Privacy Policy

Last updated: June 11, 2026

Kickbacks is a VS Code extension that shows a small sponsored line in the Claude Code and Codex spinners and pays you a share of the ad revenue. This page describes exactly what data the extension and the kickbacks.dev services handle. The short version: we measure ads, we never read your work.

What we never collect

• Your source code or file contents. The extension does not read, store, or transmit the contents of your projects.
• Your prompts or AI conversations. What you say to Claude Code or Codex, and what they say back, never leaves your machine through us.
• Keystrokes or browsing activity.

Account data

Signing in uses Google OAuth. We receive and store your Google account identifier, your email address, and your display name. We never see your Google password. You can use ads in demo mode without signing in at all — demo mode is tied only to the random device identifier below, not to any account.

Ad measurement events

To credit your earnings and bill advertisers, the extension reports an event when an ad is fetched, shown, viewed, or clicked. Each event contains:

• the event type and a one-time identifier used to deduplicate it,
• which ad and campaign were shown, and a short-lived serving token,
• a random device identifier generated on install (it identifies the installation, not you or your hardware),
• timestamps and how long the ad was visible,
• the extension version and the Claude Code version string,
• basic environment info: operating system and version, CPU architecture, and editor name (e.g. darwin, arm64, Visual Studio Code).

These events are the billing ledger between you and advertisers, so we retain them. Serving tokens expire and are deleted within 24 hours.

Earnings and payouts

We keep a ledger of what you have earned and what has been paid out. Payouts run on Stripe: when you set up payouts, your bank and identity details go directly to Stripe through their hosted onboarding — we never see or store them. We store only your Stripe account identifier and the payout history. Stripe’s handling of your data is described in the Stripe Privacy Policy.

Service checks

The extension periodically polls our kill switch (so we can stop ad serving remotely if something goes wrong) and checks for extension updates. These requests carry version strings and no account identity.

Consent

The extension asks for your consent in-editor before measurement begins, and asks again whenever the terms version changes. Telemetry is opt-in.

Who we share data with

• Processors: Google (sign-in), Stripe (payouts), Convex (database and API hosting), Vercel (web hosting).
• Advertisers see aggregate statistics only — impression and click counts — never your identity, email, or device identifier.
• We do not sell personal data.

Retention and deletion

Sign-in handshake records live for minutes; serving tokens for up to 24 hours; measurement events and the earnings ledger are retained as accounting records. To access or delete your account data, email privacy@kickbacks.dev from your sign-in address.

Changes

We will update this page when our practices change, and material changes re-trigger the in-editor consent prompt with a new terms version.