NoStack ("we", "our", "the extension") is a Chrome browser extension that saves Substack content to Notion. This policy explains what data we collect, how we use it, and how we protect it.
1. Data We Collect
NoStack collects and processes the following data:
- Notion OAuth Token: When you connect your Notion account via OAuth, we receive an access token from Notion. This token is stored locally in your browser using Chrome's storage API and is never synced across devices.
- Database Configuration: The ID and name of the Notion database you select for saving articles.
- Saved Article URLs: A local list of URLs you have saved, stored in your browser only, used to show the "Already Saved" indicator and prevent duplicates.
- Page Content: When you click "Save to Notion," the extension reads the content of the current Substack page (title, author, body text, images) in order to send it to the Notion API.
2. Data We Do NOT Collect
- We do not track your browsing history beyond saved URLs.
- We do not collect analytics, telemetry, or usage data.
- We do not store your data on our servers (except as described in Section 4 for the sharing feature).
- We do not sell, rent, or share your data with third parties.
- We do not read pages you do not explicitly save.
3. How Data Flows
When you save an article:
- The content script reads the current page's DOM in your browser.
- The extension's service worker sends the extracted content directly to the Notion API (api.notion.com) using your OAuth token.
- No content passes through our servers for standard saves.
When you connect via OAuth:
- Your browser is redirected to Notion's authorization page.
- After you authorize, Notion redirects to our Cloudflare Worker (api.nostack.space), which exchanges the authorization code for an access token.
- The token is passed to the extension and stored locally. Our server does not retain the token after the exchange.
4. Sharing Feature
If you enable the public sharing feature:
- Your Notion access token is encrypted using AES-256-GCM and stored in Cloudflare KV (key-value storage) associated with a random, unguessable share token.
- When someone visits your public share link, our Cloudflare Worker decrypts the token, queries your Notion database, and renders the article list as HTML. The token is never exposed in the response.
- You can disable sharing at any time, which immediately deletes the encrypted token from our storage.
5. Database Auto-Creation
If you use the "Create New Database" feature, your Notion token is sent to our Cloudflare Worker to create the database via the Notion API. The token is used for this single request and is not stored.
6. Security
- All communication uses HTTPS.
- OAuth tokens are stored in chrome.storage.local (never synced cross-device).
- The extension uses a Content Security Policy that restricts connections to api.notion.com and api.nostack.space only.
- OAuth includes CSRF protection via a cryptographic state parameter.
- Our Cloudflare Worker validates all requests using extension ID verification.
- Stored tokens for the sharing feature are encrypted at rest with AES-256-GCM.
7. Permissions
The extension requests the following Chrome permissions:
- storage: To store your Notion token, database selection, and saved URL list locally.
- activeTab: To read the content of the current tab when you click "Save to Notion."
The extension runs content scripts on substack.com and *.substack.com pages to parse article content and inject the "Save to Notion" menu item.
8. Data Retention
- Local data (token, saved URLs, settings) persists until you disconnect or uninstall the extension.
- Sharing data is deleted immediately when you disable sharing or disconnect.
- We do not maintain backups of your data.
9. Your Rights
You can:
- Disconnect your Notion account at any time (Settings > Disconnect).
- Disable the sharing feature to delete stored tokens from our server.
- Uninstall the extension to remove all local data.
- Revoke the extension's access from your Notion integrations page.
10. Changes to This Policy
We may update this policy as the extension evolves. Changes will be posted on this page with an updated effective date. Continued use of the extension after changes constitutes acceptance.
11. Contact
For questions about this privacy policy, contact us at gabe.marketing or via Compounded Content.