Privacy Policy

Last updated: March 24, 2026

The short version

SecondChat lets you chat with other people browsing the same web page. We collect only what's needed to make that work — your chosen username, the pages you chat on, and your messages. We don't sell your data, we don't track you across the web, and we don't use third-party analytics or tracking pixels in the extension. Messages are automatically deleted after 30 days.

1. Who we are

SecondChat is a browser extension that adds a real-time chat sidebar to any web page. When you visit a page, you can see and talk to other SecondChat users on that same page.

SecondChat is published by runelab. Contact: support@secondchat.app

This policy covers the SecondChat browser extension and the server infrastructure that powers it.

2. Information we collect

2a. When you use SecondChat as a guest

You can use SecondChat without creating an account. When you do, we collect:

Server-assigned username — a randomly generated name like "CosmicHawk" that identifies you in chat. You don't choose this; our server creates it.
Page URLs you chat on — the hostname and path of web pages where you join a chat room (e.g., youtube.com/watch?v=abc123). This is used as the "room key" so people on the same page can talk to each other.
Chat messages — the text content of messages you send.
IP address (hashed) — we immediately transform your IP address using a one-way cryptographic hash (SHA-256). The original IP address is not stored in our database. We also store the first three octets of your IP (e.g., 192.168.1.*) for abuse correlation. The full IP is never persisted.
Device identifier — a randomly generated UUID (created using crypto.randomUUID()) stored locally on your device. This identifier is used for device-level ban enforcement and daily active user counting. It is not linked to your browser fingerprint, hardware, or any other identifier. It is sent to SecondChat servers only.
Timestamps — when you first and last used SecondChat, and when each message was sent.
Country code — your approximate country is determined from your IP address using a local database (MaxMind GeoLite2) on our server. No third-party service receives your IP address for this purpose. Only the two-letter country code (e.g., "US") is stored.

2b. When you sign in with Google or Twitch

If you choose to sign in, we additionally collect:

OAuth provider ID — your Google account ID or Twitch account ID. This links your SecondChat account to your identity on that platform.
Email address — provided by Google or Twitch during sign-in. Used to identify your account.
Display name / Twitch login — your Twitch username, if you sign in with Twitch.
Profile picture URL — the avatar URL from your Google or Twitch profile.

We request the minimum OAuth scopes needed: openid email profile from Google and user:read:email from Twitch. We do not access your contacts, files, streams, subscriptions, or any other account data.

2c. Analytics data

We collect first-party analytics events to understand how SecondChat is used. These events include:

Install — recorded once when you first open SecondChat
Session — recorded once per day when you open SecondChat
Signup / Login — recorded when you create an account or sign in

Each analytics event records: the event type, your device identifier (the locally generated UUID described in section 2a), a timestamp, and your user ID if you are signed in.

Analytics events are first-party only — they are sent to SecondChat servers and nowhere else. They do not contain message content, page URLs, or browsing history. No third-party analytics services or tracking pixels are used by the extension.

2d. Feedback and abuse reports

If you submit feedback or report abusive content through the extension, we collect:

Feedback submissions — feedback type (bug, feature, abuse, other), your message text, your username, the current room key, and your browser user agent string. If you are a guest, you may optionally provide an email address for follow-up; if you are signed in, your account email is used automatically.
Abuse reports — the reported user's username, the reported message text, the reason you selected, and any additional note you provide.

Feedback is stored in our database indefinitely until reviewed and resolved by an administrator. Abuse reports are stored until reviewed and resolved. Both are accessible only to SecondChat administrators.

2e. Server logs

Our servers temporarily record IP addresses, request metadata, and error information in operational logs for security monitoring and debugging purposes. Server logs are automatically rotated and deleted within 7 days. Server logs are not used for advertising or profiling.

2f. Information we do NOT collect

We do not read or access the content of web pages you visit
We do not record your browsing history beyond the specific pages where you actively join a chat room
The extension reads the URL of the active tab in order to determine the chat room associated with the current page. It does not access page content, DOM elements, or execute scripts on the page.
We do not collect passwords
We do not use cookies for tracking (our cookies are strictly for authentication)
We do not use third-party analytics, tracking pixels, or ad-measurement scripts inside the extension

3. How we use your information

Data	Purpose
Page URLs (room keys)	Route you to the correct chat room so people on the same page can talk
Username and color	Identify you in chat to other users
Chat messages	Deliver messages to other users in the same room, store for backfill when new users join
IP hash and country code	Detect ban evasion, correlate abusive accounts, display country flags in admin panel
Device identifier	Enforce device-level bans against abusive users, count daily active users
OAuth profile data	Create and authenticate your account, display your chosen username
Email address	Account identification; we do not send marketing emails unless you opted into the beta waitlist
Analytics events	Measure usage patterns (installs, daily sessions, sign-ups) for internal product improvement only
Feedback submissions	Improve the product, fix bugs, respond to user questions
Abuse reports	Investigate and act on reported content or users

4. Automated content moderation

SecondChat uses automated moderation to keep chat safe. This includes:

Word filters — server-side filters that block messages containing prohibited words or phrases.
Rate limiting — limits on how quickly you can send messages to prevent spam.
AI-assisted spam detection — when enabled by the administrator, chat messages may be sent to Anthropic's Claude API for automated spam classification. Only the message text and your username are sent. The AI returns a single-word verdict (SPAM or OK) and no message content is retained by Anthropic beyond the API call. Anthropic processes this data according to their privacy policy and API terms of service. This feature can be disabled at any time by the administrator.

Users may report abusive content using the built-in moderation tools available in the chat interface (right-click or long-press on any message).

5. External services the extension contacts

The SecondChat extension communicates with the following external services. This is a complete list.

Service	Domain(s)	Purpose	Data sent
SecondChat API	`api.secondchat.app`	Authentication, profiles, moderation, config, feedback	Auth tokens, messages, room keys, device ID
SecondChat WebSocket	`chat.secondchat.app`	Real-time chat message delivery	Auth tokens, messages, room keys
DiceBear Avatars	`api.dicebear.com`	Generate default profile avatars	Username as URL parameter only
7TV Emote CDN	`cdn.7tv.app`	Load chat emote images	Image requests only — no user data
BetterTTV CDN	`cdn.betterttv.net`	Load chat emote images	Image requests only — no user data
FrankerFaceZ CDN	`cdn.frankerfacez.com`	Load chat emote images	Image requests only — no user data

Emote images from 7TV, BetterTTV, and FrankerFaceZ are a core feature of SecondChat — they enable the shared visual language of internet chat culture. These CDNs receive standard HTTP image requests but no SecondChat user data, authentication tokens, or identifiers.

6. Data storage and retention

Chat messages are stored in our database and automatically deleted after 30 days.
Guest identities expire and are purged after 30 days of inactivity.
Registered accounts are retained until you request deletion.
Server logs are automatically rotated and deleted within 7 days.
Temporary data (presence indicators, typing status, reaction counts) is stored in Redis with short time-to-live values and is not persisted long-term.
Message backfill — the most recent messages per room are cached temporarily so new users see recent context when joining.
Analytics events are stored for up to 90 days, then automatically deleted.

All data is stored on servers operated by Hetzner Cloud in the United States.

7. Data sharing

We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes. Your data may be shared in these limited circumstances:

Other SecondChat users — your username, display color, and chat messages are visible to other users in the same room. Your email, IP hash, and account details are never shown to other users.
AI moderation — as described in section 4, message text may be sent to Anthropic's API for spam detection.
OAuth providers — during sign-in, we exchange authorization codes with Google or Twitch to verify your identity. No chat data is sent to these providers.
Legal requirements — we may disclose data if required by law, subpoena, or court order.

8. Advertising

SecondChat may display sponsored messages in the chat feed. These are clearly labeled with the word "Sponsored" and a distinct visual style. Sponsored messages are not sent by other users.

Sponsored content is served by SecondChat's own server — no third-party ad networks, ad scripts, or tracking pixels are loaded by the extension. Ad delivery is not personalized based on your chat content, browsing history, or any user profile. We do not share any user data with sponsors.

9. Browser extension permissions

SecondChat requests these browser permissions:

Permission	Why
`tabs`	Read the URL of your active tab to determine which chat room to connect you to. Does not access page content.
`storage`	Store your authentication token, guest identity, device identifier, and chat preferences locally on your device
`sidePanel`	Display the chat interface as a browser side panel
`webNavigation`	Detect when you navigate to a new page so the chat room updates automatically

The extension does not inject content scripts into web pages and does not modify page content. See section 5 for a complete list of external services the extension communicates with.

10. Local data stored by the extension

The extension stores the following data locally on your device using the browser's local storage API (chrome.storage.local/browser.storage.local):

Authentication token (JWT) — for keeping you signed in. Expires after 7 days.
Guest token — your persistent anonymous identity. Expires after 30 days.
Device identifier — a randomly generated UUID, stored permanently until you uninstall the extension or clear extension data.
Display preferences — theme, font size, notification settings.
Recent message history — cached locally per room for showing recent context. Up to 200 messages per room depending on user settings (default 50), automatically cleaned after 7 days of inactivity.
Dismissed announcements — IDs of announcements you've dismissed, so they don't reappear.

This data never leaves your device except for authentication tokens and device identifiers sent to SecondChat servers to verify your identity and enforce moderation. You can clear all local data by removing the extension or clearing extension storage in your browser settings.

11. Security

We take reasonable measures to protect your data:

All connections use TLS encryption (HTTPS and WSS)
Authentication tokens are signed JWTs with expiration
IP addresses are hashed with SHA-256 before storage — the original IP cannot be recovered from the hash
OAuth uses industry-standard flows with CSRF protection
Database access is restricted to the application server
Admin endpoints require separate authentication
GeoIP lookups use a local database — no third party receives your IP for geolocation

12. Data breach notification

In the event of a data breach affecting personal information, we will notify affected users and relevant regulatory authorities as required by applicable law. Notification will occur without unreasonable delay and will include a description of the breach, the types of data affected, and steps being taken in response.

13. Age requirement

Users must be at least 13 years old to use SecondChat. We do not knowingly collect personal information from anyone under the age of 13. If you believe someone under 13 has provided us with personal information, please contact us and we will promptly delete it.

14. Your rights

All SecondChat users can:

Access your data — contact us to request a copy of data we hold about you.
Delete your account — contact us to request deletion of your registered account and all associated data.
Clear local data — remove the extension or clear its storage at any time.
Use SecondChat anonymously — you can always use SecondChat as a guest without providing any personal information beyond what is described in section 2a.
Log out — signing out clears your authentication token and reverts you to guest mode.

For users in the European Economic Area (EEA)

Our lawful bases for processing your personal data under the General Data Protection Regulation (GDPR) are:

Performance of a contract — processing necessary to provide the chat service you use (delivering messages, maintaining your account, room routing).
Legitimate interests — processing necessary for abuse prevention, content moderation, spam detection, and service security, where these interests are not overridden by your rights.
Consent — where you voluntarily sign in via Google or Twitch, providing us with your profile data.

In addition to the rights listed above, EEA residents have the right to:

Rectification — request correction of inaccurate personal data.
Data portability — request a copy of your data in a structured, commonly used format.
Restriction of processing — request that we limit how we use your data in certain circumstances.
Object to processing — object to processing based on legitimate interests.
Lodge a complaint — you have the right to lodge a complaint with a supervisory authority in your country of residence.

For California residents

Under the California Consumer Privacy Act (CCPA), California residents have the right to:

Know — request disclosure of the categories and specific pieces of personal information we have collected about you.
Delete — request deletion of personal information we hold about you.
Non-discrimination — we will not discriminate against you for exercising your CCPA rights.

We do not sell personal information as defined by the CCPA. To exercise any of these rights, contact us at the address below.

15. Chrome Web Store Limited Use policy

SecondChat complies with the Chrome Web Store User Data Policy, including the Limited Use requirements. This applies to all data the extension accesses or collects:

We only collect data that is necessary to provide the page-scoped chat feature described in this policy.
We do not transfer user data to third parties except as described in section 7 (other users see your messages, AI moderation, OAuth identity verification, legal requirements).
We do not use user data for advertising, marketing, or any purpose unrelated to the core chat functionality.
We do not sell user data.
We do not allow humans to read user data except: with the user's affirmative consent, for security/abuse investigation, to comply with applicable law, or when data is aggregated and anonymized for internal analytics.

Google API Services User Data Policy

SecondChat's use and transfer of information received from Google APIs additionally adheres to the Google API Services User Data Policy, including the Limited Use requirements. We only use Google user data (email, name, profile picture) to create and authenticate your SecondChat account. We do not transfer Google user data to third parties for advertising, do not allow humans to read it without consent, and do not use it for purposes unrelated to the core functionality of SecondChat.

16. Changes to this policy

We may update this privacy policy from time to time. When we make significant changes, we will update the "Last updated" date at the top. Continued use of SecondChat after changes constitutes acceptance of the updated policy.

17. Contact

For privacy questions, data requests, or concerns, contact us at:

support@secondchat.app