Privacy Policy

Last updated: 2026-05-24

This is the privacy policy for PiP Cue, a Chrome browser extension and the companion website at kayonstudio.com/pip-cue. PiP Cueis an independent side project ("we", "us", or "our") operated by an individual developer. Contact tenxnaveen@gmail.com for anything privacy-related.

TL;DR

We collect almost nothing. The extension works fully without an account. The only personal data we ever store on our servers is your Google account email address, and we only store it if you click "Sign in with Google" to opt into cross-device bookmark sync. Transcripts, captions, and the contents of any video you watch never leave your browser. We never sell, share, or analyze your data. There is no advertising. There is no analytics.

What we collect

When you use the extension without signing in (default)

Nothing. No data leaves your computer.

• Your settings (subtitle style, default PiP mode, etc.) are stored in your browser's local extension storage (chrome.storage.local).
• Your saved bookmarks are stored in the same local storage, up to 20 of them.
• The toggle for "Auto-PiP when switching tabs" is stored locally.
• Bookmark reminders (if you set any) are scheduled via chrome.alarms and fired by chrome.notifications — both happen entirely inside your browser.
• Fetched YouTube transcripts and captions live only in the active tab and are discarded when you close the panel or navigate away. They are never uploaded to any server we control.

We do not contact any server. We do not see any of this data.

When you opt into bookmark sync (Sign in with Google)

If you click Sign in with Google in the popup, dashboard, options, or onboarding page, the following happens:

1. The extension opens a Google OAuth window via chrome.identity.launchWebAuthFlow. You're asked to authorize PiP Cue against Supabase (our authentication and database provider). Supabase is what Google sees as the requesting application.
2. The only profile field PiP Cue receives is your email address (used as your unique account identifier). We do not request scopes for your name, profile picture, contacts, calendar, drive, or any other Google service.
3. Supabase issues a session token. The extension stores that token in chrome.storage.local so you stay signed in.
4. Each time you save a bookmark from the extension, the bookmark is written to your row in our Supabase database. Each row contains: the video URL, title, thumbnail URL, timestamp in seconds where you stopped, the site/hostname, and your user ID.
5. When you open the saved-videos dashboard (here on the website or in the extension), PiP Cue reads your bookmarks back from Supabase.

We do not link your email to any other identifier. We do not enrich your profile from third parties. The only thing your email is used for is identifying which row in the bookmarks table belongs to you.

This use of Google sign-in is consistent with Google's Limited Use requirements: PiP Cue uses Google authentication only to identify your bookmark row, never for ads, analytics, training of AI/ML models, sharing with third parties, or human review (except minimally for security where required by Supabase or a court order).

YouTube transcripts and captions

The transcript sidebar and the Captions Only window read caption tracks directly from YouTube's own player. Specifically:

• For the transcript sidebar, PiP Cuefetches the caption track via YouTube's public timedtextendpoint, the same endpoint YouTube's player uses internally.
• When you translate to another language, PiP Cue appends the &tlang=parameter to that request, which routes the translation through YouTube's own translation backend.
• All caption data lives only inside the current tab. We do not store, upload, or relay transcripts to any server we operate. We do not log which videos you read transcripts for.
• Caption fetches are subject to YouTube's normal terms and rate-limits. PiP Cuedoesn't bypass DRM or any access control.

Send to NotebookLM

When you click Send to NotebookLM on a saved bookmark, the following happens entirely inside your browser:

1. PiP Cue opens a new tab pointing at notebooklm.google.com.
2. A small content script — restricted by the manifest to only run on notebooklm.google.com/*— waits for NotebookLM's interface to load, then pastes the YouTube URL (with the exact timestamp where you saved the video) into NotebookLM's "Add source" dialog.

The only piece of data we hand to NotebookLM is the YouTube URL you already saved. We do not send your email, your account ID, or any other Pip Cue data to NotebookLM. The content script does not run on any other site. What you then do inside NotebookLM is governed by Google's privacy policy, not ours.

What we do not collect

• Your browsing history
• The contents of pages you visit (other than the <video> element on the active tab and, on YouTube, the visible caption overlay text — both of which stay on your computer)
• Any video file or stream content
• Cookies or tokens from sites you visit
• Mouse movement, scroll, click, or keypress telemetry
• Device fingerprints, screen size, timezone, locale, or installed plugins
• Which videos you watch, save, transcribe, translate, or send to NotebookLM
• Anything from any site that does not have a <video> element you interact with

There are no analytics on the extension or the website. There are no advertising trackers. There are no third-party scripts loaded on either client.

Why each Chrome permission is needed

PiP Cue asks for these permissions in its manifest. Each one has a specific, user-facing reason — none are used for tracking.

• activeTab — read the active tab so the popup knows whether there's a video to pop out.
• scripting — inject the PiP triggers, the YouTube Save button, the transcript sidebar, and the NotebookLM auto-fill helper.
• storage — local bookmarks, settings, sync queue (all in chrome.storage.local).
• tabs — open the saved-videos dashboard, onboarding tab, and the Chrome shortcuts page.
• contextMenus — right-click toggle for Auto-PiP.
• identity — Google OAuth flow when you opt into sync.
• alarms — fire bookmark reminders at the times you set.
• notifications — display reminder notifications when alarms fire.
• offscreen — play the reminder sound (service workers can't touch Web Audio directly).
• host_permissions: <all_urls> — required because Picture-in-Picture has to work on any video on any site you visit (Netflix, Vimeo, Coursera, Twitch, embedded players, etc.). The extension does not read or transmit page content from any site beyond the <video> element you interact with and, on YouTube, the captions you choose to view.
• content_scripts on notebooklm.google.com — a separate, scoped script that runs only on NotebookLM so the Send-to-NotebookLM action can paste the URL into the Add-source field. It has no access to any other site.

Third parties

PiP Cue relies on three third-party services:

1. Supabase— handles authentication (Google OAuth via Supabase) and stores your bookmarks if you've signed in. Standard server logs (IP, request timestamps) for operational purposes; we don't use them for tracking. Supabase privacy policy.
2. Google— only when you click "Sign in with Google", or when you click "Send to NotebookLM" on a saved bookmark (which opens NotebookLM, a Google product, in a new tab). PiP Cueitself never talks directly to Google's APIs beyond the OAuth screen. Google privacy policy.
3. Vercel— hosts this website. Standard hosting logs (IP, timestamps); we don't access or analyze them. Vercel privacy policy.

Your rights

• Stop syncing.Click "Sign out" in the popup, the dashboard, or the options page. Your local bookmarks remain.
• Export your data.The extension's saved-videos dashboard has an "Export" button that writes all your bookmarks to a JSON file.
• Delete your synced data. Email tenxnaveen@gmail.comfrom the email address you signed in with. We'll delete every row in our Supabase database that belongs to your user ID, plus your auth record. We'll confirm by reply within 7 days.
• Access.If you'd like a one-time machine-readable export, email the same address. We'll respond within 7 days.
• Object. Uninstall the extension to remove all local data. Email us to remove synced data.

If you are a resident of the EU/EEA, the UK, or California: the rights above are intended to satisfy GDPR Articles 15–20 and the corresponding provisions of the UK GDPR and CCPA/CPRA. We do not "sell" personal information.

Children

PiP Cueis not directed at children under 13 (or 16 in the EU/EEA). We do not knowingly collect data from anyone in that age range. If you believe a minor has signed in for sync, email us and we'll delete the account.

Trademarks

YouTube, NotebookLM, Google Chrome, Netflix, Disney+, and Prime Video are trademarks of their respective owners. PiP Cue is an independent project and is not affiliated with, endorsed by, or sponsored by any of them. Their names and marks appear on this site for nominative identification only — to describe which products PiP Cue works with.

Changes to this policy

When we update this page, we'll change the "Last updated" date and post a note in the PiP Cue release notes. Material changes that expand what we collect will be sent to signed-in users by email before they take effect.

Contact

Privacy questions or deletion requests: tenxnaveen@gmail.com