
Privacy Policy

Last updated: April 2026

1. Introduction

Alexandria Eden, operating as a sole proprietor ("CBrowser," "we," "our," or "us"), operates the CBrowser cognitive browser automation platform at cbrowser.ai. CBrowser provides 120+ MCP (Model Context Protocol) tools for cognitive browser automation, accessibility auditing, and web analysis.

This Privacy Policy explains what personal data we collect, how we use it, how we protect it, and what rights you have regarding your data. It applies to all users of the CBrowser website, API, MCP server, and related services.

By creating an account or using our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use CBrowser.

2. Information We Collect

2.1 Account Data

When you create a CBrowser account, we collect:

  • Email address — used for authentication, account recovery, and service communications.
  • Name — used to personalize your account.
  • Password — stored as a one-way bcrypt hash. We never store or have access to your plaintext password.
  • API keys — when you generate an API key, we store only a SHA-256 hash of the key. The raw key is shown to you once at creation and is never stored on our servers.

2.2 Usage Data

We automatically collect data about how you use CBrowser:

  • Tool calls — which MCP tools you invoke, how often, and credit consumption per call.
  • Registered domains — domains you register for site monitoring and reporting.
  • Tool results — cognitive scores, accessibility audit scores, and other analytical outputs generated by your tool invocations.
  • Log data — IP addresses, request timestamps, user agent strings, and error logs for security and debugging.

2.3 Google Analytics Integration

CBrowser offers an optional integration with Google Analytics 4 (GA4). If you choose to connect your GA4 account:

  • We authenticate via Google OAuth 2.0 and request only the analytics.readonly scope (read-only access).
  • We store your OAuth tokens in encrypted form and your GA4 property ID.
  • We retrieve per-page metrics such as bounce rate, average session duration, and page views for display within CBrowser.
  • We never modify, write to, or delete any data in your Google Analytics account.
  • You can revoke this integration at any time from your CBrowser account settings or from your Google account permissions.

2.4 Browser Session Data

When you use CBrowser MCP tools, a headless Chromium browser session is launched server-side. These sessions are:

  • Isolated — each user's browser session runs in a separate, sandboxed process.
  • Memory-limited — each session is capped at 800MB of memory.
  • Ephemeral — sessions are automatically terminated and cleaned up after 300 seconds of inactivity.
  • Not retained — no browsing history, cookies, or session state from the headless browser is stored after the session ends.

2.5 Screenshots

Baseline screenshots of your registered domains are stored on our servers for use in site reports and the monitoring dashboard. These screenshots are associated with your account and are deleted when you remove the domain or delete your account.

2.6 Text-to-Speech Audio Cache

The CBrowser page reader feature generates text-to-speech audio using OpenAI's TTS API. Audio files are cached on our server, keyed by a hash of the page text content, for up to 7 days to improve performance. These audio files contain only synthesized speech of webpage content and do not include any personal information.

2.7 Blog and CMS Content

Blog posts published on cbrowser.ai are public content. If you submit a comment, your display name and comment text are publicly visible. Administrative accounts used for content management are subject to the same account data provisions described in Section 2.1.

2.8 Payment Information

All payment processing is handled by Stripe. We do not receive, process, or store your credit card numbers, bank account details, or other financial instrument data. We store only your Stripe customer ID to associate your CBrowser account with your payment history. Stripe's handling of your payment data is governed by the Stripe Privacy Policy.

3. Information We Do Not Collect

  • We do not use tracking pixels, third-party analytics SDKs, or advertising trackers on cbrowser.ai.
  • We do not collect credentials you may enter into websites during browser automation sessions.
  • We do not retain browsing history from headless browser sessions beyond the session lifetime.
  • We do not store your raw API keys.
  • We do not collect biometric data.

4. How We Use Your Information

We use the information we collect for the following purposes:

  • Service delivery — to provide, operate, and maintain CBrowser's features and functionality.
  • Authentication — to verify your identity and authorize API requests.
  • Billing and usage tracking — to calculate credit consumption and manage subscription tiers.
  • Service improvement — to analyze usage patterns, fix bugs, and develop new features.
  • Security — to detect, investigate, and prevent abuse, fraud, and unauthorized access.
  • Communications — to send essential service notices, security alerts, and account-related emails. We do not send marketing emails without your explicit consent.
  • Legal compliance — to comply with applicable laws, regulations, and legal processes.

5. Cookies and Local Storage

CBrowser uses a minimal number of cookies, all of which are essential to the operation of the service:

Cookie | Purpose | Duration
session | Authentication and session management | Session (expires on browser close) or persistent (if "remember me" is selected)
cbrowser-lang | Language preference for the page reader | 1 year

We do not use cookies for advertising, cross-site tracking, or behavioral profiling. Because our cookies are strictly necessary for the service to function, they do not require consent under most cookie consent regulations. However, you can configure your browser to block or delete cookies at any time, though this may prevent you from using CBrowser.

6. Third-Party Services

CBrowser relies on the following third-party services to operate. Each processes data according to its own privacy policy:

Service | Purpose | Data Shared
Stripe | Payment processing | Payment details (handled entirely by Stripe)
OpenAI | Text-to-speech audio generation; image interpretation via GPT-4 Vision | Page text content (for TTS); screenshots (for vision analysis)
Google | OAuth for GA4 integration; Google Translate for page reader | OAuth tokens (encrypted); page text (for translation)
Cloudflare | CDN, DNS, DDoS protection | IP addresses, request metadata (processed by Cloudflare as a data processor)
Let's Encrypt | SSL/TLS certificate issuance | Domain names (public certificate transparency logs)

We select third-party services that maintain strong privacy and security practices. We do not sell, rent, or share your personal data with any third party for their own marketing or advertising purposes.

7. Data Retention

We retain your data only as long as necessary to provide our services or as required by law:

Data Type | Retention Period
Account data (email, name, password hash) | Until account deletion
API key hashes | Until key revocation or account deletion
Usage and billing records | 90 days (active), then aggregated/anonymized
Server and access logs | 30 days
TTS audio cache | 7 days
Browser session data | 300 seconds of idle time (auto-cleaned)
Domain screenshots | Until domain removal or account deletion
Google Analytics OAuth tokens | Until integration revocation or account deletion
Support communications | 2 years

When you delete your account, all associated data is permanently removed through a cascade deletion process. This includes account details, API key hashes, usage records, screenshots, OAuth tokens, and any other data tied to your account. Some data may persist in encrypted backups for up to 30 days after deletion, after which backups are rotated and the data is permanently destroyed.

8. Data Security

We implement the following technical and organizational measures to protect your data:

  • Encryption in transit — all data is transmitted over HTTPS using TLS 1.2 or higher. SSL certificates are issued by Let's Encrypt.
  • Password security — passwords are hashed using bcrypt with a work factor that meets current industry standards.
  • API key security — API keys are hashed using SHA-256 before storage. Raw keys are never persisted.
  • OAuth token encryption — Google OAuth tokens are encrypted at rest.
  • Browser session isolation — each headless browser session runs in a sandboxed process with memory limits and automatic cleanup.
  • DDoS protection — Cloudflare provides network-layer protection against distributed denial-of-service attacks.
  • Access controls — administrative access to servers and databases is restricted and logged.

While we take reasonable measures to protect your data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, and you use our service at your own risk.

9. Your Rights

Depending on your location, you may have certain rights regarding your personal data. We honor these rights for all users, regardless of jurisdiction.

9.1 Rights Under the EU General Data Protection Regulation (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the GDPR:

  • Right of access — you may request a copy of the personal data we hold about you.
  • Right to rectification — you may request that we correct inaccurate or incomplete data.
  • Right to erasure — you may request that we delete your personal data. Deleting your account will cascade-delete all associated data.
  • Right to restriction of processing — you may request that we limit how we process your data in certain circumstances.
  • Right to data portability — you may request an export of your personal data in a structured, machine-readable format (JSON).
  • Right to object — you may object to our processing of your personal data in certain circumstances.
  • Right to withdraw consent — where processing is based on consent, you may withdraw that consent at any time.

Legal bases for processing: We process your personal data on the following legal bases: (a) performance of a contract (providing the service you signed up for), (b) legitimate interests (security, fraud prevention, service improvement), and (c) consent (optional integrations like Google Analytics).

International transfers: CBrowser is operated from the United States. If you are located outside the US, your data will be transferred to and processed in the United States. We ensure appropriate safeguards are in place for such transfers.

You also have the right to lodge a complaint with your local data protection supervisory authority.

9.2 Rights Under the California Consumer Privacy Act (CCPA)

If you are a California resident, you have the following rights under the CCPA and the California Privacy Rights Act (CPRA):

  • Right to know — you may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
  • Right to delete — you may request deletion of your personal information.
  • Right to correct — you may request correction of inaccurate personal information.
  • Right to opt out of sale or sharing — we do not sell or share your personal information as defined by the CCPA/CPRA. No opt-out is necessary.
  • Right to non-discrimination — we will not discriminate against you for exercising any of these rights.

Categories of personal information collected: identifiers (name, email, IP address), commercial information (purchase history, credits consumed), internet activity information (tool usage, log data), and inferences drawn from the above (usage patterns).

We do not sell personal information. We do not use or disclose sensitive personal information for purposes beyond those permitted by the CCPA.

9.3 Rights Under the Colorado Privacy Act (CPA)

As CBrowser is based in Colorado, we also comply with the Colorado Privacy Act. Colorado residents have the right to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling. We do not engage in any of these opt-out-triggering activities.

9.4 Exercising Your Rights

To exercise any of the rights described above, contact us at [email protected]. We will respond to verifiable requests within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before fulfilling your request.

You may also delete your account at any time through your account settings, which will trigger a cascade deletion of all associated data.

10. Data Sharing and Disclosure

We do not sell, rent, lease, or trade your personal data to any third party for any purpose.

We may disclose your information only in the following limited circumstances:

  • Service providers — we share data with the third-party services listed in Section 6, strictly for the purposes described. These providers act as data processors on our behalf or as independent controllers for payment processing.
  • Legal requirements — we may disclose your information if required to do so by law, regulation, legal process, or enforceable governmental request.
  • Protection of rights — we may disclose information when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, to investigate fraud, or to respond to a government request.
  • Business transfers — if CBrowser is acquired, merged, or substantially all of its assets are transferred, user data may be among the assets transferred. You will be notified via email or a prominent notice on our website of any such change in ownership or control.

11. Children's Privacy

CBrowser is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected], and we will promptly delete that information.

For users between 13 and 18 years of age, parental or guardian consent is required to use CBrowser.

12. Do Not Track Signals

CBrowser does not track users across third-party websites and does not use third-party analytics or advertising trackers. Because we do not engage in cross-site tracking, we do not need to respond to Do Not Track (DNT) browser signals. Our privacy practices apply equally to all users regardless of DNT settings.

13. Open-Source CLI and npm Package

The CBrowser CLI tool, available as an npm package (cbrowser), can be used in self-hosted configurations. When you use the CLI to connect to your own MCP server or a self-hosted instance, this Privacy Policy does not apply to data processed on your own infrastructure. This policy governs only data processed by the CBrowser service operated at cbrowser.ai and demo.cbrowser.ai.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page.
  • Notify registered users via email for material changes that affect how we handle personal data.
  • Post a prominent notice on our website for at least 30 days following a material change.

Your continued use of CBrowser after any changes to this Privacy Policy constitutes your acceptance of the updated policy. We encourage you to review this page periodically.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: