Last updated: 16 July 2026
Tab Truck is built so that we cannot see your data, not merely so that we promise not to. This page explains exactly what the extension, the web app and the website touch, where it goes, and what we — the developer — can and cannot access.
To do its job, Tab Truck processes:
Tab Truck only reads a tab when you explicitly save it (via the popup, a keyboard shortcut, or the right-click menu). It does not monitor your browsing, and it does not read pages in the background.
Saved groups and notes are stored in your own Google Drive, using two narrowly-scoped Google permissions:
drive.appdata — a hidden, per-application folder that only Tab Truck can access. Your synced tabs and notes live here. The extension cannot see any of your other Drive files.drive.file — access limited to files Tab Truck itself creates. This covers the optional share links, your mailbox, and any file you send, all of which are written (encrypted) into a “Tab Truck Shares” folder. Tab Truck still cannot see any other file in your Drive.We request these two scopes specifically because they are the narrowest that make the product work. Tab Truck never requests full access to your Drive.
When you enable end-to-end encryption, Tab Truck derives a key from a passphrase you choose, entirely on your device. Your groups and notes are encrypted with that key before they are uploaded to Google Drive. The passphrase is never transmitted and is not recoverable by us — if you lose it and your recovery key, your data cannot be decrypted by anyone, including the developer.
A share can be opened in one of two ways, and in neither does a key reach us. A share link carries its decryption key in the link’s URL fragment (the part after the #), which browsers never send to any server. A mailbox message carries no key at all: the reader derives it from a passcode you gave them separately, in their own browser. The person who has the link — or the ID and the passcode — can read the shared item; Google and the developer only ever see ciphertext.
Your mailbox is a single file in your own Drive, readable by anyone who has its ID, holding one encrypted message per passcode. Reading one takes no sign-in and no account: the message itself travels directly from Google to the reader’s browser and is decrypted there. If the reader used your short code rather than the raw ID, one extra step happens first — their browser asks our directory which Drive file that code points at (see below). The directory returns a file id and nothing else; the message never passes through it.
A file you attach is encrypted and parked as its own separate file in your Drive; only a small pointer to it sits inside the mailbox message, so the file's contents are unreadable without the passcode too. You can remove a message, or let it expire, at any time; the passcode that opened it then opens nothing, and expired files are deleted automatically.
A Drive file id is 33 characters, which is miserable to read down a phone. So Tab Truck offers a short code (for example otter-7k2q) as an easier address for your mailbox. Turning a short code back into a Drive file id needs a lookup table that both you and your reader can reach, and that means a small server. It is the only one we run, and it is deliberately as ignorant as we could make it.
What it stores, per code: the code itself, the Drive file id of your mailbox, and a SHA-256 hash of an edit token (the secret that lets you, and only you, re-point that code later). That is the whole record.
What it never sees or stores: your messages, your files, your encryption keys, your passcodes, your Google account, your Google tokens, or your name or email. It could not decrypt anything if it wanted to — it has no key material of any kind.
IP addresses. To stop someone hammering the lookup, the directory keeps a short-lived counter keyed by the requesting IP address. That counter expires after 60 seconds and is never linked to your code, your content or your identity. We keep no request logs of our own. The service is hosted on Cloudflare, which processes requests under its own terms.
Using a short code is optional. If you would rather no service of ours know anything at all, hand out the raw 33-character mailbox ID instead — nothing then touches the directory.
None of your content. No server of ours receives your tabs, notes, files or messages. Your Google sign-in authorizes your browser to talk to your Drive; that authorization is never shared with us. We have no ability to read, collect or sell your data, and no key with which we could decrypt it.
The single exception, stated plainly: if you claim a short code, our directory holds that code, the Drive file id it points at, and a hash of your edit token — and briefly, an IP-keyed rate-limit counter. A file id is not content and is not a secret: it is the address your readers already have. It cannot be used to read anything, because everything at that address is ciphertext.
Google Drive stores your (encrypted) data under your own Google account, subject to its privacy policy.
Cloudflare hosts this website and the short-code directory, and therefore processes those requests under its privacy policy.
Ko-fi. This website — the marketing pages only — loads Ko-fi’s support-button script from storage.ko-fi.com, which means Ko-fi can see that a browser loaded the page. It is not present in the extension or the web app, and it never has access to your Tab Truck data. If you would rather avoid it entirely, any content blocker will remove it without affecting the product.
There are no analytics or advertising SDKs anywhere — not on the site, not in the extension, not in the web app.
Tab Truck’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Data accessed via Google Drive is used solely to provide and improve the tab backup, sync, and sharing features you request; it is not transferred to others except as necessary to provide those features, and it is never used for advertising or sold.
Your data remains in your Google Drive until you delete it. You can remove a group, note or message at any time, export everything to a file, or disconnect Google Drive to stop syncing. Messages and sent files also expire on their own if you gave them an expiry, and expired file contents are deleted automatically.
To erase everything at once, use Delete everything from Drive — in the extension under Settings → Backup & transfer → Danger zone, or at the bottom of the web app. It permanently deletes the synced file, your mailbox, every share and every file you sent, and clears the copy on your device. It cannot be undone. You can also revoke Tab Truck’s access entirely from your Google Account permissions page.
If you claimed a short code, its directory record (code, file id, edit-token hash) is not removed by the purge; once the mailbox file is gone the code simply points at nothing and resolves to an error. To have a code record deleted outright, email us at the address below.
Tab Truck is not directed at children under 13 and does not knowingly collect information from them.
If this policy changes, the “last updated” date above will change and the new version will be posted here.
Tab Truck is made by Tanapon Sangphol (Thailand), who is the data controller for the limited purposes described above. In practice that responsibility is narrow: because your data is encrypted on your device and stored in your own Google Drive, there is no Tab Truck-held copy to control.
Questions about this policy: donborero@gmail.com.