Last updated: March 22, 2026
FrictionBox collects the minimum data needed to operate. If you sign in with Google, we receive your name, email, and profile picture to identify your account. We do not request access to Gmail, Drive, Calendar, or any other Google service.
Your site list, gate configurations, and gate statistics are stored locally in your browser and are not transmitted to FrictionBox servers.
The FrictionBox Chrome extension uses declarativeNetRequest to redirect navigations
for sites you have explicitly added to your friction list. Broad host permission (<all_urls>) is required because you choose which domains to gate — the extension cannot predict them in advance.
The extension does not read or modify page content, and does not collect browsing history. Its content script runs
only on frictionbox.app to sync your configuration between the web app and the
extension. Gate UI is loaded from frictionbox.app inside the extension — no remote code is executed in the extension context.
When signed in, your configuration may be synced to our servers using a key-value store keyed to your user ID. This data is used only to restore your settings across devices. It is never sold, shared with third parties, or used for advertising.
Third-party plugins run inside a sandboxed iframe and can only interact with the platform through the BoxContext API. Plugins cannot access your browsing data, cookies, or any data outside their sandbox. Plugin state is scoped per-box and per-entry — one plugin cannot read another's data.
Plugins may request data from external APIs. These requests are proxied through FrictionBox servers and restricted to domains declared in the plugin's manifest. Your identity is not attached to these requests.
Some gates use LLM-powered content generation (e.g. typing passages). These requests are anonymous with no user identity or browsing context attached. No cookies or tracking pixels from third-party ad networks are used anywhere in FrictionBox.
You can clear all local FrictionBox data from Settings at any time. To delete your synced account data, sign out and contact us. We will remove all server-side records associated with your account.
We may update this policy as the product evolves. Continued use after changes constitutes acceptance.