Reader.csv — Privacy Policy
Reader.csv is a Chrome extension that turns CSV and TSV files into interactive tables in your browser. This page explains exactly what it does with your data — in plain English.
The short version
Everything happens on your computer. The extension does not send file contents, URLs, browsing history, or anything else to any server. There is no account, no analytics, no telemetry, no ads. We have no way to see what you open.
What it stores on your computer
- Your preferences — theme, link behaviour, number formatting, and similar settings. Saved with Chrome's standard chrome.storage.sync so they follow you across browsers signed into the same Chrome profile.
- Your recent files list — display-only filenames of the last few files you opened, kept in chrome.storage.local on this one device. The list never contains file contents. You can clear it from the viewer's empty state.
- File handles for one-click re-open (optional) — when you pick a local file via "Open file…" in a Chromium browser that supports the File System Access API, Reader.csv stores the resulting FileSystemFileHandle for that file in a local IndexedDB database (tabview/recentFileHandles) on this one device so you can re-open the same file from the recent-files list with a single click. A handle is a pointer to a file on your disk; it does not contain file contents, and re-opening still requires your explicit permission. Entries are pruned in lock-step with the recent-files list and removed automatically if the underlying file can no longer be reached. Nothing in IndexedDB is persisted to the cloud or leaves the device.
- A short-lived handoff entry — when you open a CSV/TSV from a web URL, the raw text is briefly placed in chrome.storage.session so the viewer page can pick it up. Session storage is in-memory only, lives no longer than the current Chrome session, and is explicitly removed by the viewer the moment it reads the payload. Nothing is persisted to disk and nothing leaves the device.
That's the entire data footprint.
What it does not do
- Does not collect personally identifying information, health data, financial data, passwords, location, browsing history, mouse movements, keystrokes — nothing.
- Does not transmit file contents, parsed rows, filter expressions, or anything else anywhere.
- Does not run analytics or track usage.
- Does not load remote scripts, fetch executable code at runtime, or include any third-party network beacons.
- Does not sell, share, or transfer any user data — there is no user data to transfer.
How files are handled
Four ways to open a file, all local:
- Drag a file onto the viewer tab — the file is read with the browser's FileReader, parsed in memory, and rendered. Nothing is uploaded.
- "Open file…" picker — same path as drag-and-drop.
- file:// URL — when you double-click a .csv or .tsv from Finder or Explorer (and you have toggled "Allow access to file URLs" on at chrome://extensions), Reader.csv's content script swaps Chrome's raw-text view for the interactive table. On macOS, where Chrome routes file://*.csv through its download flow instead of rendering it inline, Reader.csv intercepts that download, cancels it, reads the file directly from disk, and shows it in the viewer.
- http(s):// URL — when you navigate to a *.csv or *.tsv URL on the web, Reader.csv uses Chrome's declarativeNetRequest API to rewrite the response headers Chrome was already going to receive (strip Content-Disposition: attachment, set Content-Type: text/plain) so the file renders inline as text. The extension itself never sees the response body; the rewrite is declared statically in rules/csv-rules.json and applied by Chrome before the response reaches any extension code. For URLs that have no .csv/.tsv extension but are served with a CSV Content-Type (e.g. download.php?file=foo), Reader.csv catches the resulting download via Chrome's downloads API, cancels it, and re-fetches the same URL to render it in the viewer instead.
There is one outbound network request Reader.csv's own code makes: when you click or navigate to a CSV/TSV URL that Reader.csv intercepts as a convenience, it issues a single fetch for the URL you just clicked, with credentials: "include" so authenticated CSVs (SharePoint, Google Sheets exports, intranets) work. The fetch goes to the same origin your browser was already going to ask. Nothing else leaves the machine.
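The header rewrite described above touches only two response headers, which is something a reader can check against any declarativeNetRequest rule file. The following JavaScript is an added example, not Reader.csv's own code: auditHeaderRules and SAMPLE_RULES are constructed for illustration and do not reproduce the contents of rules/csv-rules.json, and the requirement that every rule carries a URL filter is an assumption of this example.

```javascript
// Added example: audit a declarativeNetRequest static rule set.
// SAMPLE_RULES is constructed for illustration; it is NOT the contents of
// the extension's rules/csv-rules.json.
const ALLOWED = new Map([["content-disposition", "remove"], ["content-type", "set"]]);

function auditHeaderRules(rules) {
  const findings = [];
  for (const rule of rules) {
    const { action = {}, condition = {} } = rule;
    const flag = (msg) => findings.push(`rule ${rule.id}: ${msg}`);
    // Only header modification is expected; block/redirect/etc. are flagged.
    if (action.type !== "modifyHeaders") {
      flag(`action type "${action.type}" is not modifyHeaders`);
      continue;
    }
    if ((action.requestHeaders || []).length > 0) flag("modifies request headers");
    for (const h of action.responseHeaders || []) {
      const name = String(h.header).toLowerCase(); // header names are case-insensitive
      if (ALLOWED.get(name) !== h.operation) {
        flag(`unexpected ${h.operation} on ${name}`);
      } else if (name === "content-type" && h.value !== "text/plain") {
        flag(`content-type set to ${h.value}, expected text/plain`);
      }
    }
    // Assumption of this example: each rule must be scoped by a URL filter.
    if (!condition.urlFilter && !condition.regexFilter) {
      flag("no URL filter, so the rule is not limited to CSV/TSV URLs");
    }
  }
  return findings;
}

const SAMPLE_RULES = [
  { id: 1, priority: 1, // matches the behaviour the policy describes
    action: { type: "modifyHeaders", responseHeaders: [
      { header: "Content-Disposition", operation: "remove" },
      { header: "Content-Type", operation: "set", value: "text/plain" }] },
    condition: { regexFilter: "\\.(csv|tsv)(\\?.*)?$", resourceTypes: ["main_frame"] } },
  { id: 2, priority: 1, // touches a header outside the stated scope, unfiltered
    action: { type: "modifyHeaders", responseHeaders: [
      { header: "Cache-Control", operation: "set", value: "no-store" }] },
    condition: { resourceTypes: ["main_frame"] } },
  { id: 3, priority: 1, // not a header rewrite at all
    action: { type: "redirect", redirect: { url: "https://example.invalid/" } },
    condition: { urlFilter: "*.csv" } },
];

console.log(auditHeaderRules(SAMPLE_RULES).join("\n"));
```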
Permissions, plain English
- storage — saves your preferences, the recent-files list, and the short-lived handoff entry described above.
- IndexedDB (browser API, no Chrome permission required) — stores the file handles for the one-click re-open feature described above.
- downloads — catches CSV/TSV downloads that the header rules can't reach (file:// URLs and HTTP(S) URLs without a .csv/.tsv extension but a CSV Content-Type), cancels them, and re-fetches the URL into the viewer. Reader.csv only looks at the URL, filename, and MIME type of each new download to decide whether to redirect — it never reads the contents of any other download.
- declarativeNetRequestWithHostAccess — strips Content-Disposition: attachment and rewrites Content-Type to text/plain on CSV/TSV responses so Chrome renders them inline. Header modifications are declared statically in rules/csv-rules.json; the extension never sees the network response itself.
- host permissions: <all_urls> — required by declarativeNetRequestWithHostAccess to apply the header rewrites on cross-origin CSV/TSV responses, and by the click-to-fetch convenience above. Reader.csv does not read page content beyond detecting clicks on CSV/TSV links and (optionally) intercepting them.
- file URL access (opt-in, configured in chrome://extensions) — required so the extension can render local CSV/TSV files you open from disk.
Third parties
Reader.csv does not include any third-party SDKs, scripts, fonts, or analytics. All code that runs in the extension ships in the extension package itself.
Changes
If this policy changes, the new text will replace this page.
Contact
Questions or concerns: support@spoonkeyworks.com