Privacy Policy for 2FA Tray

Last Updated: January 2026
App Name: 2FA Tray (macOS App & Browser Extension)

Overview

2FA Tray is committed to protecting your privacy. This privacy policy explains how our macOS menu bar application and optional browser extension handle your data. 2FA Tray monitors your Gmail for two-factor authentication codes and magic links, storing them locally on your Mac for quick access.

Data Collection and Storage

What We Collect

  • 2FA Codes: Authentication codes extracted from your emails (6-10 digit numbers, alphanumeric codes)
  • Magic Links: Activation and sign-in URLs from authentication emails
  • Email Metadata: Sender email address and subject lines (for code identification)
  • Message IDs: Used to prevent duplicate code detection
  • OAuth Tokens: Google authentication tokens for Gmail access
  • User Preferences: Settings like watched labels, detection strictness, and hotkey configuration

What We Do NOT Collect

  • Full email body content (only temporarily processed for code extraction)
  • Passwords or login credentials
  • Browsing history or web page content
  • Personal identity information beyond your Gmail address
  • Analytics or telemetry data

Where Data is Stored

  • 100% Local Storage: All data is stored locally on your Mac
  • SQLite Database: Recent codes stored in ~/Library/Application Support/2FATray/
  • macOS Keychain: OAuth tokens stored securely using Apple's Keychain services
  • No Cloud Services: We do not sync or back up your data to any external servers
  • No Analytics: We do not collect any usage analytics or telemetry

Data Usage

Your data is used solely to:

  • Detect and extract 2FA codes from your Gmail messages
  • Display codes in the menu bar and notifications
  • Copy codes to your clipboard for easy pasting
  • Prevent duplicate code notifications
  • Optionally match codes to the service you're logging into (via Screen Context feature)

Gmail Access

  • Read-Only Access: 2FA Tray requests only read-only access to your Gmail (gmail.readonly scope)
  • Cannot Send or Delete: The app cannot send emails, delete messages, or modify your inbox in any way
  • Secure Authentication: Uses Google's official OAuth 2.0 flow for secure sign-in
  • Token Storage: OAuth tokens are stored securely in macOS Keychain with encryption

Optional Features

Screen Context (Optional)

When enabled, this feature helps identify which service you're logging into:

  • Captures a screenshot of the frontmost window (requires Screen Recording permission)
  • Extracts text using on-device OCR (Apple Vision framework)
  • Screenshots are never stored; they are processed in memory only
  • Can be disabled at any time in settings

Browser Extension Permissions

The optional Chrome extension communicates only with the local macOS app:

  • nativeMessaging: Local communication with the macOS app (no internet)
  • activeTab: To paste codes into the current tab when you request it
  • scripting: To inject codes into login forms
  • storage: To save your extension preferences locally

The extension does not access your browsing history, track your activity, or send any data externally.

Data Sharing

We do not share your data with anyone. Specifically:

  • No data is sent to our servers (we don't have any)
  • No data is shared with third parties
  • No data is used for advertising
  • No data is sold or monetized in any way
  • The only external communication is with Google's servers for Gmail access

Data Security

  • Encrypted Token Storage: OAuth tokens stored in macOS Keychain with system-level encryption
  • Secure Communication: All Gmail API calls use HTTPS encryption
  • Local-Only Processing: Code detection happens entirely on your Mac
  • Auto-Clear Clipboard: Configurable automatic clipboard clearing (default: 90 seconds)
  • No Network Transmission: Your 2FA codes never leave your device

User Rights

  • Access: View your recent codes through the menu bar interface
  • Sign Out: Disconnect your Gmail account at any time
  • Delete: Clear all stored codes and data from the app
  • Revoke Access: Remove app permissions from your Google account settings
  • Disable Features: Turn off Screen Context or other optional features

Data Retention

  • Recent Codes: Kept for up to 5 minutes (configurable), maximum 100 codes stored
  • Processed Message IDs: Retained for deduplication (~30 days)
  • OAuth Tokens: Stored until you sign out or revoke access
  • Uninstalling: Removing the app deletes all associated data from your Mac

Children's Privacy

Our app is not directed at children under 13. We do not knowingly collect data from children.

Changes to This Policy

We will notify users of any material changes to this privacy policy by updating this page.

Contact

For privacy concerns or questions, please email support@croutoncreations.com

By using 2FA Tray, you agree to this privacy policy.