Privacy Policy
Vibe Automator ("we", "the extension", "the service") is a Chrome browser extension that detects your active browsing context and queues Spotify music to match your current vibe. This policy explains what data we collect, how we use it, and your choices.
Operator: Utkarsh Khandelwal
Contact: tech2trail@gmail.com · Support
Summary
- We read only your active tab's hostname and title — not your full browsing history, page content, or background tabs.
- Context is sent only after smart timing rules (settle, dwell, cooldown) — not on every click or tab switch.
- Unrecognized sites may be classified by server-side AI (AWS Bedrock); results are cached per domain for up to 30 days.
- You sign in with your own Spotify account; we never access another user's library.
- Data is sent to the Vibe Automator backend (AWS, via CloudFront) to queue music on your Spotify account.
- We do not sell data, run ads, or use third-party analytics in the extension.
What Data We Collect
1. Active tab context (when you browse)
When you use Chrome with the extension enabled, it reads the currently active tab only:
- Hostname (e.g. github.com)
- Page title (e.g. "Pull Request #42")
This is used to determine a vibe (e.g. Deep Focus, Learning) or mark the site as unknown for server-side AI classification. The extension uses timing rules (approximately 5 seconds settle + 30 seconds dwell, plus cooldown and idle checks) before sending context — it does not transmit data on every tab click.
We do not collect or transmit your full browsing history, bookmarks, page body/DOM content, or data from background tabs. The extension does not inject scripts into arbitrary websites.
2. Spotify account information (when you connect)
When you click Connect with Spotify, you are redirected to Spotify's authorization page. If you approve, our backend receives:
- Spotify user ID
- Display name and email (from Spotify profile API)
- OAuth refresh token (encrypted at rest with AWS KMS)
We use this to link your extension to your Spotify account and queue tracks on your library.
3. API key (authentication)
After Spotify sign-in, our backend issues a personal API key (vibe_…) that identifies your account. The extension stores this key locally in Chrome's chrome.storage.local and sends it as a Bearer token on each context request. You can disconnect at any time from the extension popup, which removes the key from local storage.
4. Custom vibe mappings (optional)
If you use the Custom Vibes tab to assign domains to vibes, those mappings are stored locally in chrome.storage.local on your device. They are included in context payloads sent to our backend when relevant.
5. Session state (ephemeral)
The extension stores pending tab context, active-tab preview for the popup, and send deduplication state in chrome.storage.session. This data is cleared when Chrome closes and is not persisted long-term.
6. AI domain classification cache (optional)
For sites not in our built-in vibe catalog, our server may classify the domain using AWS Bedrock. The result (vibe name and audio parameters) is cached:
- On our servers — DynamoDB, keyed by domain, TTL up to 30 days
- On your device — chrome.storage.local domain cache, TTL up to 30 days, to show prior AI picks in the popup
Only the domain hostname and page title are sent for classification — not full page content.
7. Extension preferences
The extension stores your auto-queue pause toggle and tab-switch timing metadata locally. No account profile beyond Spotify OAuth is required.
How Data Is Stored
| Data | Where | Retention |
|---|---|---|
| API key | Chrome storage.local on your device | Until you disconnect or uninstall |
| Custom vibe mappings | Chrome storage.local on your device | Until you reset or uninstall |
| Pending context / dedup hash / popup preview | Chrome storage.session | Until browser session ends |
| AI domain vibe cache (client) | Chrome storage.local | Up to 30 days per domain entry |
| Auto-queue pause preference | Chrome storage.local | Until you change it or uninstall |
| AI domain vibe cache (server) | AWS DynamoDB | Up to 30 days per domain (TTL) |
| Spotify refresh token | AWS DynamoDB (encrypted with KMS) | Until you disconnect / we delete your account |
| User profile (Spotify ID, name, email) | AWS DynamoDB | Same as above |
| API key (server copy) | AWS DynamoDB | Same as above |
How Data Is Used
- Vibe detection — Active tab hostname and title are mapped to a built-in or custom vibe, or marked unknown.
- AI classification — Unknown domains may be classified by AWS Bedrock; results are cached to avoid repeat inference.
- Context ingestion — A JSON payload is sent via HTTPS POST to https://d35gwaocqa5ei3.cloudfront.net/context (CloudFront → AWS Lambda).
- Music queueing — Our backend invokes a Bedrock agent that calls the Spotify Web API to add recommended tracks to your Spotify queue.
We do not use your data for advertising, profiling, or any purpose unrelated to music queueing based on browsing context.
What We Send and Where
| Destination | Data sent | Purpose |
|---|---|---|
| Vibe Automator backend (AWS, us-east-1, via CloudFront) | Active tab context, API key, vibe metadata | Process vibe changes and trigger Spotify actions |
| AWS Bedrock (us-east-1) | Domain hostname + page title for unknown sites | AI vibe classification; cached per domain |
| Spotify (accounts.spotify.com) | OAuth authorization (browser redirect) | User consent and token exchange |
| Spotify Web API (api.spotify.com) | Playback/queue requests using your token | Add tracks to your queue |
Data is not sent to the extension developer's personal devices, ad networks, or unrelated third parties.
Content Script on OAuth Callback
After Spotify sign-in, a small content script runs only on the Vibe Automator OAuth success page (https://*.cloudfront.net/auth/spotify/callback or localhost during development). It reads your API key from that page and saves it to extension storage so you do not have to copy-paste it manually. It does not run on any other website.
Chrome Permissions
The extension requests permissions needed for its core function:
- tabs/activeTab — read the active tab URL and title only
- storage — save API key, custom mappings, and caches locally
- alarms — schedule settle, dwell, and cooldown timers
- idle — skip queueing when you are idle or the screen is locked
- windows — resolve the correct browser tab when you open the popup
- https://*/* — required by Chrome to read active-tab URLs on HTTPS sites; we do not scrape all sites in the background
Third-Party Services
- Spotify — OAuth sign-in and music playback/queue API. Subject to Spotify's privacy policy and terms.
- Amazon Web Services (AWS) — Hosting for ingestion API, database, encryption, and AI (Lambda, DynamoDB, KMS, CloudFront, Bedrock). Data processed in us-east-1.
Data Sharing
We do not sell, rent, or trade your personal data. We share data only:
- With Spotify, as required to queue music on your account (using your authorization).
- With AWS, as our infrastructure provider (under standard cloud processing terms).
We do not share data with advertisers or data brokers.
Your Choices
- Connect / disconnect Spotify — Use the extension popup. Disconnect removes your API key from local storage (server-side tokens remain until you request deletion).
- Pause auto-queue — Toggle off automatic sends from the popup without uninstalling.
- Uninstall — Removes all locally stored extension data.
- Custom mappings — Reset from the Custom Vibes tab at any time.
To request deletion of server-side account data (DynamoDB records and encrypted Spotify token), email tech2trail@gmail.com.
Security
- All API communication uses HTTPS.
- Spotify refresh tokens are encrypted at rest with AWS KMS.
- API keys are transmitted only in the Authorization: Bearer header to our ingestion endpoint.
- The extension does not embed third-party tracking scripts.
Children's Privacy
Vibe Automator is not directed at children under 13. We do not knowingly collect data from children.
Changes to This Policy
We may update this policy from time to time. The "Last updated" date at the top will reflect changes. Continued use of the extension after changes constitutes acceptance of the revised policy.
Contact
Questions about this privacy policy:
- Email: tech2trail@gmail.com
- Support: Support page