, email hello@shelfnest.in. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.
If you are a California resident, the California Consumer Privacy Act (CCPA) grants you the following rights:
To submit a CCPA request, email hello@shelfnest.in with the subject line "CCPA Request". We will respond within 45 days.
To delete all data we hold about you:
Note: Clearing browser data (chrome.storage) also removes the local device ID and any locally cached data the extensions store on your device.
Our extensions are not directed at children under the age of 13, and we do not knowingly collect personal information from anyone under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at hello@shelfnest.in and we will delete the information promptly.
We may update this Privacy Policy from time to time. When we make material changes, we will:
Continued use of our extensions after the effective date of any changes constitutes your acceptance of the revised policy. If you do not agree to the revised policy, you should uninstall the extension and request deletion of your data.
For any questions, requests, or concerns about this Privacy Policy or your personal data:
Note: This policy was last reviewed and updated on April 11, 2026. While we have taken care to ensure it accurately describes our data practices, this document does not constitute legal advice. If you have specific legal concerns, we recommend consulting a qualified attorney.