Privacy Policy
Last updated: April 30, 2026
1. Introduction and Data Controller
SeshTab ("the Service", "we", "us", "our") is a browser extension and web application for tab and session management, operated by Jakub Stolarski, conducting unregistered business activity (działalność nierejestrowana) under Polish law, pursuant to Article 5(1) of the Act of 6 March 2018 on Entrepreneurs' Law.
Data Controller:
Jakub Stolarski
ul. ks. Jerzego Popiełuszki 12A/10, 37-450 Stalowa Wola, Polska
E-mail: support@getseshtab.com
This Privacy Policy is provided pursuant to Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation — "GDPR", known in Poland as RODO). It describes what personal data we collect, why we collect it, the legal basis for each processing activity, with whom we share it, how long we retain it, and what rights you have as a data subject.
2. Data We Collect
We process the following categories of personal data:
a) Account Data
- Email address (required for email/password account creation)
- Hashed password (stored by our authentication provider; we never see your plaintext password)
- For OAuth sign-in via Google or GitHub: your name, email address, and profile avatar URL as provided by those services
b) User Content Data
- Workspace names, colours, and icons you create
- Tab URLs, page titles, and favicon URLs stored within workspaces, sessions, and snoozed tabs
- Public workspace share slugs (when you choose to make a workspace publicly accessible)
c) Tab History Data (Pro subscribers only)
- URLs, page titles, favicon URLs, and timestamps of tabs associated with your sessions
- Retained for a rolling 90-day period, then automatically deleted
d) Payment Data
- Your Stripe customer ID, stored in our database to link your account to your subscription
- All billing details (card number, billing address, invoices) are processed and stored exclusively by Stripe; we never receive or store this information ourselves
e) Analytics Data (where consent has been given)
- Anonymised or pseudonymised page view data, session counts, and user-flow information collected via Google Analytics and Vercel Analytics, only if you have accepted analytics cookies via our consent banner
f) Technical Data
- IP address, collected passively via server and hosting infrastructure logs
- Authentication session cookies (see Section 7 and our Cookie Policy for full details)
g) Extension Local Data (stored on your device only)
- Authentication token stored in browser.storage.local within your browser
- Session snapshots, workspaces, saved sessions, snoozed tabs, favourites, and profiles stored locally in IndexedDB (via the Dexie library) within your browser
- Theme preference (sesh-theme) stored in localStorage on the web dashboard
- None of this local data is transmitted to our servers independently of your deliberate actions (e.g., triggering a cloud sync)
3. Legal Basis and Purpose of Processing
For each processing activity we rely on one of the following legal bases under Article 6 GDPR:
3.1 Performance of a Contract — Art. 6(1)(b) GDPR
We process your data to the extent necessary to provide the Service you subscribed to:
- Creating and maintaining your account (email, hashed password, or OAuth profile data)
- Storing and synchronising your workspaces, sessions, and snoozed tabs across devices
- Managing your Pro subscription and billing relationship (Stripe customer ID)
- Enforcing plan-level limits and delivering Pro features (cloud sync, AI Clustering, tab history)
Providing this data is a contractual requirement. Without it, we cannot create your account or deliver cloud features.
3.2 Legitimate Interests — Art. 6(1)(f) GDPR
We process certain data based on our legitimate interests, provided those interests are not overridden by your rights:
- Security and fraud prevention: IP address logging via hosting infrastructure to detect abuse and protect the Service. Our legitimate interest: protecting users and the platform.
- Service stability and debugging: Server-side error logs (which may incidentally include IP addresses) to diagnose and fix technical issues.
- Payment fraud prevention: Stripe's fraud-prevention cookies set during checkout. Our legitimate interest (and Stripe's): preventing fraudulent transactions.
You have the right to object to processing based on legitimate interests. See Section 8.
3.3 Legal Obligation — Art. 6(1)(c) GDPR
We may be required to retain certain data (e.g., accounting records related to transactions) to comply with applicable Polish and EU law.
3.4 Legitimate Interests — Onboarding Emails — Art. 6(1)(f) GDPR
After you create an account, we send a short sequence of onboarding emails via Resend to help you discover SeshTab's features. These emails are service-related (not promotional) and are sent based on our legitimate interest in helping users get value from the Service. You may unsubscribe at any time via the link included in every email, without affecting your account or access to the Service.
3.5 Consent — Art. 6(1)(a) GDPR
Analytics (Google Analytics, Vercel Analytics): We use these services only if you have accepted analytics cookies via our cookie consent banner. You may withdraw your consent at any time by clicking "Manage cookies" in the footer or by clearing your browser cookies.
AI Tab Clustering (Pro feature only): When you use the AI Clustering feature, your currently open tab URLs and page titles are transmitted to our server and then sent to the OpenAI API (gpt-4o-mini) to generate grouping suggestions. This processing occurs only when you explicitly activate the command. You may choose never to use this feature. Triggering it constitutes an informed, voluntary action constituting consent within the meaning of the underlying contractual relationship.
4. Sub-Processors and International Transfers
To operate the Service, we engage the following sub-processors. Where a sub-processor is located outside the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission under Article 46(2)(c) GDPR as the appropriate safeguard for the transfer.
| Processor | Country | Data shared | Transfer basis |
|---|---|---|---|
| Supabase, Inc. | USA (AWS us-east-1) | Account data, user content, tab history, Stripe customer ID, technical session data | EU SCCs (Supabase DPA) |
| Stripe, Inc. | USA | Stripe customer ID; billing data collected directly by Stripe | EU SCCs (Stripe DPA) |
| OpenAI, LLC | USA | Tab URLs and page titles — Pro users only, when AI Clustering is triggered | EU SCCs (OpenAI DPA) |
| Vercel, Inc. | USA (edge/CDN) | IP addresses, request metadata via server logs; analytics data (if consent given) | EU SCCs (Vercel DPA) |
| Resend, Inc. | USA | Email address (for transactional emails such as account verification) | EU SCCs (Resend DPA) |
| Google LLC (Analytics) | USA | IP, page views, user behaviour data — only if analytics consent given | EU SCCs / EU-US DPF |
| Google LLC (OAuth) | USA | Name, email, avatar — only when you choose to sign in with Google | EU SCCs / EU-US DPF |
| GitHub, Inc. (OAuth) | USA | Name, email — only when you choose to sign in with GitHub | EU SCCs (GitHub DPA) |
You may obtain copies of the applicable SCCs by contacting us at support@getseshtab.com.
Note on Google and GitHub OAuth: When you choose to sign in using Google or GitHub, those services process your data under their own privacy policies. Supabase mediates this authentication on our behalf. We receive only the profile fields you authorise. We do not receive your Google or GitHub passwords.
5. Retention Periods
| Data category | Retention period |
|---|---|
| Account data (email, OAuth profile) | Lifetime of account; up to 30 days after deletion (recovery window), then permanently erased |
| User content (workspaces, sessions, snoozed tabs) | Lifetime of account; deleted promptly upon account deletion |
| Tab history (Pro only) | Rolling 90 days; entries older than 90 days are automatically purged |
| Stripe customer ID | Retained while account exists; removed upon account deletion after subscription cancellation |
| Server and access logs (IP addresses) | Up to 90 days, as retained by Vercel's infrastructure |
| Analytics data (Google Analytics, Vercel Analytics) | Up to 26 months (Google Analytics default); processed only with consent |
| Extension local data (IndexedDB, browser.storage.local) | Stored on your device only; persists until you clear browser data or uninstall the extension. We do not control or access this data directly. |
6. Public Workspace Sharing
If you choose to make a workspace public using the share feature, a unique share URL (e.g., getseshtab.com/shared/[slug]) is created. This URL and the workspace's name, tab URLs, and page titles become publicly accessible on the internet to anyone who has the link, without requiring authentication.
You can revoke public access at any time by disabling the share toggle in your workspace settings. Upon revocation, the workspace will no longer be accessible via the share URL.
You should not save sensitive, confidential, or private information in publicly shared workspaces.
7. Cookies and Browser Storage
We use a small number of strictly necessary cookies, payment-related cookies, and (with your consent) analytics cookies. We do not use advertising cookies. For full details of all cookies, localStorage usage, and extension storage, please see our Cookie Policy.
8. Your Rights Under GDPR
As a data subject, you have the following rights under the GDPR. To exercise any of them, contact us at support@getseshtab.com. We will respond within one calendar month of receiving a verifiable request (extendable by a further two months for complex requests, with notice given to you within the first month).
- Right of Access (Art. 15 GDPR): Request a copy of all personal data we hold about you, along with information about how it is processed.
- Right to Rectification (Art. 16 GDPR): Ask us to correct inaccurate or complete incomplete personal data.
- Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR): Request deletion of your personal data. You can also initiate self-service account deletion at any time from Settings → Delete account in the dashboard.
- Right to Restriction of Processing (Art. 18 GDPR): Ask us to temporarily stop processing your data while a dispute over accuracy or lawfulness is resolved.
- Right to Data Portability (Art. 20 GDPR): Receive your personal data in a structured, commonly used, machine-readable format (JSON export). Contact us to request an export.
- Right to Object (Art. 21 GDPR): Object at any time to processing of your personal data based on our legitimate interests (Art. 6(1)(f)). We will cease processing unless we can demonstrate compelling legitimate grounds.
- Right to Withdraw Consent (Art. 7(3) GDPR): Where processing is based on consent (analytics cookies, AI Clustering), you may withdraw that consent at any time. For analytics, use the "Manage cookies" option in the footer to change your preference.
- Right to Lodge a Complaint (Art. 77 GDPR): If you believe we have infringed your rights under GDPR, you have the right to lodge a complaint with the Polish data protection authority:
Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa, Polska
Website: uodo.gov.pl
E-mail: kancelaria@uodo.gov.pl
Phone: +48 22 531 03 00
You may also lodge a complaint with the supervisory authority in your EU member state of habitual residence or place of work.
9. Children's Privacy
SeshTab is not directed at children under the age of 13. We do not knowingly collect personal data from anyone under 13. If you are a parent or guardian and believe your child has provided us with personal data, please contact us and we will delete it. For users between 13 and 16 in EU member states where the age of digital consent is 16, parental consent may be required under applicable national law.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email to the address associated with your account at least 14 days before they take effect. The "Last updated" date at the top of this page will always reflect the most recent revision. Your continued use of the Service after the effective date of a revised policy constitutes your acceptance of the changes.