Lux Privacy Policy

Last updated: June 27, 2026

Lux (“the extension”) is a new tab dashboard for Chrome and Brave. This policy explains what data Lux accesses and how it is handled. The short version: Lux runs in your browser and keeps your data on your device. Lux operates no server that stores your data — the only Lux-run infrastructure is a minimal, stateless token relay (described below) used to connect certain accounts and refresh their access tokens, and it stores nothing.

Who operates Lux

Lux is operated by an individual developer. Contact: hyun@hyunwk.me.

Data Lux accesses

Dashboard settings and content you create (widget layout, tasks, quick links, preferences). Stored locally via the browser’s chrome.storage.
Connected-account tokens. When you connect Google, Outlook, Spotify, GitHub, or AniList, the resulting OAuth access/refresh tokens are stored locally on your device so the relevant widget can call that service on your behalf.
Basic account identity. When you connect an account, Lux reads basic profile details (such as your email address or username) to confirm which account is connected.
Google Calendar and Outlook Calendar data (read-only). If you connect a calendar, Lux reads your upcoming events to display them in the calendar widget. This data is fetched directly from Google or Microsoft to your browser.
GitHub data (read-only). If you connect GitHub, Lux reads your contribution activity, notifications, and pull requests to display them in the GitHub widget. This data is fetched directly from GitHub to your browser.
Spotify data. If you connect Spotify, Lux reads your current playback and available devices to show and control what’s playing, and starts, pauses, or skips playback at your request. To power the in-widget search, it also reads your saved tracks and playlists so it can surface and play them. This data is fetched directly from Spotify to your browser.
AniList data. If you connect AniList, Lux reads your anime and manga lists, notifications, and the recent activity of people you follow to display them in the AniList widget. AniList does not offer scoped or read-only access, so the access token it issues is account-wide (it could read and write your account). Lux only writes when you explicitly trigger it: the like button sends a single like/unlike, the +/− buttons on a title adjust your episode or chapter progress, and the mark-all-read button clears your notification count. It makes no other changes to your account. This data is fetched directly from AniList to your browser. Sign-in briefly redirects through a Lux page (lux.hyunwk.me/anilist/callback) that reads the token from the page address in your browser and passes it to the extension; the token rides in the URL fragment, which is never sent to any server.
Browser data via optional permissions. If you enable features that use them, Lux may read your bookmarks, browsing history, recently closed sessions, or most-visited sites to power the quick-access features. These are requested only when you turn on a feature that needs them and are used only on your device.
Weather location. The Weather widget looks up conditions from Open-Meteo for a place you choose by name. The place name you search is sent to Open-Meteo to resolve it and return the forecast. No account or API key is involved, no precise device location is used, and your chosen location is stored only on your device.

How Lux uses this data

Data is used solely to provide the features you see: rendering your dashboard, displaying your calendar events, controlling playback, and powering quick access. Lux does not use this data for advertising, profiling, or any purpose unrelated to the features you enable.

Storage and retention

All settings and tokens are stored locally in your browser and remain there until you remove them — by disconnecting an account, clearing the data, or uninstalling the extension. Nothing is stored off your device; the token relay described below keeps no data either.

Sharing

Lux does not sell, rent, or share your data with any third party. The only network requests Lux makes are directly to the services you connect (Google, Microsoft, Spotify, GitHub, AniList), to the Open-Meteo weather service when you use the Weather widget, and to the Lux token relay when connecting and refreshing accounts that require it — all to provide the features you requested.

Token relay

Some services — Google, Microsoft, and GitHub — require a confidential client secret to exchange and refresh access tokens, a step that cannot be performed safely inside a browser extension. To support them, Lux runs a small, stateless relay (hosted on Cloudflare) that performs only these token steps: it receives a single-use authorization code (when you sign in) or a refresh token (when a short-lived access token expires) from your browser, exchanges it with the provider for a fresh access token, and returns that token to your browser. The relay has no database, stores no data, and keeps no logs of your personal information. Your tokens are stored only on your device, and the relay is contacted only to complete sign-in and to refresh expired tokens — at all other times the widget talks to the service directly from your browser.

Google user data — Limited Use

Lux’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, the Google data Lux accesses — your calendar events (via the calendar.readonly scope) and your account email (via the userinfo.email scope) — is used only to display your events and identify the connected account, on your device; it is not transferred to others, not used for advertising, and not read by humans.

Changes

If this policy changes, the updated version will be posted at this URL with a new “Last updated” date.