Privacy Policy

Deck for Nextcloud

Last updated: April 2026

1. About This Policy

This Privacy Policy explains what data the Deck for Nextcloud extension ("the Extension", "we", "our") collects, stores, and shares — and what it does not. By installing or using the Extension you agree to the practices described here. If you disagree, please uninstall it.

2. About Deck for Nextcloud

Deck for Nextcloud is a Chrome extension that lets you browse and manage your Nextcloud Deck boards, cards, stacks, labels, and due dates directly from your browser toolbar. It connects exclusively to the Nextcloud server you configure — no other servers are involved in card data.

3. Data We Collect

The Extension stores the following data locally on your device only:

Your Nextcloud server URL and username, plus an app password used to authenticate with your server. Both login methods (Browser Login via Login Flow v2, and manual App Password entry) result in the same thing being stored: a Nextcloud-issued app password. Your main Nextcloud account password is never requested, seen, or stored. All credentials are encrypted with AES-256-GCM before being saved.
Your Deck boards, stacks, cards, labels, and assignments — cached locally so the extension works offline and syncs efficiently. Card titles and descriptions are also encrypted at rest.
Your display preferences (theme, font size, sync interval) and optional PIN setting (stored as a SHA-256 hash, never the raw PIN).

None of this data ever leaves your device except as part of the direct, encrypted HTTPS connection to your own Nextcloud server.

4. Data We Do NOT Collect

We do not collect, transmit, or store any of the following:

Personal identifiers such as your name, email address, IP address, or device ID.
Usage data, telemetry, crash reports, or analytics of any kind.
Browsing history or activity on other websites.
Card content, board names, or any Nextcloud data — outside your own device and your own server.
Payment or financial information.

The Extension contains no analytics SDKs, no tracking pixels, no third-party advertising, and makes no outbound network requests except to your configured Nextcloud server and the Polar.sh checkout service described in Section 6.

5. Chrome Permissions — Why We Request Them

The Extension requests the following Chrome permissions:

storage — Saves your encrypted credentials, cached boards/cards, and display preferences to chrome.storage.local and chrome.storage.session.
alarms — Schedules periodic background syncs with your Nextcloud server at the interval you choose.
tabs — Opens the Nextcloud Login Flow page in a new tab during authentication setup, then closes it after approval.
optional_host_permissions (<all_urls>) — Requested only at runtime, when you provide your server URL. Required to allow the extension to make API calls to whichever domain hosts your Nextcloud instance. No access is granted to any other site.

6. Third-Party Services

The Extension includes an optional "Support the project" donate button powered by Polar.sh. If you choose to donate:

Clicking the button loads a Polar.sh checkout widget. You are interacting directly with Polar.sh and their privacy policy applies.
The Extension itself receives no payment data and stores nothing from the donation flow.
Donating is entirely optional and has no effect on extension functionality.

Polar.sh privacy policy: https://polar.sh/legal/privacy

7. Trademark & Affiliation Disclaimer

"Nextcloud" and the Nextcloud logo are trademarks of Nextcloud GmbH. This extension is an independent community project and is not affiliated with, endorsed by, or supported by Nextcloud GmbH in any way. All trademarks belong to their respective owners.

8. Your Rights & Control Over Your Data

Because all data is stored locally on your device, you have complete control:

Access: Open the extension options page to view your connected server and credentials.
Delete: Click "Disconnect" in the options page to wipe all stored credentials and cached data instantly. Uninstalling the extension removes all stored data.
Portability: Your data lives in Chrome's local storage on your own device — no account or export request is needed.

9. Children's Privacy

The Extension is not directed at children under the age of 13. We do not knowingly collect any information from children. If you believe a child has used this Extension, please contact us at the address in Section 15 and we will assist however we can.

10. Security

We take security seriously:

Credentials and card content are encrypted on-device using AES-256-GCM via the browser's built-in Web Crypto API before being saved to storage.
A random 12-byte IV is generated per encryption operation and stored alongside the ciphertext.
The optional PIN is stored only as a SHA-256 hash — the raw PIN is never saved anywhere.
All communication with your Nextcloud server uses HTTPS.
The published extension code includes integrity checks (SHA-256 file hashes) that halt execution if any extension file has been tampered with after installation.

Despite these measures, no security measure is 100% effective. If you discover a security issue, please contact us privately before disclosing it publicly.

11. Transparency & Open-Source Intent

The source code for this extension is available for inspection. We believe users deserve to know exactly what software running in their browser does. The extension contains no minified third-party bundles from external CDNs, no dynamically loaded scripts, and no eval() calls. The published build is obfuscated to protect against copying, but the original source code remains auditable.

12. Legal Rights, Fair Use & DMCA

All original code in this extension is copyright of its authors. The extension may reference Nextcloud's public REST API solely to provide interoperability. If you believe any content in this extension infringes your rights, please contact us at the address in Section 15 with a description of the concern and we will respond promptly.

13. International Users & GDPR

This extension stores data only on your local device and does not transmit personal data to any server we control. As such, standard data-controller obligations under GDPR, CCPA, or similar regulations do not apply to us. If you use this extension within the EU, your data remains on your own device and is processed by your own Nextcloud server under your own control.

14. Changes to This Policy

We may update this policy as the extension evolves. The "Last updated" date at the top will reflect any changes. Continued use of the extension after an update constitutes acceptance of the revised policy. For significant changes we will include a note in the Chrome Web Store release notes.

15. Contact

For privacy questions, bug reports, feature requests, or any other feedback:

chromeextensions@howareyou.cc

We aim to respond to all inquiries within 5 business days.