Contakt — Privacy Policy
This document explains exactly what Contakt does and does not do with your data. It is written in plain English on purpose. If something here doesn't match the extension's behaviour, treat that as a bug and please report it.
TL;DR
- Everything you type stays on your device by default. Phone numbers, contact names, message bodies, notes, and tags are never transmitted. They live in
chrome.storage.localon your computer. - One optional channel exists, off by default: anonymous telemetry (event names + platform + region code). You opt in with a single toggle in Settings or onboarding. We never see anything identifiable, even when you opt in.
- No advertising. No third-party trackers. No SDKs. The extension talks to your computer's storage, the messaging platform you chose (WhatsApp/Telegram/etc.), and — only with your consent — our own telemetry endpoint.
1. What data Contakt stores on your device
The following lives in chrome.storage (local + sync) on your computer. Uninstalling the extension or clicking "Reset" in Settings removes it.
| Data | Where it comes from | Can leave the device? |
|---|---|---|
| Phone numbers | You type or paste them | Never |
| Contacts (names, multiple numbers, notes, tags) | You add them | Never |
| Message bodies | You type them | Never (only sent to the messenger you picked) |
| Templates | You write them | Never |
| Reminders + scheduled messages | You create them | Never |
| History (last 100 sent messages) | Generated on send | Never |
| Settings (country, platform, "my number", excluded sites) | You configure them | Never |
| Usage stats (counters: messages sent, reminders created…) | Generated locally | Never |
| Imported CSV / vCard data | You provide the file | Never (parsed locally, never uploaded) |
Chrome Sync. If you have Chrome Sync enabled, Chrome may encrypt and sync some of this data between your own devices via your Google account. That's a Chrome feature, not a Contakt feature — Contakt itself does not see or use Google services. You control it from Chrome's settings.
2. The one optional remote channel: anonymous telemetry
In Settings → Data → Usage there is a toggle labelled "Help improve Contakt". It is off by default. The first-launch onboarding also surfaces it once, again with the default off.
If you turn it on, the extension begins sending event records to a Cloudflare Worker we operate at https://contakt-telemetry.tosih.workers.dev. Each record is one of the following events:
message_sentreminder_createdtemplate_usedcontact_addedmessage_scheduled
Each record carries up to the following extra fields, and only these fields:
| Field | Example | Meaning |
|---|---|---|
event | "message_sent" | which event fired |
platform | "whatsapp" | which messenger the action used |
country | "TR" | ISO region code of the recipient phone number (not yours) |
duplicateAction | "merge" | only on contact_added from import; how you resolved duplicates |
reminderPreset | "1h" / "custom" | only on reminder_created; which preset chip you used |
importFormat | "csv" | only on import; csv or vcard |
importCount | 42 | only on import; row count |
id | "7f3a9c8b21e04d56" | a random anonymous cohort ID we mint when you first opt in |
ts | 1730000000000 | client timestamp |
A receipt-server-side whitelist re-applies the same filter. Even if a tampered version of the extension tried to send extra fields, the worker drops anything outside this list before writing to storage.
What the cohort ID is and isn't
- It is a 16-character random hex string generated on your device when you first opt in (e.g.
7f3a9c8b21e04d56). - It is not linked to your name, email, IP, browser fingerprint, or any account.
- Its only purpose is to count "how many distinct extensions sent events today" — without it, every record looks identical and we can't tell whether 1 person used the extension 100 times or 100 people each used it once.
- It rotates whenever you click "Reset" in Settings → Usage. The old ID and its events stay in our analytics; the new ID has no link to them. From our side they're two unrelated cohorts.
- You can delete it any time by toggling telemetry off (the ID stops being used) or by uninstalling the extension.
What anonymous telemetry never carries
- Phone numbers (yours, anyone you've messaged, anyone in your contacts) — under no circumstances
- Contact names
- Message bodies — content of any message you ever type
- Notes — anything you've written about a contact
- Tag values — the names of your tags
- Templates — bodies or titles
- History — which numbers you've messaged
- Email addresses — we don't ask for any
- IP address — Cloudflare may log connection IPs at the network level for abuse protection, retained briefly per Cloudflare's standard policy. We don't store, query, or use IP addresses ourselves.
- Browser fingerprint — no canvas, audio, font, or behavioural fingerprinting
This list is enforced by automated tests. Any change that lets a banned field through would fail CI before shipping.
Where the data goes
- The Cloudflare Worker validates the payload, applies the server-side whitelist, and writes one row per event to Cloudflare Workers Analytics Engine.
- We use this for product decisions (e.g. "does anyone actually use the QR feature?", "which reminder preset wins?", "which countries should we localise next?"). It is not sold, shared, or used for advertising.
- Retention: Workers Analytics Engine retains data for up to 90 days, after which it is automatically discarded.
3. Talking to messaging platforms
When you press Send (or a scheduled message fires), Contakt opens a tab pointing at the messenger you chose:
- WhatsApp:
https://wa.me/<phone>?text=<your-message> - Telegram:
https://t.me/<phone>?text=<your-message> - Signal:
https://signal.me/#p/<phone>?text=<your-message> - Viber, WeChat, LINE, KakaoTalk, Zalo: their respective deep links
These URLs are constructed locally and opened in your browser. Contakt does not act as a proxy; it does not log the request; it does not see the response. WhatsApp/Telegram/etc. are themselves governed by their own privacy policies, which apply once your browser visits their pages.
4. Permissions Contakt asks for and why
| Permission | Why we need it |
|---|---|
contextMenus | Right-click → "Contakt with this number" on selected text |
storage | Save your contacts, templates, reminders, settings on this device |
notifications | Show reminder + scheduled-message notifications |
clipboardRead | If your clipboard contains a phone number when you open the popup, offer to fill it in |
alarms | Fire reminders and scheduled messages at the right time |
host_permissions: http://*/*, https://*/* | Run phone-number detection on any webpage you choose to allow |
host_permissions: contakt-telemetry.tosih.workers.dev/* | Send opt-in telemetry events (only if you toggled it on) |
We deliberately do not ask for cookies, webNavigation, webRequest, history, bookmarks, geolocation, or any similarly broad permission. If a future version needs one, we will explain why in the changelog.
5. Data retention
| Where | Retention |
|---|---|
chrome.storage.local (your contacts, history, etc.) | Until you delete it or uninstall the extension |
chrome.storage.sync (settings, templates, tags) | Until you delete it or uninstall the extension. Chrome may also remove inactive sync data per Google's own policies. |
| Anonymous telemetry events on our server | Up to 90 days, then automatically discarded |
| Cohort ID on your device | Until you click "Reset" in Settings → Usage, or uninstall the extension |
6. Your rights
You have full control of your data:
- Export everything. Settings → Data → Download Backup produces a complete JSON file of every contact, setting, template, reminder, and scheduled message stored on your device.
- Delete everything on this device. Uninstall Contakt from
chrome://extensions. Chrome removes the extension's storage. - Opt out of telemetry at any time. Settings → Data → Usage → toggle off. No further events leave your device.
- Reset the anonymous cohort ID. Settings → Data → Usage → Reset. The ID rotates; existing telemetry (already sent) keeps no link to your new ID.
- Request deletion of telemetry data. Because telemetry is anonymous (no email, no name, no IP we retain), we have no practical way to look up "your" rows. The 90-day rolling retention means anything you sent 90+ days ago is already gone, and toggling off prevents future events. If you have a specific concern, contact us — see § 11.
If you are in the EU/UK and reading this with GDPR in mind: we believe Contakt's anonymous-telemetry model means we do not process personal data. We follow the same principles regardless of jurisdiction.
7. Children's privacy
Contakt is not directed at children under 13. We don't knowingly collect data from them and our anonymous-telemetry model wouldn't let us identify any subset of users by age in the first place.
8. Third-party services
The only third-party service Contakt directly communicates with on your behalf is Cloudflare (Workers + Analytics Engine), and only when you have explicitly opted in to telemetry. Cloudflare's own privacy policy applies to that connection: https://www.cloudflare.com/privacypolicy/.
When you press Send, your browser navigates to the messaging platform you chose (WhatsApp Web, Telegram Web, etc.). Once that tab is open, those services' privacy policies apply.
We do not embed analytics SDKs, advertising networks, error-reporting services, A/B testing platforms, or feature-flag services in the extension.
9. Security
- Storage is local (
chrome.storage), sandboxed by Chrome to the extension's origin. - The optional telemetry endpoint uses HTTPS.
- Backup files exported via "Download Backup" are plain JSON and not encrypted at rest. Treat them like any other sensitive file you keep around — a future Pro tier will add encrypted backups for users who want belt-and-braces.
- We do not transmit credentials, API keys, or session tokens from your browser. Contakt has no concept of an account.
10. Changes to this policy
If Contakt's privacy behaviour ever changes — for example, if a new opt-in feature transmits a different field — we will:
- Update this document, including the version number and "last updated" date at the top.
- Surface the change in the changelog and, where the change widens what is collected, in a one-time notice in the extension's UI.
- Push the new version to the Chrome Web Store, which will require users to accept any new permissions before the feature is enabled.
The current policy is always reachable at https://contakt-telemetry.tosih.workers.dev/privacy.
11. Contact
Questions, concerns, deletion requests, or "wait, I think Contakt just did X — is that documented?" reports:
- Maintainer: Oytun Yüksel
- Email: oytun@tosih.com
We aim to respond within a week. The extension is currently maintained part-time, so please be patient with non-urgent queries.