Privacy Policy

Last updated: 30 April 2026 · Applies to v0.2.0 onward

X-Ray for Netflix (the "Extension") is a Chrome browser extension that overlays cast and crew information on Netflix's video player. It is built and maintained by Nimit Bhargava as a personal project. This page describes what data the Extension and this website (xray.nimit.dev, the "Site") collect, what they don't, and why.

1. Summary

The Extension's core feature — fetching cast and crew for the title you're watching — runs entirely on your machine. The only network traffic for that feature is to public, read-only APIs (TMDB and Netflix's own server-rendered HTML). Nothing about what you watch is sent to a third party by the Extension.

The Extension also sends a small set of anonymous product-analytics events to Google Analytics 4. Those events do not include the title, the show name, your viewing history, or any identifier that can be linked back to you. Section 4 covers exactly what is and isn't sent.

2. What the Extension collects on your device

The Extension stores the following in your browser's local storage (chrome.storage.local) on your computer only:

• Cast cache: a 30-day cache of TMDB cast results, keyed by Netflix title ID, so the panel renders instantly the second time you watch a title.
• Toggle state: whether you've turned the X-Ray panel on or off.
• Local telemetry buffer: the last 50 internal failure events (e.g. "TMDB rate limited"), used for diagnostics. Inspectable by you via the extension's service-worker DevTools console.
• Anonymous client ID (only if analytics is enabled — see below).

None of this is transmitted off your machine except the analytics data described in section 4. Uninstalling the Extension deletes all of it.

3. What the Extension sends over the network (always)

The cast pipeline makes the following requests, regardless of whether analytics is enabled:

• Netflix (www.netflix.com/watch/{id}): one HTTP GET to the same Netflix URL you're already on, used to read public og: meta tags (title, year, type) that Netflix's live DOM strips. No cookies are read or written by the Extension; Netflix sees the same browser session you'd already have.
• The Movie Database (TMDB) (api.themoviedb.org): search and credits lookups. Your TMDB API key is used as the only identifier; TMDB does not see who you are.
• TMDB image CDN (image.tmdb.org): cast headshot images embedded in the panel.

The Extension does not modify Netflix's page content, does not read your Netflix account, and does not have access to your viewing history beyond the single title currently on screen.

4. Product analytics

The Extension sends a small set of anonymous events to Google Analytics 4 via the Measurement Protocol. The purpose is to understand how the Extension is used in aggregate (install volume, success/failure rates, which features get used) so it can be improved.

What is sent

• An anonymous client ID (a random UUID generated on first event, stored only in your local browser storage, regenerated if you uninstall and reinstall — not tied to your Google account, IP address, email, or any other identifier).
• The Extension version (e.g. 0.2.0).
• Your browser's UI locale (e.g. en-US).
• The event name and a small set of structured parameters per event:
  • extension_installed — once on install or update.
  • panel_session_start — once per Netflix watch page you open.
  • panel_rendered_success — with a cache_hit boolean.
  • panel_rendered_fail — with a reason category (e.g. metadata_unavailable, tmdb_rate_limited).
  • cast_clicked — when you click a cast row to open IMDB.
  • toggle_used — with the new on/off state.

What is NOT sent

• Netflix title names or Netflix title IDs.
• TMDB IDs or anything identifying which specific show or movie you're watching.
• Cast member names or any other content of the panel.
• Your viewing history, viewing duration, or the time of day you watch.
• Your IP address (Google sees the request IP at the network layer — that is unavoidable for any HTTPS request to any service — but the payload itself contains no field tying it back to you).

The events listed above are processed by Google according to Google's Privacy Policy. You can opt out of Google Analytics tracking globally using Google's official opt-out browser add-on, or block the request to www.google-analytics.com with any standard content blocker. Doing so does not affect any of the cast-overlay features.

5. The Site (xray.nimit.dev)

This website uses Google Analytics 4 via gtag.js to record page views and basic browser/device information. This includes a cookie set by Google to identify return visits. IP anonymization is enabled. No personally identifiable information is collected by the Site itself.

You can opt out of Google Analytics tracking across the web using Google's official opt-out browser add-on.

6. No advertising, no third-party trackers, no resale

Neither the Extension nor the Site contains advertising, fingerprinting, ad networks, or trackers other than the Google Analytics described above. No data is sold, rented, or shared with anyone.

7. Children

The Extension is not directed at children under 13 and does not knowingly collect data from anyone. If you believe data has been collected from a child, contact us and we'll remove it.

8. Changes to this policy

If this policy changes in any meaningful way, the "Last updated" date at the top will reflect that. There is no separate notification — checking this page is the only way to see what changed.

9. Contact

Questions, concerns, or takedown requests: use the contact details on nimit.dev.