1. Introduction
Carthole is a browser extension that helps users track their spending on quick commerce platforms (Zepto, Blinkit, Swiggy Instamart). This privacy policy explains how we handle your data.
🔒 The Short Version: Your data stays on your device. We don't collect, store, or transmit any personal data to external servers. Period.
2. Data Collection
Carthole does NOT collect, store, or transmit any personal data to external servers.
All data processing happens locally on your device:
- Order data scraped from Zepto and Blinkit websites
- Email data from Gmail (for Instamart orders only)
- Computed analytics and statistics
3. Gmail Access (Instamart Feature)
For Swiggy Instamart tracking, Carthole requests read-only access to your Gmail to find Instamart delivery confirmation emails.
📧 What we access:
- We ONLY search for emails from "noreply@swiggy.in" with "Instamart" and "delivered" in the subject
- We ONLY extract order total and date from these emails
- We do NOT read, store, or access any other emails
- Email data is processed locally and never leaves your device
- You can disconnect Gmail access at any time
4. Data Storage
- All data is stored locally in your browser using Chrome's storage API
- Data is never transmitted to any external server
- Data is automatically cleared when you uninstall the extension
- You can clear cached data at any time from within the extension
5. Data Sharing
We do NOT share any data with third parties. Your data never leaves your device.
6. Analytics & Tracking
Carthole does NOT use any analytics, tracking, or telemetry services. We have no idea how many people use the extension or how they use it.
7. Permissions Used
Here's why we need each permission:
- activeTab: To read order data from Zepto/Blinkit pages when you click "Fetch Details"
- scripting: To run scripts that extract order information from the page
- storage: To cache your order data locally for quick access
- identity: To authenticate with Gmail for the Instamart feature
8. Your Rights
You have complete control over your data:
- View all cached data within the extension
- Export your data as CSV anytime
- Delete cached data with one click
- Disconnect Gmail access instantly
- Uninstall the extension to remove all data
9. Data Protection Mechanisms
We implement the following measures to protect your data:
- Local-only processing: All data is processed entirely on your device using Chrome's built-in storage APIs. No data is ever transmitted to external servers.
- No remote storage: We do not operate any servers or databases. Your order data and Gmail tokens exist only in your browser's local storage.
- Minimal local caching: We only cache the extracted order amount and date in your browser's local storage - never the full email content. No data is ever stored on any external server.
- Token security: Gmail authentication tokens are stored securely using Chrome's built-in identity API and can be revoked by the user at any time.
- Automatic cleanup: All cached data is automatically deleted when you uninstall the extension.
- User control: You can disconnect Gmail access and clear all cached data at any time from within the extension.
- No third-party sharing: Your data is never shared with any third parties because it never leaves your device.
- Encryption at Rest: Although data is stored locally, we utilize Chrome's storage.local and identity APIs, which leverage industry-standard encryption provided by the underlying operating system to ensure your data remains secure and confidential.
- Security Procedures: Strict security procedures are in place to ensure that data extracted from quick commerce sites is never exposed to third-party scripts or external network calls.
- Data Minimization & Confidentiality: We implement technical safeguards to ensure only the necessary metadata (amount and date) is processed, maintaining the strict confidentiality of your personal shopping history.
10. Google User Data Protection
This section specifically addresses how we protect data accessed through Google APIs (Gmail).
How we access Google Gmail data:
- We request read-only access to Gmail (gmail.readonly scope)
- We ONLY search for emails from "noreply@swiggy.in"
- We extract ONLY the order total and delivery date from these emails
How we protect the user data:
- Local processing only: Gmail data is processed entirely in your browser. No Google user data is ever transmitted to any external server.
- No server storage: We do not operate servers or databases. Your Gmail data exists only in your browser's local storage.
- Minimal data retention: We only store the extracted order amount and date, not the full email content.
- Secure token handling: OAuth tokens are managed by Chrome's built-in identity API and stored securely in browser storage.
- No sharing: Google user data is never shared with third parties.
- User control: You can revoke Gmail access anytime by clicking "Disconnect" in the extension. This immediately removes all stored tokens and Gmail-derived data.
- Protection of Google User Data: We protect the confidentiality of Google user data by ensuring it never leaves the client-side environment. We use encryption (via Chrome’s secure storage sandbox) to protect any Google-derived information stored on your device.
- No External Transmission: We maintain security procedures that prevent the transmission of any Google user data to external servers, ensuring that your Gmail information stays within the secure container of your browser.
Google API Services User Data Policy Compliance:
Our use of Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements. We only use Gmail data to display your Instamart spending analytics within the extension.
11. Changes to This Policy
We may update this privacy policy from time to time. Any changes will be reflected in the "Last updated" date at the top of this page.