Privacy Policy

Last updated: 30 April 2026 · Applies to v0.2.0 onward

Backlot (the "Extension") is a Chrome browser extension that overlays cast and crew information on Netflix's video player. It is built and maintained by Nimit Bhargava as a personal project. This page describes what data the Extension and this website (trybacklot.com, the "Site") collect, what they don't, and why.

1. Summary

The Extension's core feature — fetching cast and crew for the title you're watching — runs entirely on your machine. The only network traffic for that feature is to public, read-only APIs (TMDB and Netflix's own server-rendered HTML). Nothing about what you watch is sent to a third party by the Extension.

The Extension also sends a small set of anonymous product-analytics events to Google Analytics 4. Those events do not include the title, the show name, your viewing history, or any identifier that can be linked back to you. Section 4 covers exactly what is and isn't sent.

2. What the Extension collects on your device

The Extension stores the following in your browser's local storage (chrome.storage.local) on your computer only:

• Cast cache: a 30-day cache of TMDB cast results, keyed by Netflix title ID, so the panel renders instantly the second time you watch a title.
• Toggle state: whether you've turned the Backlot panel on or off.
• Local telemetry buffer: the last 50 internal failure events (e.g. "TMDB rate limited"), used for diagnostics. Inspectable by you via the extension's service-worker DevTools console.
• Anonymous client ID (only if analytics is enabled — see below).

None of this is transmitted off your machine except the analytics data described in section 4. Uninstalling the Extension deletes all of it.

3. What the Extension sends over the network (always)

The cast pipeline makes the following requests, regardless of whether analytics is enabled:

• Netflix (www.netflix.com/watch/{id}): one HTTP GET to the same Netflix URL you're already on, used to read public og: meta tags (title, year, type) that Netflix's live DOM strips. No cookies are read or written by the Extension; Netflix sees the same browser session you'd already have.
• The Movie Database (TMDB) (api.themoviedb.org): search and credits lookups. Your TMDB API key is used as the only identifier; TMDB does not see who you are.
• TMDB image CDN (image.tmdb.org): cast headshot images embedded in the panel.

The Extension does not modify Netflix's page content, does not read your Netflix account, and does not have access to your viewing history beyond the single title currently on screen.

4. Backlot Pro (paid AI chat) — what's sent and stored

The "Ask" tab is the one place the Extension talks to a server we run. It is the only feature that sends data to a third-party LLM. Cast and Catch me up are unchanged from earlier versions: cast data comes from TMDB and recap summaries are generated on your device via Chrome's built-in AI.

What is sent (per Ask message)

• Your question text.
• The title of the show / movie you're watching, the episode (season + number, if TV), and your current playback timestamp (in seconds). The timestamp is what powers the spoiler-safe instructions to the model.
• An anonymous device UUID we generate on first use (same as the analytics UUID — random, not tied to any other identifier).
• The most recent ~20 turns of your conversation, so the model has context.

Where it goes

• To our Cloudflare Worker (proxy + usage counter + paywall enforcement).
• From there, to Google Gemini (gemini-2.5-flash) for the actual response. Google does not use these messages for training under their commercial API terms.
• Counter state and (for paid users) email + Stripe subscription ID are stored in Supabase (a Postgres database we host).

What we DON'T store

• The bodies of your questions or the AI's responses. We log only metadata (chars in/out, ok/error, show title, episode/movie type) for debugging + abuse detection.
• Your IP address (it transits at the network layer, but isn't written to our database).
• Anything tied back to your Netflix account.

Payments + identity

• Payment is handled by Stripe. Card details never touch our server. Stripe collects your email at checkout and we store it on your row so your subscription is portable across devices.
• Optionally you can sign in with email (we send a 6-digit code) or Google to recover or sync your subscription. We only use the email address for that purpose.

You can stop using the Ask tab at any time. Cast + Catch me up continue working without ever sending data to our servers.

Data deletion

To delete your account and all stored data, email hello@nimit.dev from the address on your subscription. We'll wipe your row + cancel any active sub within 7 days. Stripe's payment record is retained per their legal requirements (typically 7 years for accounting).

5. Product analytics

The Extension sends a small set of anonymous events to Google Analytics 4 via the Measurement Protocol. The purpose is to understand how the Extension is used in aggregate (install volume, success/failure rates, which features get used) so it can be improved.

What is sent

• An anonymous client ID (a random UUID generated on first event, stored only in your local browser storage, regenerated if you uninstall and reinstall — not tied to your Google account, IP address, email, or any other identifier).
• The Extension version (e.g. 0.2.0).
• Your browser's UI locale (e.g. en-US).
• The event name and a small set of structured parameters per event:
  • extension_installed — once on install or update.
  • panel_fetch_started — every time the panel kicks off a cast lookup.
  • panel_rendered_success — with cache_hit, cast_count, has_recap, media_type (movie or tv), and timing fields (netflix_fetch_ms, tmdb_total_ms, total_fetch_ms).
  • panel_rendered_fail — with a reason category (e.g. metadata_unavailable, tmdb_rate_limited).
  • cast_clicked / cast_instagram_clicked — with a position (which row).
  • toggle_used — with the new on/off state.
  • tab_switched — with from / to tab names (cast, recap, ask).
  • pause_overlay_rendered — with cast_count.
  • recap_stream_completed / recap_stream_failed — with duration_ms, ai_used, and a reason on failure.
  • ask_message_sent — with ok and an error_reason bucket on failure (e.g. http_500, network, stream_error).
  • ask_daily_limit_reached — with days_remaining in the trial.
  • ask_daily_limit_upgrade_clicked — when the user taps Upgrade from the daily-cap card.
  • ask_trial_expired — when the lifetime free trial runs out.
  • ask_paywall_shown — with trigger (e.g. trial_expired).
  • ask_upgrade_clicked / ask_checkout_started / ask_checkout_failed — with plan (monthly or annual), and a reason on failure.
  • ask_subscription_activated — when our backend confirms payment.
  • ask_magic_link_requested / ask_magic_link_verified — for sign-in events. The verified event includes a paid boolean indicating whether the recovered account is a paid subscriber.

What is NOT sent

• Netflix title names or Netflix title IDs.
• TMDB IDs or anything identifying which specific show or movie you're watching.
• Cast member names or any other content of the panel.
• Your viewing history, viewing duration, or the time of day you watch.
• Your IP address (Google sees the request IP at the network layer — that is unavoidable for any HTTPS request to any service — but the payload itself contains no field tying it back to you).

The events listed above are processed by Google according to Google's Privacy Policy. You can opt out of Google Analytics tracking globally using Google's official opt-out browser add-on, or block the request to www.google-analytics.com with any standard content blocker. Doing so does not affect any of the cast-overlay features.

6. The Site (trybacklot.com)

This website uses Google Analytics 4 via gtag.js to record page views and basic browser/device information. This includes a cookie set by Google to identify return visits. IP anonymization is enabled. No personally identifiable information is collected by the Site itself.

You can opt out of Google Analytics tracking across the web using Google's official opt-out browser add-on.

7. No advertising, no third-party trackers, no resale

Neither the Extension nor the Site contains advertising, fingerprinting, ad networks, or trackers other than the Google Analytics described above. No data is sold, rented, or shared with anyone.

8. Children

The Extension is not directed at children under 13 and does not knowingly collect data from anyone. If you believe data has been collected from a child, contact us and we'll remove it.

9. Changes to this policy

If this policy changes in any meaningful way, the "Last updated" date at the top will reflect that. There is no separate notification — checking this page is the only way to see what changed.

10. Contact

Questions, concerns, or takedown requests: use the contact details on nimit.dev.