Yumetab — Privacy Policy
_Last updated: 2026-04-11_
Yumetab is a Chrome New Tab rhythm game built by an independent developer. This document explains, in plain language, exactly what data the extension touches, where it goes, and what it never does.
TL;DR
- No accounts. No email. No tracking pixels. No ads. No analytics SDK.
- Everything you do — songs, scores, settings, cosmetics — lives on **your
device** unless you opt in to a feature that explicitly says otherwise.
- The only thing that ever leaves your computer is (1) an anonymous random
ID for global leaderboards and (2) your encrypted Stripe payment when you voluntarily buy the Supporter Pack.
- Audio you import (
.mp3,.osz, etc.) never leaves your device. Ever.
We have no upload endpoint to send it to.
What gets stored on your device
All in chrome.storage.local (sandboxed to this extension, never synced to your Google account unless you also enable Cloud Save):
| Data | Why |
|---|---|
| Your settings (volume, scroll speed, key bindings, calibration offset) | So the game works the way you set it up |
| Personal bests per song | Local progression / NEW PB ribbon |
| Daily challenge streak | Streak counter on the landing page |
| Active skin / trail / hit sound id | So your cosmetics persist across reloads |
A random anonymous UUID (crypto.randomUUID()) | Identifies your scores on the global leaderboard without identifying you |
| Imported songs and generated charts (in IndexedDB) | So you don't re-import the same .mp3 every tab open |
There is no profile, no name, no email, nothing tied to your real identity. The UUID is generated locally on first run and never associated with anything that could deanonymise you.
What gets sent over the network
Yumetab makes network requests in only three situations:
1. Weekly NCS music drops (CDN)
When you open a new tab, Yumetab fetches a small JSON manifest (drops.json) from a content-delivery network and, if there are new drops, downloads the corresponding .mp3 files. This is a one-way GET — we do not send anything back to the CDN beyond the standard HTTP headers your browser sends to any web server. The CDN provider's edge logs may record your IP address per its own privacy policy.
2. Global leaderboards & daily challenge (Yumetab API)
If you finish a song with a personal best, the game POSTs the run to the Yumetab leaderboard API. The payload contains:
- Your anonymous UUID (the one stored locally; never linked to a name)
- The chart id and a chart-content hash
- Score, accuracy, max combo, grade
- A compressed replay (sequence of key-press timings) for anti-cheat checks
- Scroll-speed and a few rate-limit / plausibility flags
It does not contain: your IP-as-identifier, your email, your audio file, the lyrics or title of any song you imported privately, your other browser activity, or any cookie. The CDN edge sees your IP for routing only; the backend code does not log it persistently.
You can avoid this entirely by leaving "Submit scores to global leaderboard" off in Settings — local PBs and daily challenge still work offline.
3. Cloud Save (Supporter Pack only, opt-in)
If you buy the Supporter Pack and tap [ PUSH ] in Settings, an encrypted JSON blob containing your settings, PBs, favourites, and active cosmetics is uploaded to the same backend. It is keyed by your anonymous UUID, capped at a small fixed size, aggressively rate-limited, and never read by anything except your own UUID's matching read.
What gets sent to ExtensionPay (only if you buy)
The Supporter Pack and Seasonal Pass purchases are processed by ExtensionPay, which uses Stripe as the underlying payment processor. When you click [ UNLOCK ]:
- ExtensionPay opens its own hosted checkout page in a new tab.
- You give Stripe your card details and (per Stripe's policy) an email
address. Yumetab never sees either of those — they go directly to Stripe.
- ExtensionPay returns a
paid: trueflag to the extension. That's it.
We never see your name, email, billing address, or card. If you want a refund, you can request one directly through ExtensionPay's user dashboard or by messaging us in the Yumetab Discord: https://discord.gg/2Z4u2wmW5z.
What we will NEVER do
- We will never upload audio files you import. The Web Audio API decodes
them locally; there is no upload code path in the extension.
- We will never sell, share, or trade any data with advertisers, brokers,
or third parties beyond the Cloudflare / Stripe / ExtensionPay infrastructure described above.
- We will never add tracking pixels, fingerprinting, or analytics SDKs.
- We will never read your bookmarks, browsing history, tabs, cookies, or
page content. The extension manifest only requests storage permission; Chrome enforces this at the platform level.
- We will never publish the extension's source code. Yumetab is closed
source. The privacy claims here are independently verifiable from the shipped extension's manifest.json (only storage permission, no <all_urls>, no tabs, no cookies) and a network sniff (only the three endpoints described above).
- We will never silently change this policy. Material changes will be
noted in CHANGELOG.md and the "Last updated" date at the top of this file.
Children
Yumetab is suitable for all ages. We do not knowingly collect any data from children. Because we collect no personally identifiable information from anyone, COPPA / GDPR-K obligations are satisfied by design.
Your rights (GDPR / CCPA)
Because the only personal-ish data we hold is an anonymous UUID you can regenerate at any time:
- Access: open Settings → there's a button to view your UUID and
cloud-save payload.
- Deletion: open Settings → "Reset everything." This wipes
chrome.storage.local, IndexedDB, and (if you're a supporter) issues a DELETE /cloud to the backend.
- Portability: your cloud-save payload is plain JSON; the same Settings
panel exports it.
Contact
Questions, concerns, or refund requests: join the Yumetab Discord at https://discord.gg/2Z4u2wmW5z.
_Yumetab is an independent project. Compatible with .osz beatmap files you provide. Not affiliated with osu! or ppy Ltd._