A privacy policy
without much to say.
Decaf is a browser extension that runs entirely on your device. It does not collect, transmit, sell, or share any personal data. There are no analytics, no telemetry, no servers we send anything to, and no accounts. Your settings and usage stats live in your browser's local storage and never leave it.
What we don't collect
To make this concrete: Decaf does not collect or transmit any of the following.
- Your name, email, phone number, or any other identifier.
- Your IP address.
- Your browsing history, the URLs you visit, or page contents.
- The posts, videos, or accounts you interact with on YouTube, TikTok, Instagram, X (Twitter), or Reddit.
- Analytics events, crash reports, performance metrics, or A/B-test assignments.
- Cookies, fingerprints, or any other tracking signal.
We did not forget to add these. We chose not to.
What stays on your device
Decaf stores a small amount of state in the browser's local extension
storage (browser.storage.local) so that your settings persist
across sessions. This data never leaves your computer.
- Your settings — which mode you picked (Detox / Basic / Extreme), which platforms are covered, which features are toggled.
- Local stats — counters for how many feed items have been blocked today and all-time. These exist purely to render the popup; they are not sent anywhere.
- Per-platform session state — the post-count progress and cooldown timer for each platform you're using, so closing and reopening a tab doesn't reset your allowance. Cleared automatically after two hours of inactivity.
- Optional password hash — if you choose to password-protect the settings page, the SHA-256 hash of that password is stored locally. The plaintext password is never stored and never transmitted.
Uninstalling the extension removes all of the above.
Permissions, plainly
Browsers ask you to approve permissions at install time. Here's what Decaf actually does with each one.
storage— used to save the local settings and stats described above.- Site access on
youtube.com,tiktok.com,instagram.com,twitter.com,x.com, andreddit.com— required to inject the content scripts that hide short-form feeds, recommendations, and other attention-bait elements on those sites. Decaf does not read or send any page content; it only modifies the page's appearance to hide the elements you've chosen to hide.
Decaf does not request access to any other site, your tabs in general, your bookmarks, your downloads, your history, or your identity.
Third parties
None. Decaf does not include third-party scripts, analytics SDKs, ad networks, error trackers, or any other third-party code. The extension fetches no remote resources at runtime.
The website you're reading this on is hosted by Netlify, which
receives standard server logs (IP, user agent, requested URL) for
pages you visit on decafapp.com. Those logs are
governed by Netlify's privacy policy.
The extension itself does not interact with our website during
normal use.
The uninstall page
When you uninstall Decaf, your browser opens decafapp.com/goodbye. Visiting that page is a normal web request, and as above it shows up in Netlify's server logs. We do not record, link, or aggregate those visits with any other information. We can't tell who uninstalled or why; it's just a goodbye note.
Children
Decaf is not directed at children under 13. Because we collect no personal information from anyone, COPPA's parental-consent requirements don't apply, but if you are a parent and have questions, the contact address below works for you too.
Changes to this policy
If we ever change Decaf in a way that affects this policy — for example, adding an optional sync feature — we will update this page, change the "Last updated" date at the top, and post a clear note in the extension's settings page. Material changes will not be retroactive: data that was local-only will not be uploaded without a fresh, opt-in choice.
Contact
Questions, concerns, or corrections: privacy@decafapp.com.
← Back to decafapp.com