The short version
Lockby is a Chrome extension that locks your browser to a set of whitelisted domains during timed focus sessions. When a session is active, it blocks navigation to any site not on your whitelist. Everything it needs to do this runs locally in your browser.
What stays on your device
All extension data lives in chrome.storage.local on your machine. Nothing is sent to our servers. This includes:
- Session settings — your whitelisted domains and session duration.
- Session history (Pro) — a log of your past focus sessions, including duration, block count, and completion status. Stored locally, never uploaded.
- Block counter — how many times the extension blocked a navigation attempt during a session.
What we collect when you create an account
You can use Lockby's free tier without an account. If you sign up for Pro, we collect and store the following:
- Email address — provided through Google OAuth or email/password sign-up. Used for account identification and transactional emails (receipts, billing updates).
- Display name and avatar — pulled from your Google account if you sign in with Google OAuth. Used to personalize your account page.
- Subscription status — your plan type (free or Pro), subscription ID, active status, and expiry date. This lets us validate your Pro license.
That's the complete list. We don't collect anything else.
What we never collect
To be completely clear — we have zero access to:
- The URLs you visit or your browsing history
- Page content or screenshots
- Keystrokes or form data
- Anything from your tabs
- Your IP address (we don't log it)
- Device fingerprints or hardware identifiers
The extension works entirely locally. It checks URLs against your whitelist in your browser — that logic never touches our servers.
How we use your data
If you have an account, we use your data for these purposes only:
- Account management — to let you sign in and manage your profile.
- License validation — to verify your Pro subscription is active so the extension can unlock Pro features.
- Transactional emails — receipts, billing updates, and password resets. We don't send marketing emails.
- Payment processing — to handle Pro subscription billing through Lemon Squeezy.
Third-party services
We rely on a small number of trusted third-party services to run Lockby:
- Supabase — handles authentication and stores your account and license data. Your browsing data is never sent to Supabase. Supabase Privacy Policy.
- Lemon Squeezy — processes payments for Pro subscriptions. Your payment details (card number, billing address) are handled entirely by Lemon Squeezy — we never see or store them. Lemon Squeezy Privacy Policy.
- Google — if you choose to sign in with Google OAuth, Google provides us with your email, display name, and avatar. We don't receive any other Google account data. Google Privacy Policy.
We don't use any analytics tools, advertising networks, or data brokers. No Google Analytics, no Facebook Pixel, no tracking scripts of any kind.
Cookies and tracking
We don't use tracking cookies, analytics cookies, or advertising pixels. The only cookies on our website are essential authentication cookies set by Supabase to keep you signed in. These are strictly necessary for the service to work and cannot be used to track you across other sites.
Data retention and deletion
- Account data — exists as long as your account is active. You can delete your account at any time from your account page. When you do, we remove all your data (profile, license, authentication record) from our servers within 30 days.
- Local extension data — removed automatically when you uninstall the extension. You can also clear it manually from the extension settings at any time.
- Payment records — Lemon Squeezy may retain transaction records as required by financial regulations. This is governed by their privacy policy.
Your rights under GDPR (EU/EEA residents)
If you're in the EU or EEA, you have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your data. You can also do this yourself from your account page.
- Data portability — request your data in a structured, machine-readable format.
- Restriction of processing — ask us to limit how we use your data.
- Objection — object to our processing of your data.
- Complaint — lodge a complaint with your local data protection authority if you believe we're not handling your data correctly.
Our legal basis for processing your data is contract performance (providing the service you signed up for) and legitimate interest (keeping the service running and secure).
To exercise any of these rights, email support@lockby.app.
California residents (CCPA)
If you're a California resident, the California Consumer Privacy Act gives you additional rights:
- Right to know — you can request what personal information we've collected about you.
- Right to delete — you can request deletion of your personal information. You can also do this yourself from your account page.
- Right to opt out of sale — we don't sell your personal information. Never have, never will.
- Non-discrimination — we won't treat you differently for exercising your privacy rights.
To exercise these rights, email support@lockby.app.
Children's privacy
Lockby is not intended for children under 13. We don't knowingly collect personal information from anyone under 13. If you believe a child under 13 has provided us with personal data, please contact us at support@lockby.app and we'll delete it promptly.
Data security
We take reasonable measures to protect your data:
- All communication between your browser and our servers uses HTTPS encryption.
- Database access is protected by Row Level Security — users can only access their own data.
- Payment webhook signatures are verified using HMAC with constant-time comparison to prevent tampering.
- Authentication tokens are securely managed by Supabase.
- We never store your payment details — those are handled entirely by Lemon Squeezy.
No system is 100% secure, but we're committed to protecting your data with industry-standard practices.
International data transfers
Your account data may be processed and stored on servers located outside your country of residence, including in the United States, through our third-party service providers (Supabase and Lemon Squeezy). These providers maintain appropriate safeguards to protect your data in compliance with applicable data protection laws.
Changes to this policy
If we make meaningful changes to this policy, we'll let you know by email or through an in-extension notice before the changes take effect. We won't silently reduce your privacy rights.
Questions?
If you have any questions about this privacy policy or how we handle your data, reach out to us at support@lockby.app.