Privacy Policy — HoldPick
Last updated: 2026-04-23
HoldPick ("the extension") is a Chrome Extension that lets you long-press any image on a web page to select it, then copy it to the clipboard, download it, or drag it. This policy explains what data the extension handles and why.
Contact: contact@holdpick.org
Summary
- The extension does not read, collect, transmit, or sell your browsing history, page content, or image content.
- The extension processes images locally in your browser when you copy, resize, convert, or download them.
- If you sign in with Google (optional), we store a minimal user profile on Firebase to track your Free/Pro plan and your daily usage count.
- Pro users' download history (small JPEG thumbnail + source URL + domain + timestamp) is stored in Firestore under your account.
- Payment is handled by LemonSqueezy; we never see or store card data.
1. Data we process
1.1 Stored on your device (chrome.storage.local)
- Cached daily usage counter, cached plan tier, long-press duration, lightsaber color/thickness, default format/size, filename template.
- These never leave your device unless synced to Firestore for signed-in users (see 1.2).
1.2 Stored on Firebase (only after you sign in or are auto-assigned an anonymous ID)
- User document (
users/{uid}): Firebase UID, email (only if you use Google Sign-In), plan tier (free/pro), subscription status, created/updated timestamps. - Usage document (
users/{uid}/usage/{YYYY-MM-DD}): daily count of copy/download actions, so Free users can be limited to the daily quota. - History entries (Pro only,
users/{uid}/history/{autoId}): timestamp, image source URL, page domain, small JPEG thumbnail (generated locally, ≤128 px). Capped at 100 entries.
Anonymous Firebase Auth is used on first install so the usage counter works without a login. You can clear anonymous identity by clicking "Sign out" in the popup.
1.3 Payment data (LemonSqueezy)
- If you upgrade to Pro, payment is processed by LemonSqueezy. The extension never receives or stores payment card data.
- LemonSqueezy sends a webhook with your Firebase UID so we can flip your plan to Pro. See LemonSqueezy's privacy policy at https://www.lemonsqueezy.com/privacy.
1.4 What we do not collect
- Your browsing history.
- The HTML, text, or other content of pages you visit.
- The bytes of images you copy or download (these are processed locally and never uploaded).
- Telemetry, analytics, crash reports, or ad identifiers.
2. Permission justifications
| Permission | Why it's needed |
|---|---|
host_permissions: <all_urls> |
The core feature is long-press on any image on any web page. Restricting to specific sites would break the extension's single purpose. Content script reads only the DOM element you long-press — not page content. |
activeTab |
Ensures the content script only activates UI on the tab you interact with. |
scripting |
Injects the content script bundle into pages that match. |
clipboardWrite |
Primary action — copies the selected image to your clipboard as a PNG. |
downloads |
Primary action — saves the selected image to your Downloads folder. |
storage |
Persists your settings (long-press duration, default format, etc.) and your Firebase auth session. |
identity |
Optional Google Sign-In so your Pro plan follows your account across devices. Uses chrome.identity.getAuthToken with read-only userinfo.email and userinfo.profile scopes. Not used for Free users who don't sign in. |
3. Third-party services
- Firebase (Google LLC) — Authentication + Firestore database. Privacy policy: https://firebase.google.com/support/privacy
- LemonSqueezy — Payment processing and subscription management for Pro upgrades. Privacy policy: https://www.lemonsqueezy.com/privacy
- Google Fonts (DM Sans) — Served via Google Fonts CDN in the popup UI. Google may log the request. Privacy policy: https://policies.google.com/privacy
No other third-party services receive your data.
4. Data retention and deletion
- Settings and cached usage on your device are removed when you uninstall the extension.
- To delete your Firestore data (user doc, usage docs, history), email contact@holdpick.org with the account email. Deletion is performed within 30 days. An automated self-service endpoint is planned; until then, this is handled manually.
- Free-tier anonymous Firebase accounts are not linked to any personal identifier; they are kept for usage-tracking only and can be reset by clicking "Sign out."
5. Children
The extension is not directed to children under 13. We do not knowingly collect data from children.
6. Changes to this policy
Material changes will be reflected in the "Last updated" date and announced on the repository README. Continued use after an update constitutes acceptance.
7. Contact
Privacy questions, data deletion requests, or legal notices: contact@holdpick.org