mimfold

Mimfold Saver — Browser extension

Extension Privacy Policy

Last updated: 30 April 2026

1. Scope

This policy describes how the Mimfold Saver browser extension for Chrome and Edge (the "Extension") handles data. It supplements the main Mimfold Privacy Policy, which applies to the Mimfold mobile app and the Mimfold backend you connect to. If anything in this Extension policy conflicts with the main policy regarding the Extension specifically, this policy controls.

The Extension is published by the same team that operates Mimfold and is designed solely to forward X/Twitter posts to your own Mimfold library. It is not a separate service: it has no servers of its own, no analytics, and no advertising.

2. Summary in one paragraph

The Extension only runs on x.com, twitter.com, and mobile.twitter.com. When you click the Mimfold icon on a tweet, it reads the tweet's public metadata from the page (URL, ID, author handle, post text, avatar URL, verification badge, post date) and writes a single "import request" document to your own Firebase project on your behalf. It does not download media itself, it does not contact any third-party AI service, it does not store API keys, and it does not run analytics or trackers. Authentication is performed with an 8-character pairing code you generate in the Mimfold mobile app.

3. Data the Extension accesses

Data Where it comes from What the Extension does with it
Tweet URL, tweet ID, author handle The X/Twitter page you are viewing Sent to your Mimfold Firestore so the backend can fetch the post on your behalf.
Tweet text, author display name, author avatar URL, verified badge, post date The X/Twitter page you are viewing Sent to your Mimfold Firestore as context shown alongside the saved item.
Pairing code (8 letters/digits) You paste it from the Mimfold mobile app Used once to authenticate against Firebase Auth, then exchanged for a session token.
Firebase Auth session (ID token, refresh token, your account email and UID) Returned by Firebase Auth after you sign in Stored locally in chrome.storage.local on your device so you stay signed in. Refresh tokens are sent only to Google's Secure Token endpoint.
Your Firestore profile field username and the private field extensionPairingCode Your own Firestore documents users/{uid} (public profile) and users/{uid}/private/extension (owner-only) Read to display your handle in the popup and to detect when the pairing code has been regenerated in the mobile app.

4. Data the Extension does not collect

  • Browsing history. The Extension only runs on X/Twitter pages and only reads tweet content when you explicitly click the Mimfold save icon. It does not log, transmit, or store the URLs of other pages you visit.
  • Form input, keystrokes, or clipboard data outside the pairing-code field in the Extension popup itself.
  • Cookies or login state of any third-party site, including X/Twitter.
  • IP addresses, device identifiers, or fingerprints beyond what Firebase needs to deliver authentication and Firestore traffic.
  • Analytics, telemetry, crash reports, or advertising identifiers. The Extension contains no analytics SDK, no tag manager, no remote configuration service, and no ad network.
  • AI prompts or AI-generated content from third parties. The Extension does not call OpenRouter, Gemini, or any other AI provider. Any AI tagging is done server-side by Cloud Functions under the main Mimfold privacy policy, only after the import request lands in your Firestore.

5. Permissions the Extension requests, and why

  • storage — to keep your Firebase session (ID token, refresh token, account email, UID, current pairing code) on your device so you do not have to sign in on every browser restart. Stored locally via chrome.storage.local; never transmitted anywhere except back to Firebase Auth for token refresh.
  • Host access to x.com, twitter.com, mobile.twitter.com — to inject the Mimfold save button into tweets and to read the tweet metadata you choose to save.
  • Host access to identitytoolkit.googleapis.com, securetoken.googleapis.com, firestore.googleapis.com — to sign in with your pairing code, refresh expiring session tokens, and write your import request document to Firestore. These are Google-operated Firebase endpoints owned by Google LLC.

The Extension does not request the tabs, history, webRequest, cookies, or <all_urls> permissions, and it does not run on any site other than the three X/Twitter hosts listed above.

6. Where the data goes

Tweet metadata you choose to save and your authentication tokens are sent to the Firebase project that hosts your Mimfold account (project ID memedia-vault), operated by Google LLC on Mimfold's behalf. From there:

  • The Mimfold Cloud Function processes your import request, fetches the public media from X/Twitter, and stores it in Firebase Storage and Firestore under your account.
  • The Mimfold mobile app, when you next open it, downloads the processed item into your local library.

No data is sent to any other party from the Extension itself.

7. Authentication model

The Extension does not ask for your email or password. Instead, you generate an 8-character pairing code in the Mimfold mobile app (Profile → Browser extension), and the mobile app rotates your Firebase Auth password to that code at the same time. You paste the code into the Extension popup; the Extension reads the public pairings/{code} Firestore document to look up your account email, signs in to Firebase Auth, and stores the resulting session locally.

Regenerating the pairing code in the mobile app immediately invalidates older codes. The Extension detects this on its next popup open by comparing the stored code to the extensionPairingCode field in the owner-only users/{uid}/private/extension document, and signs you out automatically.

8. Data retention and deletion

  • On your device: click Sign out in the Extension popup to clear the stored session. Removing the Extension from Chrome/Edge also clears all chrome.storage.local data the Extension stored.
  • On the server: the data the Extension produces is the same data covered by the main Mimfold Privacy Policy (your library and account record). You can delete individual items inside the Mimfold mobile app, or delete your entire account from Profile → Settings → Delete Account; this also deletes the pairings/{code} mapping and any import requests you have written.

9. Children

The Extension is not directed to children under 13 (or the equivalent minimum age in your country). Do not install or use the Extension if you are under that age.

10. Changes

If we change this policy in a material way, we will update the "Last updated" date above and, when appropriate, mention the change in the Extension's release notes on the Chrome Web Store.

11. Single purpose declaration

Per the Chrome Web Store Developer Program Policies: the single purpose of the Mimfold Saver extension is to let signed-in Mimfold users save X/Twitter posts to their own Mimfold library with one click. All permissions and host access listed above are used solely in service of that purpose.

12. Contact

For questions about this Extension policy, or to exercise any data-rights request related to data the Extension produces, email mimfold@gmail.com.