Privacy Policy

Scope

This policy covers the BrowserPilot website, Chrome extension, local bridge process, activation service, purchase and licensing flows, and support communications. Together, these components form the “Service.”

Data Controller

BrowserPilot is operated by SeedSource (Luis Hernandez).
For any privacy-related questions or requests, contact us at [email protected].

What We Collect — On Your Device (Local Only)

The BrowserPilot extension and local bridge process the following data entirely on your machine to provide browser automation functionality:

• Tab URLs and titles — used to route automation commands to the correct browser tab.
• Page content, accessibility snapshots, and screenshots — used to enable AI-assisted interaction with web pages.
• Form values and page state — accessed during automation sessions to fill forms and interact with page elements.
• Local audit log — a log of tool invocations written to ~/.browserpilot/audit.log on your machine.
• Extension settings and session state — your preferences and current session configuration, stored in Chrome local storage.

What We Collect — On Our Servers

When you purchase BrowserPilot, claim access, or verify runtime approval, the following data is collected and stored on our servers:

• Email address — provided during purchase on Gumroad and used to deliver your license claim link.
• Gumroad sale ID and commercial license metadata — used to verify your purchase, reconcile commercial events (refund/dispute/cancellation), and manage your entitlement record.
• Machine fingerprint — a hashed device identifier used to enforce seat limits. It does not contain personal information.
• Platform and hostname — your operating system type and computer name, recorded during activation.
• Device session credentials — cryptographic tokens (stored as hashed digests) used to verify your license on each use.
• IP address — the IP address of activation, verification, and refresh requests, recorded in server logs and session metadata.
• Request timestamps — when your license was activated, last verified, refreshed, and when sessions were issued or revoked.
• Basic server logs — standard web server request logs (method, path, status code, response time) retained for operational and security purposes.

How We Use Your Data

• License fulfillment: your email address is used to send a one-time claim link after purchase and for license recovery if you lose access.
• Commercial verification: your Gumroad sale ID and commercial license metadata (including Gumroad license key where present) are used for purchase reconciliation and lifecycle management.
• Activation and verification: your entitlement record, machine fingerprint, and device-session credentials are used to issue, verify, and refresh runtime approval so the software operates on authorized machines.
• Seat management: machine fingerprints and platform data are used to enforce the maximum number of activated devices on your license.
• Security and abuse prevention: IP addresses and timestamps are used to detect and prevent unauthorized access, brute-force attacks, and license abuse.
• Service operations: server logs are used for debugging, performance monitoring, and incident response.

We do not use any collected data for advertising, profiling, or behavioral tracking.

Lawful Bases for Processing

Under the General Data Protection Regulation (GDPR), we process your personal data on the following legal bases:

• Contract performance (Art. 6(1)(b)) — processing your email, sale ID, and entitlement lifecycle metadata is necessary to fulfill your purchase and deliver BrowserPilot access.
• Legitimate interests (Art. 6(1)(f)) — processing IP addresses, machine fingerprints, and request logs is necessary for security, fraud prevention, and service reliability. These interests do not override your fundamental rights.

Who We Share Data With

We share data only with service providers necessary to operate BrowserPilot:

• Gumroad — processes your payment and provides commercial event metadata (including sale ID and license metadata) to our activation server. Gumroad is not a runtime approval authority after purchase. See Gumroad’s Privacy Policy.
• Resend — delivers transactional emails (license claim links, recovery emails) on our behalf. Only your email address and the message content are shared. See Resend’s Privacy Policy.
• Render — hosts our activation server infrastructure. Server logs and request data are processed on Render’s platform. See Render’s Privacy Policy.
• Cloudflare — provides CDN, DNS, and DDoS protection for our web services. Cloudflare may process IP addresses and request metadata. See Cloudflare’s Privacy Policy.

We do not sell your data. We do not share data for advertising purposes. We do not transfer data to any parties beyond those listed above.

Chrome Web Store Limited Use Disclosure

BrowserPilot’s use of information received from Chrome APIs adheres to the Chrome Web Store User Data Policy, including the Limited Use requirements. Specifically:

• BrowserPilot does not use Chrome API data for advertising or marketing.
• BrowserPilot does not sell Chrome API data to any third party.
• BrowserPilot does not transfer Chrome API data to third parties except as necessary to provide the core browser automation functionality you requested.
• BrowserPilot does not use Chrome API data for creditworthiness or lending purposes.
• All Chrome API data (tab URLs, page content, accessibility trees, screenshots) is processed locally on your device and is never transmitted to BrowserPilot servers.

Data Retention

• License records (email, sale ID, and commercial license metadata) — retained for the lifetime of your license or until you request deletion.
• Activation records (machine fingerprint, platform, hostname) — retained while the activation is active. Revoked activations are retained for up to 90 days for abuse prevention, then purged.
• Device sessions — active sessions expire automatically (typically within 30 days). Expired and revoked session records are retained for up to 90 days, then purged.
• Entitlement claim links — expire within 24 hours of issuance. Expired claim records are retained for up to 30 days.
• Server logs — retained for up to 30 days for operational purposes.
• Local audit logs — stored on your machine and fully under your control. BrowserPilot does not access or manage these remotely.

Your Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under applicable data protection law:

• Right of access — request a copy of the personal data we hold about you.
• Right to rectification — request correction of inaccurate or incomplete personal data.
• Right to erasure — request deletion of your personal data, subject to legal retention obligations.
• Right to data portability — request your data in a structured, machine-readable format.
• Right to restriction — request that we restrict processing of your data in certain circumstances.
• Right to object — object to processing based on legitimate interests.
• Right to lodge a complaint — file a complaint with your local data protection supervisory authority.

To exercise any of these rights, contact [email protected]. We will respond within 30 days.

Your California Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) provides you with the following rights:

• Right to know — you may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the third parties with whom we share it.
• Right to delete — you may request deletion of your personal information, subject to certain legal exceptions.
• Right to opt-out of sale or sharing — we do not sell or share your personal information as defined under the CCPA/CPRA. No opt-out is required because no sale or sharing occurs.
• Right to non-discrimination — we will not discriminate against you for exercising any of your CCPA rights.

To submit a verifiable consumer request, contact [email protected].

International Data Transfers

Our activation server is hosted in the United States via Render. If you are located outside the United States, your data will be transferred to and processed in the United States. We rely on standard contractual safeguards provided by our infrastructure providers to protect data transferred internationally.

Security

We implement appropriate technical and organizational measures to protect your data, including:

• All server communication is encrypted via TLS (HTTPS).
• Session tokens and license keys are stored as cryptographic digests (hashes), not in plain text.
• Access to the activation server database is restricted to essential operations.
• Device sessions are time-limited, revocable, and automatically expire.

Children’s Privacy

BrowserPilot is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at [email protected] and we will promptly delete it.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page. We encourage you to review this page periodically. Your continued use of the Service after any changes constitutes acceptance of the updated policy.

Contact

For privacy-related questions, data requests, or concerns, contact:
SeedSource (Luis Hernandez)
Email: [email protected]