Privacy Policy
Effective Date: 09/05/2026
Minimap is a browser extension that opens a small, movable, resizable map on any webpage. This policy explains what the extension does on your device, what leaves your device, and where it goes. By installing or using Minimap, you agree to this policy. If you do not agree, please uninstall the extension.
What Minimap does on your device
Minimap is opened by clicking its toolbar icon or pressing Alt+O. When opened on a tab, it injects a map overlay into the current page. The map itself, your search box, and your settings panel all run locally in your browser inside an isolated shadow root. We do not read, modify, or transmit the contents of the pages you visit.
What we don't collect
We do not collect, store, log, or build a profile of you. We have no database of users. We never have, and we have no plans to start. Specifically:
1. We do not collect your browsing history, the URLs you visit, or the content of any webpage.
2. There are no user accounts, sign-up forms, email collection, or login system.
3. We do not use advertising, ad-tracking pixels, fingerprinting, or third-party analytics SDKs inside the extension.
4. We do not sell, rent, or trade any data to anyone.
A note about location data
Minimap's Chrome Web Store listing declares "Location" as a data category. Here is exactly what that covers and why:
1. Your IP address is visible to any server your browser contacts. When the extension fetches a map tile from Mapbox, a search result via our geocoding worker, or a temporary token from our broker, those servers see your IP as a side effect of the HTTP request. Chrome classifies IP address as "location" data, which is why the box must be checked. We do not store IP addresses for tracking purposes; our workers process the minimum needed to enforce the free-tier ceiling and discard the rest.
2. Your precise GPS coordinates (from the browser's geolocation API, used by the "locate me" button) never leave your device. They are passed straight to the in-page map to center it on your location. We do not log, transmit, or send them to any of our servers or to any third party.
3. Map view coordinates — When the map renders any area, including the area around you after pressing "locate me", Mapbox receives tile requests for that area. From Mapbox's side these look identical to any other panning of the map; they are not labeled as your location.
What stays on your device
The extension uses your browser's local storage to remember things like the map's corner position, size, dark mode preference, and similar settings. This data lives in your browser profile and is never uploaded to us.
What leaves your device, and where it goes
To render a map and let you search for places, the extension makes network requests to a small set of services:
1. Mapbox (api.mapbox.com) — When the map is open, your browser requests map tiles, fonts, and styles directly from Mapbox. These requests carry the temporary access token described below, and Mapbox sees the standard request metadata (your IP address, requested tile coordinates, user agent). See Mapbox's privacy policy for how they handle this.
2. Mapbox token broker (a Cloudflare Worker we operate) — Each time you open the map, the extension fetches a short-lived (about one hour) Mapbox access token from our broker. The broker mints tokens server-side so the long-lived secret never ships in the extension, and it counts requests to enforce a monthly free-tier ceiling. The broker logs the minimum needed to enforce that ceiling and to debug abuse.
3. Geocoding worker (a Cloudflare Worker we operate) — When you type in the search box, your query is sent (with a short debounce) to our geocoding worker, which proxies and caches results from Photon (an open-source geocoder operated by Komoot, photon.komoot.io). Recent results are cached at the edge so common queries don't hit Photon every time.
4. Photon by Komoot (photon.komoot.io) — If our cache misses, your search query is forwarded to Photon to translate text like "Eiffel Tower" or "1600 Amphitheatre Parkway" into coordinates. See Komoot's privacy policy for how they handle this.
None of these requests carry an account identifier, an email address, or a profile of you — there is no account to attach them to.
Data retention
Our workers retain only what is needed to keep the service running:
1. Rate-limit counters used to enforce the monthly free-tier ceiling — kept until the counter window rolls over (monthly), then reset.
2. Edge-cached geocoder responses — cached at the Cloudflare edge for up to 24 hours, then refreshed from Photon on demand.
3. Standard request logs (timestamp, IP, status code) — retained for at most 30 days, after which they are automatically discarded.
We retain nothing else. There is no user database, no profile, and no long-term identifier tied to you.
Permissions and why Minimap asks for them
The browser shows a permission prompt at install. Each permission Minimap requests has a single, narrow purpose:
1. tabs — Read the active tab's URL to detect pages where the extension cannot run (such as chrome://, the Web Store, and browser internals) and gray out the toolbar icon accordingly.
2. storage — Saves your map position, size, and preferences locally so they persist between sessions.
3. offscreen — Used to host a hidden document so the "locate me" button can request your coordinates from the browser's geolocation API. No user data is collected from this document.
4. geolocation — Only triggered when you press the "locate me" button. Your browser will prompt you for permission. Your coordinates are used locally to center the map and are never transmitted to us or to any third party. See "A note about location data" above.
5. Host permissions for our two Cloudflare Workers (minimap-geocode.minimapextension.workers.dev and minimap-mapbox.minimapextension.workers.dev) and api.mapbox.com — These are the exact endpoints described in the previous section. The extension does not contact any other origins.
Cookies
The extension itself does not set or read cookies. Third-party services it contacts may set cookies on their own domains as part of normal HTTP behavior; those cookies are scoped to the third party, not to the websites you are browsing.
Children's privacy
Minimap is not directed at children under 13 and does not knowingly collect personal information from children.
Security
We take reasonable steps to protect the small amount of operational data our workers process (such as request counts). No system is perfectly secure, and we cannot guarantee the security of data in transit between your browser and any third-party service.
Changes to this policy
If this policy changes, the updated version will be posted on this page with a new effective date. Material changes will also be reflected in the extension's store listing.
Contact
Questions about this policy? Email sein.bucher@gmail.com.