Privacy Policy
Effective date: March 7, 2026
1. What followthrough is
followthrough ("we", "us", "our") is a product by Zach Hawtof (hawtofthepress.com). It's a Chrome extension that replaces your new tab with a command surface over Linear, Attio, and a local-first personal list. It syncs your personal data across devices via a backend hosted on Cloudflare. This policy explains what data we collect, how we use it, and your rights.
2. Data we collect
Account information
When you sign in with Google, we receive your Google user ID, email address, name,
and profile picture. We use this to authenticate API requests. We request the
openid, email, and profile OAuth scopes.
Your personal content
Tasks, notes, and sections you create in followthrough. This content is stored locally in your browser (IndexedDB) and synced to our server when you are signed in.
Linear and Attio associations
followthrough connects to Linear and Attio using OAuth tokens you authorize. Your Linear and Attio data remains on those platforms. We store connection metadata (tokens, workspace IDs) and a limited index of IDs and display labels to power autocomplete and cross-source queries. We do not store the underlying issue bodies, contact records, or deal details beyond a short-lived cache required for search.
AI Search content
If enabled, we extract plain text from your personal notes and tasks and store it in Cloudflare R2 for semantic search indexing. This content is scoped to your user account and is only searchable by you.
Usage analytics
We collect minimal analytics via Cloudflare Analytics Engine. These events include your user ID but no content data. Our landing page uses Cloudflare Web Analytics, which collects no personal data and uses no cookies.
3. How we use your data
We process your data on the following legal bases:
- Contract performance: Store and sync your personal tasks and notes; forward command-surface actions to Linear and Attio on your behalf.
- Consent: Index your content for AI-powered semantic search. You can opt out by not using the "Ask" feature.
- Legitimate interest: Understand aggregate usage patterns to improve the product, fix bugs, and ensure security.
We do not sell or share your personal information. We do not use your content to train AI models. We do not show you ads.
4. Where your data is stored
- Locally: Personal items live in your browser's IndexedDB, accessible offline.
- Server-side: Synced data is stored in Cloudflare D1 and R2. Cloudflare operates a global network; your data may be processed in any region where Cloudflare operates.
- Token cache: Authentication tokens are cached (hashed) in Cloudflare KV for up to 50 minutes to reduce latency.
5. Third-party services
We use the following sub-processors:
- Google (USA) — OAuth authentication. See Google's Privacy Policy.
- Cloudflare (USA) — Hosting, database, object storage, AI inference, and web analytics. See Cloudflare's Privacy Policy.
- Linear and Attio — Only when you explicitly connect them. followthrough calls their APIs on your behalf; they remain the system of record for that data.
We do not share your data with any other third parties.
6. Chrome extension permissions
- storage: Store settings and preferences locally in the browser.
- identity: Sign in with your Google account via Chrome's built-in identity API.
We do not request access to your browsing history, tabs, or website content.
7. Data retention
Your data is retained as long as your account is active. Soft-deleted records are permanently purged within 90 days. If you request account deletion, we remove your account and all associated data within 30 days.
8. Your rights
Depending on your location, you may have rights under applicable data-protection laws (including GDPR, CCPA/CPRA): access, deletion, portability, rectification, restriction/objection, and the right to withdraw consent or lodge a complaint.
To exercise any of these rights, email support@followthroughwork.com. We'll respond within 30 days.
9. International data transfers
Our servers are operated by Cloudflare, which processes data globally. Cloudflare participates in the EU-U.S. Data Privacy Framework and uses Standard Contractual Clauses where required.
10. Data breach notification
In the event of a data breach that poses a risk to your rights, we will notify affected users via email within 72 hours of becoming aware of it.
11. Security
HTTPS for all data in transit. Tokens are hashed before caching. API key comparison uses constant-time algorithms. All queries are filtered by authenticated user ID.
12. Children
followthrough is not intended for use by children under 13 (or under 16 in the EEA). We do not knowingly collect data from children.
13. California residents (CCPA/CPRA)
California residents have rights to know, delete, and opt out of the sale or sharing of personal information. We do not sell or share personal information for cross-context behavioral advertising.
14. Changes to this policy
We may update this policy. We'll notify users of material changes via the extension or email at least 30 days before the changes take effect.