Privacy Policy

Last updated: March 24, 2026

The short version: Unbait does not collect, store, or transmit any of your data to its own servers. There are no Unbait servers. Everything stays on your device or goes directly to your chosen AI provider.

Contact

For privacy questions, email unbait@in-flux.app or open an issue on GitHub.

Data controller

Unbait is a local browser tool. The developer does not receive, store, or process any of your data. You are the data controller for any data sent to AI providers through Unbait.

What Unbait does

Unbait is a browser extension that replaces clickbait headlines with informative titles. To do this, it briefly fetches the text of articles on the page you are viewing and sends that text to an AI provider to generate a better headline.

On YouTube, Unbait fetches video transcripts (captions) to understand the video content. The transcript text (covering the first 1–8 minutes of the video, depending on the transcript depth setting) is sent to your AI provider along with the video title. Neutral thumbnail frames are loaded directly from YouTube's own image servers (i.ytimg.com) — no external service is involved.

If you use Unbait on YouTube, transcripts from videos you have access to (including unlisted or private videos) may be sent to your AI provider for title analysis.

Legal basis for processing

Processing is based on your explicit action (GDPR Art. 6(1)(b)) — you choose to activate Unbait and trigger each processing action. You control what data is sent and to which provider.

Data stored on your device

API key — stored in your browser's local extension storage. Never sent anywhere except directly to your chosen AI provider over HTTPS.
Provider preference — which AI provider you selected (Anthropic, OpenAI, or Google Gemini).
Always On sites — the list of websites where you enabled automatic de-clickbaiting.
Title cache — rewritten headlines (including YouTube titles) are cached locally for up to 7 days to avoid repeated API calls. The cache is capped at 500 entries and can be cleared manually.
Transcript depth setting — your preferred transcript depth (how much of a YouTube video's captions are sent to the AI provider). Stored locally alongside your other preferences.

Gemini API key handling

Note: Google's Gemini API requires the API key to be sent as a URL parameter rather than a header. This means the key may be visible in browser developer tools and network logs.

Data sent to third parties

When Unbait rewrites headlines, it sends the following directly to your chosen AI provider:

The original headline or video title
A brief excerpt of the article (first few paragraphs) for context, or the YouTube video transcript (first 1–8 minutes depending on the transcript depth setting)
Your API key (for authentication)

On YouTube, neutral thumbnail frames are loaded from YouTube's own image servers (i.ytimg.com) and are not sent to any AI provider or external service.

This data is sent directly from your browser to the AI provider's API. Unbait has no intermediary server. The AI providers and their privacy policies are:

International data transfers

Anthropic and OpenAI are US-based companies. When you use these providers, article excerpts and your API key are sent to US servers. These providers operate under the EU-US Data Privacy Framework and/or Standard Contractual Clauses. Google (Gemini) processes data per their own privacy terms. Your direct relationship with the provider governs these transfers.

Data NOT collected

No analytics or tracking
No user accounts or registration
No browsing history (beyond the cached titles you explicitly generated)
No personal information
No cookies — Unbait does not set or use its own cookies. However, when fetching article content for context, the browser may include existing cookies for that website (same-origin requests). This is standard browser behavior.
No data is ever sent to Unbait's own servers (there are none)

Permissions

Unbait uses optional host permissions. It does not request access to all websites by default. When you click "Enable for this site" or manually trigger de-clickbaiting, the extension requests permission for that specific site only.

Your rights

Under the GDPR, you have the right to access, rectify, and erase your data (Art. 15–17), as well as the right to data portability (Art. 20).

Locally stored data — you have full control via the extension settings. You can clear the cache and delete your API key at any time.
Data processed by AI providers — contact your provider directly using the links above.

You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl).

Open source

Unbait is fully open source. You can inspect the complete source code at github.com/jorgvreeswijk/unbait to verify these claims.

Changes to this policy

If this policy changes, the updated version will be published at this URL. The extension itself does not auto-update this policy.