Privacy Policy — Nova
Last updated: July 2026
Nova (a new-tab homepage extension) was built with a commitment to privacy. This document explains exactly what data is stored and what network requests are made.
Guiding principle
All of your personal data is stored locally on your own device only, via chrome.storage. We do not run any servers, we do not collect data, and we have no access to any of your information. There is no analytics, no tracking, and no advertising.
Data stored locally
Your settings, tasks, notes, links, habits, and preferences are stored in chrome.storage.local on your device. If you enable sync, your settings (not the heavier data) are synced through Google's chrome.storage.sync — only between your own browsers, under your own Google account.
Network requests
The extension only contacts external services when needed, for features you've turned on:
| Service | When it's used | What's sent | Their policy |
|---|---|---|---|
| Open-Meteo | Weather widget | Coordinates or city name | open-meteo.com |
| CoinGecko | Only if the crypto ticker is enabled | Coin IDs (no personal data) | coingecko.com |
| DuckDuckGo | Only if search suggestions are enabled | Search text as you type | duckduckgo.com |
All requests are encrypted (HTTPS). Every one of these features can be turned off from Settings.
Permissions and how they're used
storage— store your settings and data locally.geolocation— location for the weather widget (you can enter a city manually instead).favicon— display site icons locally, with no external request.
Optional permissions (requested only when you turn the feature on, not at install time):
topSites— suggest quick links from your most-visited sites (read locally only).bookmarks— show bookmarks in the quick-access panel (read locally only).sessions— show recently closed tabs (read locally only).
Data read from topSites/bookmarks/sessions is never transmitted anywhere — it is used only to display it on the page.
Security
The extension uses a strict Content Security Policy (script-src 'self'), runs no dynamic code (no eval), and is protected against XSS and prototype pollution.
Contact
For privacy questions, please open an issue in this repository.