Privacy and data

TabControl is built to make this page short: not much data leaves your Mac, and what does leaves under your explicit control.

TabControl stores everything user-facing locally first, in an App Group container belonging to TabControl:

• Sessions database — every saved session, window, and tab. A single SQLite file under ~/Library/Group Containers/group.com.marsolab.TabControl/.
• Categories and tags — part of the same database.
• Settings — stored in the app’s UserDefaults under the same App Group.
• API keys — stored in macOS Keychain, service name com.marsolab.TabControl.AIKeys. Keychain is encrypted at rest and protected by your login.

Nothing in the list above is uploaded, tracked, or transmitted anywhere unless you explicitly turn on iCloud sync or cloud AI.

iCloud sync is off by default. If you turn it on:

• Every session (name, timestamps, tab titles, tab URLs, pinned/active state, category, tags, lock flag, soft-delete state) goes to your private CloudKit database.
• A CloudKit private database is accessible only to you, signed in to your Apple ID. Not to Marsoft, not to Apple’s employees in normal operation, not to anyone else.
• Data in transit is encrypted by CloudKit.
• API keys do not sync. They’re Keychain-local, per device, always.

Your iCloud data count (in System Settings → Apple ID → iCloud) will include TabControl’s footprint. The whole thing is usually a few megabytes.

Cloud AI is off by default. If you pick OpenAI or Anthropic as your analysis provider:

• At analysis time, TabControl sends tab titles and URLs and a little bit of session metadata (tab count, capture time) to the provider’s API.
• The request is authenticated with your own API key.
• TabControl does not proxy through any Marsoft-owned server — the connection is direct from your Mac to api.openai.com or api.anthropic.com.
• Responses stay on your device.

TabControl never sends:

• Page content or HTML.
• Cookies, login state, or session tokens.
• Your Apple ID, email, or any identifier beyond what your API key already implies.
• Tabs from sites on your suspend deny list — those are only excluded from suspend, not from analysis; correct is: tabs are always included in analysis.

• Page content. TabControl never reads HTML, DOM, or rendered content. Extension permissions are limited to the APIs Safari exposes for tab metadata.
• Form data, scroll position, or login state. These are Safari’s to manage, not TabControl’s.
• Browsing history beyond what you explicitly save as a session. If you don’t save it, TabControl doesn’t know it happened.
• Any form of telemetry or analytics. The app does not report installation, usage, crashes, or anything else to Marsoft. Crashes go to Apple’s crash reporter like any Mac app; they’re anonymous unless you voluntarily share them.

Inside Safari:

• tabs, activeTab, windows — to read the list of currently open tabs and windows. Standard Safari Web Extension permissions.
• storage — local extension storage for UI state.
• nativeMessaging — for the extension’s native message port to talk to the macOS app.
• Host permissions on <all_urls> — so the extension can see tab metadata on any site.

These are all standard-issue Web Extension permissions. None of them grant access to page content.

Outside Safari (in the macOS app):

• iCloud entitlement for CloudKit access (used only if sync is enabled).
• Keychain access group for storing API keys.
• Network access (used only if you’ve enabled cloud AI or iCloud sync).

No camera, no microphone, no files-and-folders, no full-disk access, no location. If a future feature ever requires any of those, it’ll be gated on an explicit opt-in.

• One session: soft-delete from the UI, then Delete permanently from trash. Propagates to iCloud (if sync is on) on next sync.
• Everything: drag TabControl.app to Trash. Removes the app, the App Group container, and the sessions database. Keychain entries for your API keys are orphaned on drag-to-Trash and can be wiped via Keychain Access. iCloud data stays until you also remove it from System Settings → Apple ID → iCloud → Manage → TabControl.

For privacy questions, write to us via the contact form or read the full privacy policy.