Privacy Policy

Last updated: April 7, 2026

DOMCommand ("we", "our", "us") is a Chrome extension that lets teams annotate and collaborate on live websites. This policy describes what data we collect, how we use it, and your rights.

Who We Are

DOMCommand is operated as a software product. For the purposes of data protection law, we act as the data controller for account and usage data, and as a data processor for annotation content created by users on behalf of their organizations.

Data We Collect

Information you provide:

• Account information — email address, display name, and password (hashed, never stored in plaintext) when you create an account.
• Annotations — the text you write, the page URL and CSS selector of the element you annotated, priority, assignee, and tags.
• Organization data — team name, member list, and invite records.

Information collected automatically:

• Device metadata — browser type, OS, screen dimensions, and viewport size, attached to each annotation. This helps teams reproduce bugs across different setups.

Data We Do Not Collect

• We do not collect browsing history, page content, cookies, or form data from websites you visit.
• We do not collect data from pages where you have not created annotations.
• We do not sell, rent, or share your data with third parties for advertising or marketing purposes.
• We do not use tracking pixels, fingerprinting, or analytics SDKs in the extension.

How We Use Your Data

• Service delivery — to provide the annotation and collaboration features of DOMCommand.
• Authentication — to verify your identity and manage team membership.
• Communications — to send transactional emails (account confirmation, password reset, team invites). We do not send marketing emails.
• Security — to protect against unauthorized access and abuse.

Cookies and Tracking

The DOMCommand extension does not use cookies. Authentication sessions are stored locally in your browser's extension storage (chrome.storage.local), which is isolated from website cookies and not accessible to any website.

The domcommand.com website does not use analytics or tracking cookies.

How We Share Data

We share data only with the service providers necessary to operate DOMCommand:

• Supabase (database, authentication, real-time sync) — processes all application data.
• Resend (email delivery) — receives email addresses to deliver transactional emails only.
• Vercel (website hosting) — serves the domcommand.com website. No user data is shared with Vercel.

We do not sell data to third parties. We may disclose data if required by law or to protect our legal rights.

Extension Permissions

DOMCommand requests access to all websites (<all_urls>) because the extension needs to render annotation pins, the sidebar, and the annotation form on whatever page you are working on. We do not read or collect page content — the extension only interacts with the DOM to display its own UI elements.

Data Storage and Security

All data is stored in Supabase, hosted on AWS in the United States. Security measures include:

• Encryption in transit (TLS) and at rest.
• Row-level security (RLS) policies ensuring users can only access data within their organization.
• Password hashing via Supabase Auth (bcrypt).
• API keys and secrets stored in server-side environments, never exposed to the extension client.

International Data Transfers

Data is stored and processed in the United States. If you are located outside the US, your data will be transferred to the US for processing. By using DOMCommand, you consent to this transfer.

Data Retention

• Account data — retained for as long as your account exists.
• Annotations and replies — retained for as long as the organization exists.
• Deleted accounts — all associated data (annotations, replies, membership records) will be permanently deleted within 30 days of account deletion.

Your Rights

Depending on your location, you may have the following rights:

• Access — you can export your annotations as CSV at any time from the extension sidebar.
• Deletion — you can request deletion of your account and all associated data.
• Rectification — you can update your display name and password through the extension.
• Portability — annotation data can be exported as CSV.
• Objection — you can stop using the extension at any time and request account deletion.

To exercise any of these rights, contact us at the email below.

US State Privacy Rights

If you are a resident of California, Virginia, Colorado, Connecticut, or other US states with consumer privacy laws, you have the right to know what personal data we collect, request its deletion, and opt out of its sale. We do not sell personal data. To make a request, contact us at the email below.

Children's Privacy

DOMCommand is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

Changes to This Policy

We may update this policy from time to time. If we make material changes, we will update the "Last updated" date at the top of this page. Continued use of DOMCommand after changes constitutes acceptance of the updated policy.

Contact

Questions about this policy? Email privacy@domcommand.com.