Privacy Policy

Last updated: May 19, 2026

1. Introduction

This Privacy Policy explains how Bubbling collects, uses, shares, and protects your personal data when you use our services.

Bubbling is a Chrome extension and web dashboard. The extension displays a timer on AI platforms such as ChatGPT, Claude, Gemini, and Grok, giving you a moment to pause and reflect on your own question before reading the response. This Policy applies to the Bubbling extension, the dashboard at bubbling.co, and the backend services that support them.

We have written this Policy in plain language. If anything is unclear, please contact us using the information in Section 11.

2. Information We Collect

This section describes the categories of personal data we collect when you use Bubbling. For each category, we describe what we collect, where it comes from, how it is stored, and how long it is kept.

2.1 Account information

When you sign in to Bubbling using Google OAuth, we receive and store the following information from Google:

• Your email address
• The display name on your Google account
• The URL of your Google profile picture
• Your Google account identifier (the OAuth subject claim)

This information is used to identify your account and to display your profile in the Bubbling dashboard. We do not receive or store your Google password.

This category is retained for the lifetime of your account.

2.2 Content you create

When you use the Bubbling extension, the following content is captured and stored on our servers:

• The content you enter into the Bubbling extension modal
• The prompts you sent to an AI platform (such as ChatGPT, Claude, Gemini, or Grok) in the conversation where you used Bubbling
• The response you received from the AI platform in that conversation
• The tags you create, accept, or select to label a conversation

This content is encrypted at the application layer with AES-256 before being written to our database. It is stored on our servers until you delete it, until you delete your account, or until the conversation it belongs to is deleted — whichever comes first.

2.3 Conversation metadata

For each conversation where you use Bubbling, we also store metadata that describes the conversation itself, separately from the content you create:

• The URL of the conversation on the external AI platform (for example, a specific ChatGPT or Claude conversation URL)
• The identifier of the AI platform (chatgpt, claude, gemini, grok)
• Timestamps for when each piece of content was captured

The conversation URL is a pointer to your original conversation on the third-party AI platform. It is not an access credential: possessing the URL alone does not grant access to your conversation.

This metadata is retained alongside the content it refers to (see 2.2) and deleted when that content is deleted.

2.4 Usage event records

As you use Bubbling, we record event records describing your activity. These records are associated with your account identifier. They include:

• The type of event — for example: opening the side panel, completing or skipping the timer modal, clicking a tag, adding a tag, or removing a tag
• The timestamp of the event
• The AI platform involved, when applicable
• Quantitative measurements — such as the length of the timer, the duration before skipping, the number of messages you entered during the timer modal, and the length (in characters) of the question or the tag
• References (UUIDs) linking the event to a specific conversation or reflection session, when applicable

We do not store the content of your tags, prompts, or responses inside event records — only the metrics listed above. The full content remains in the encrypted store described in 2.2.

We use these records to understand how the product is used in aggregate, to improve features, and to diagnose issues. They are retained alongside your account, with special handling on account deletion (described in our Data Retention section).

2.5 Feedback submissions

If you submit feedback through Bubbling, we store the following in encrypted form:

• The message text you wrote
• The User-Agent string your browser submitted along with the feedback, up to 512 characters

We use feedback submissions to read and respond to you and to improve the product.

2.6 Information we do NOT collect

For transparency, we want to be specific about what we do not collect from your interactions with Bubbling:

• Your IP address is not read or stored by our application servers. Our backend code does not access the client IP from incoming requests and does not write it to our database.
• We do not read the User-Agent header from your browser. The only User-Agent string we store is one you submit voluntarily inside a feedback form (see 2.5 above).
• We do not sell your personal data to any third party.

There are two important exceptions to be aware of:

1. Cloud infrastructure logs. Our infrastructure providers, primarily Amazon Web Services, may log network-level metadata (such as your IP address and the requested URL) at the load balancer, CDN, or VPC level for security and operational purposes. These logs are managed by AWS under their data processing terms. We access them only when investigating security incidents or operational problems.

2. Authentication providers. When you sign in via Google OAuth, Google observes the IP address and User-Agent of your sign-in request. This is part of how Google's authentication service works and is governed by Google's own privacy policy. We do not receive a copy of that information from Google.

3. How We Use Your Information

This section describes the purposes for which we process the personal data described in Section 2.

3.1 Providing the Bubbling service

We use the data we collect to deliver the core functionality of Bubbling. Specifically, this includes:

• Authenticating you and identifying your account across sessions (account information, 2.1)
• Storing the content you create through the extension and making it retrievable from the dashboard (content you create, 2.2)
• Linking captured content back to the conversation on the external AI platform where it originated (conversation metadata, 2.3)

3.2 Powering AI-driven features

Some Bubbling features are powered by AI. To deliver these features, we process the content of your conversations. These features include:

• Generating persona text shown within the timer modal
• Suggesting tags for that conversation

When you use these features, the relevant content is sent to a third-party AI service provider for processing. We describe this provider in detail in Section 4.

3.3 Improving and maintaining the product

We use the usage event records described in 2.4 to understand how Bubbling is used in aggregate, to identify which features are working as intended, to prioritize what to build next, and to diagnose operational issues such as errors or slow requests.

We also use the cloud infrastructure logs described in 2.6 to investigate security incidents and operational problems.

3.4 Responding to you

When you submit feedback through Bubbling (2.5), we read your message and, where appropriate, use it to respond to you or to address the issue you described.

3.5 What we do NOT do with your data

For clarity, we want to be explicit about uses we do not engage in:

• We do not use your conversation content to train any machine learning model that we own or operate. Bubbling itself does not train AI models on your data. AI processing is performed by a third-party provider described in Section 4, under that provider's data-handling terms.
• We do not share your data with advertisers or use it for advertising purposes.
• We do not engage in automated decision-making that produces legal or similarly significant effects about you, within the meaning of GDPR Art. 22. The AI features described in 3.2 produce suggestions and aids — they do not make decisions that affect your rights or obligations.

Summary of legal bases

4. Third Parties We Share Data With

We work with a small number of third-party service providers to operate Bubbling. We do not sell or rent your data to anyone. The third parties listed below process data on our behalf and are bound by contractual data-protection obligations.

4.1 OpenAI

We use OpenAI's API to power the AI-driven features described in Section 3.2.

What is shared: When you use these features, the content of your conversation — including your prompt to the AI platform, the AI platform's response, and the content you entered into the Bubbling extension modal — is sent to OpenAI for processing.

Purpose: Generating persona text and tag suggestions.

Location: United States.

Data handling: OpenAI processes this data under their API Data Processing Addendum. By default, OpenAI does not use API inputs or outputs to train their models. OpenAI may retain API data for a limited period (typically up to 30 days) for abuse-prevention purposes. For details, see OpenAI's enterprise privacy page at https://openai.com/enterprise-privacy/ and their privacy policy at https://openai.com/policies/.

4.2 Google (Sign-in)

We use Google Sign-In (OAuth) to authenticate your account.

What is shared: When you sign in, your browser communicates directly with Google to verify your identity. We do not send Google any information about your activity within Bubbling. In response, Google sends us your email address, display name, profile picture URL, and Google account identifier (OAuth subject claim).

Purpose: Authenticating you and creating or accessing your Bubbling account.

Location: United States.

Data handling: Your sign-in interaction with Google is governed by Google's privacy policy at https://policies.google.com/privacy.

4.3 Amazon Web Services (AWS)

We use AWS to host the Bubbling backend, database, cache, and serverless functions.

What is processed: All data described in Section 2 — your account information, the content you create, conversation metadata, usage event records, and feedback submissions — is stored on or transits through AWS services.

Purpose: Running the application, storing your data, and operating the infrastructure that delivers Bubbling.

Location: AWS US East (Northern Virginia) region — United States.

Data handling: AWS processes data under the AWS Data Processing Addendum. AWS does not access the contents of data in our account except as required to operate the services or respond to lawful requests. For details, see https://aws.amazon.com/compliance/data-protection/.

Cross-border data transfer details (Standard Contractual Clauses, supplementary safeguards, and other transfer mechanisms) are covered in Section 6, International Data Transfers.

5. How We Protect Your Information

We take the security of your data seriously and apply technical and organizational measures appropriate to the risks involved in processing your personal data, in keeping with our obligations under GDPR Art. 32.

5.1 Encryption in transit

All connections between your browser, the Bubbling extension, and our servers are protected by TLS (HTTPS). Our load balancer is configured to use TLS 1.2 or TLS 1.3 with restricted cipher suites. Connections between our application servers and our internal services — including the database and cache — are also encrypted with TLS.

5.2 Encryption at rest

We apply encryption at rest at two layers:

• Storage-level encryption. Our database (Amazon Aurora PostgreSQL) is encrypted at rest using AWS Key Management Service (KMS).

• Application-level encryption. In addition, we apply AES-256 encryption at the application layer to the most sensitive fields before they are written to the database:

  • The content you create — your prompts, AI responses, the content you enter into the Bubbling extension modal, and your tags (see Section 2.2)
  • The content of your feedback submissions, including the User-Agent string submitted with them (see Section 2.5)

  This means that even within our database, these fields are stored as ciphertext, not as plaintext.

5.3 Access controls

Access to production systems and to the contents of your data is restricted to the operator of Bubbling. We do not access the contents of your stored data except as needed to operate the service, to diagnose specific issues you have reported to us, or to respond to lawful requests.

5.4 Infrastructure security

Bubbling is hosted on Amazon Web Services (AWS), inside a private network (VPC). Our application servers are not directly accessible from the public internet; all incoming traffic flows through a managed load balancer that terminates TLS. We rely on the underlying security certifications and controls maintained by AWS — see https://aws.amazon.com/compliance/ for details.

5.5 No system is completely secure

While we apply industry-standard practices to protect your data, no system or service can guarantee absolute security. If you become aware of a security issue affecting Bubbling, please contact us — see the contact section at the end of this Policy.

5.6 Notification of personal data breaches

If we become aware of a personal data breach affecting your data:

• We will notify the relevant supervisory authority within 72 hours where required under GDPR Art. 33.
• We will notify you without undue delay where the breach is likely to result in a high risk to your rights and freedoms under GDPR Art. 34.

6. International Data Transfers

Bubbling's infrastructure is located primarily in the United States. When you use Bubbling, your personal data is transferred to and processed in the United States through the third parties identified in Section 4 (Amazon Web Services, OpenAI, and Google).

We apply the safeguards listed below to all transfers of personal data, regardless of where you are located.

6.1 Contractual safeguards

Each of our third-party providers processes personal data on our behalf under a Data Processing Addendum (DPA) that incorporates the Standard Contractual Clauses approved by the European Commission for international data transfers (Commission Implementing Decision (EU) 2021/914).

These clauses impose binding obligations on each provider to protect personal data to a standard essentially equivalent to GDPR, including obligations on:

• security and confidentiality
• onward transfer restrictions
• assistance with data-subject rights
• breach notification
• liability and remedies

We apply these clauses to all transfers, including transfers from jurisdictions that may not otherwise require this level of contractual protection. This way, every user of Bubbling benefits from the same baseline of transfer safeguards.

6.2 Provider certifications

Where our providers maintain additional certifications relevant to international transfers — such as the EU–U.S. Data Privacy Framework (DPF), or other recognized adequacy mechanisms — those certifications apply in addition to the contractual safeguards above. Details are available in each provider's privacy and compliance documentation, linked from Section 4.

6.3 Technical safeguards

In addition to legal and contractual mechanisms, we rely on the technical measures described in Section 5 to protect personal data during international transfer:

• TLS encryption of all data in transit between regions
• Application-layer AES-256 encryption of the most sensitive content fields
• Access controls limiting who can read or process the data

6.4 Requesting transfer information

You can request a copy of the contractual safeguards (such as the Standard Contractual Clauses) that apply to transfers of your data by contacting us — see the contact section at the end of this Policy.

7. Data Retention

This section describes how long we keep each category of personal data collected under Section 2, and what happens when you delete your account.

7.1 Account information

We retain your account information for as long as your Bubbling account exists. If you delete your account, this information is deleted as described in 7.6.

7.2 Content you create

The content you create (Section 2.2) is retained until any of the following occurs:

• You delete the specific item from the dashboard
• You delete your Bubbling account
• The conversation that the content belongs to is deleted

Whichever occurs first will trigger deletion of the affected content.

7.3 Conversation metadata

Conversation metadata (Section 2.3) is retained alongside the content it refers to (7.2) and deleted when that content is deleted.

7.4 Usage event records

Usage event records (Section 2.4) are retained for as long as your account remains active. They are handled differently on account deletion — see 7.6.

7.5 Feedback submissions

Feedback submissions (Section 2.5) are retained for as long as your account remains active. They are deleted when you delete your account.

7.6 Account deletion

When you delete your Bubbling account, the following happens:

1. Your account information, content, conversation metadata, and feedback are permanently deleted. This covers all data described in Sections 2.1, 2.2, 2.3, and 2.5.

2. Your usage event records are anonymized and aggregated, then deleted. Before deletion, we compute non-identifying aggregate statistics from your event history — such as how long the account was active, how many events occurred in total, and which platforms were used — and store those statistics with a random identifier that cannot be linked back to you. The original event records are then permanently deleted. These aggregate statistics are used only to understand how users engage with Bubbling over time.

3. Backups. Automated backups maintained by our infrastructure provider may continue to contain copies of your data for up to 7 days after deletion, after which the backups are rotated and the data is removed from them as well.

7.7 Legal and operational exceptions

We may retain data beyond the periods described above if necessary to:

• Comply with a legal obligation
• Establish, exercise, or defend legal claims
• Investigate suspected fraud, abuse, or violations of our terms

In such cases, the retained data is limited to what is strictly necessary for the specific purpose, and is deleted once that purpose no longer applies.

8. Your Rights

We respect your rights regarding your personal data. The rights listed below are granted to all Bubbling users, regardless of where you are located.

8.1 Rights you have

You have the following rights regarding the personal data we hold about you:

• Right of access (GDPR Art. 15). You can request a copy of the personal data we hold about you.
• Right to rectification (GDPR Art. 16). You can request that we correct inaccurate or incomplete data about you.
• Right to erasure (GDPR Art. 17). You can request that we delete your personal data. The fastest way to exercise this right is by deleting your Bubbling account from the profile settings page — see Section 7.6 for what happens on account deletion.
• Right to restrict processing (GDPR Art. 18). You can request that we limit how we use your data in certain circumstances.
• Right to data portability (GDPR Art. 20). You can request a copy of your data in a structured, commonly used, machine-readable format.
• Right to object (GDPR Art. 21). You can object to processing of your personal data that is based on our legitimate interests (see Section 3.3 and the legal-basis summary in Section 3).

8.2 Rights related to automated decision-making (GDPR Art. 22)

As described in Section 3.5, we do not engage in automated decision-making that produces legal or similarly significant effects about you. The AI features in Bubbling produce suggestions and aids only.

8.3 How to exercise your rights

To exercise any of the rights above, contact us using the contact information at the end of this Policy. We will respond to your request within one month of receiving it. In exceptional cases — for example, complex requests or unusually high volume — we may extend this period by up to two additional months, in which case we will inform you of the extension and the reason for it.

We do not charge a fee for responding to legitimate requests.

8.4 Right to lodge a complaint

If you believe our handling of your personal data does not comply with applicable data protection law, you have the right to lodge a complaint with the data protection authority of your jurisdiction. You can do so without contacting us first, although we encourage you to reach out to us so we can address your concerns directly.

8.5 Verification of identity

To protect against unauthorized requests, we may ask you to verify your identity before responding to a request — for example, by signing in to your Bubbling account or confirming via your registered email address.

9. Children

Bubbling is intended for users aged 16 and over. We do not knowingly collect personal data from anyone under 16. If you are a parent or guardian and believe your child under 16 has created an account, contact us using the contact information at the end of this Policy — we will delete the account and all associated data in accordance with Section 7.6.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, our technology, applicable legal requirements, or for other operational reasons.

When we make material changes to this Policy, we will notify you through the Bubbling dashboard or by email to the address associated with your account, before the changes take effect.

The "Last updated" date at the top of this Policy will always reflect when the most recent change was made. We encourage you to review this Policy periodically.

If you do not agree with an updated Policy, you may delete your Bubbling account before the changes take effect.

11. Contact

Bubbling is operated by Mincheol Kim.

Email: privacy@bubbling.co

For questions about this Privacy Policy, to exercise the rights described in Section 8, or to report any concerns about how we handle your personal data, please contact us at the email address above.