Privacy Policy

Last updated: March 2026

Velocity Text Expander ("Velocity", "we", "our", or "us") provides a cross-browser text expansion extension. This Privacy Policy describes what data we collect, how it is handled, and your rights as a user.


1. What We Collect

Device-local data (never leaves your device)

Velocity operates local-first by default. With no account, all snippet data is stored exclusively in your browser's IndexedDB (via Dexie), which is private to your device. We collect and transmit nothing.

The following are stored in chrome.storage.local / browser.storage.local and never sent to any server:

  • Your snippet triggers and bodies (IndexedDB)
  • Debounce and shortcut preferences
  • Sync state flags (sync_enabled, last_sync_ts)

If you enable Encrypted Sync (optional)

When you opt in to sync, the following is transmitted to Supabase (our infrastructure provider):

DataHow stored
Email address (auth only)Plaintext in Supabase Auth
Snippet triggersPlaintext in Supabase (deliberate — required for query performance; documented design decision)
Snippet bodiesAES-GCM encrypted before leaving your device. We cannot decrypt them.
Encryption key metadataTwo-layer key wrap (PBKDF2 + AES-GCM). Your password and recovery codes never leave your device.

We do not store your encryption password or recovery codes.


2. Subprocessors

We use the following third-party subprocessors:

ProviderPurposePrivacy Policy
Supabase, Inc.Authentication and encrypted snippet storagesupabase.com/privacy
Vercel, Inc.Hosting of this website and marketing pagesvercel.com/legal/privacy-policy
Stripe, Inc.Payment processing (future billing — see §4)stripe.com/privacy

We do not use any analytics services, advertising networks, or data brokers. We have no deals to share or sell user data.


3. No Tracking or Telemetry

Velocity collects zero usage telemetry.

  • No page views or event logging
  • No crash reporting that leaves your device
  • No heatmaps, session recordings, or A/B testing
  • No third-party tracking pixels or SDKs embedded in the extension

4. Stripe Data Processing Disclosure

Velocity intends to introduce paid plans in a future version. If and when billing is introduced, payments will be processed by Stripe, Inc. Velocity will not store or have access to your card number or full payment details — these are handled exclusively by Stripe. Stripe's processing is governed by Stripe's Privacy Policy. We will update this policy before any billing feature is activated.


5. Your Rights (GDPR / CCPA)

RightHow to exercise it
Export your dataUse the built-in JSON export in the extension's Options page. No account required.
Delete your dataDelete your Velocity account via the Settings panel. This triggers a hard-delete of all your rows in Supabase. Local IndexedDB data is cleared simultaneously.
Access / rectificationContact us at the address below.
Data portabilityThe JSON export format is open and documented.
Opt out of sale (CCPA)We do not sell data. There is nothing to opt out of.

For EU users: the legal basis for processing sync data is contract performance (fulfilling the sync feature you explicitly enabled). You may withdraw consent by disabling sync at any time — this will not affect locally stored snippets.


6. Data Retention

  • Local data: Retained until you clear your browser data or uninstall the extension.
  • Sync data (Supabase): Retained until you delete your account. Soft-deleted snippets are permanently purged after 30 days.
  • Auth tokens: Session-scoped; not shared with any third parties.

7. Children

Velocity is not directed at children under 13 (or under 16 in the EU). We do not knowingly collect data from children.


8. Changes to This Policy

We will update the "Last updated" date at the top of this page when changes are made. Material changes will be announced via the extension's release notes.


9. Contact

For privacy inquiries, data deletion requests, or DPA arrangements:

Email: privacy@velocity-text.app

We aim to respond within 30 days.