Legal
Privacy Policy
Effective date: April 25, 2026 · Last updated: April 25, 2026
BrowsePal ("BrowsePal", "we", "us") is an AI copilot that lives in your browser. This policy explains what data the BrowsePal browser extension, the optional sync API, and the browsepal.ai website handle, why we handle it, who may receive it, how long it is kept, and the choices you have. It applies to the Chrome, Chromium, Edge, Brave, and Firefox builds where BrowsePal is distributed, plus this marketing website.
TL;DR
The short version
- Your provider API keys are encrypted on your device and are never sent to BrowsePal servers.
- Prompts, attachments, page context, screenshots, and tool results go directly from your browser to the AI provider and MCP servers you choose.
- The browser extension runs no analytics, trackers, ads, cross-site tracking, or fingerprinting. The browsepal.ai marketing website uses Plausible, a cookie-free, privacy-friendly analytics tool that records aggregated page views and a small set of CTA clicks (such as "Add to Chrome") without any personal identifiers.
- Sync is optional and zero-knowledge: chats and settings are encrypted before they leave your browser, and BrowsePal cannot decrypt them.
1. Who we are
BrowsePal is the controller for personal data we process through the extension, website, and sync API. For privacy questions, rights requests, or security concerns, contact mail@browsepal.ai.
2. Data that stays on your device
Most BrowsePal data is processed on your device first. Local data is stored in chrome.storage.local and removed when you clear the extension's storage, clear browser site data for the extension, or uninstall.
- Settings
Theme, accent, selected provider, selected model, custom model entries, MCP server definitions, privacy toggles, onboarding state, and cached model catalogs. Stored in chrome.storage.local.
- Provider credentials
API keys are encrypted locally with PBKDF2-SHA256 (150,000 iterations) and AES-GCM-256 using a per-installation salt. They are decrypted only in your browser when a request to your chosen provider requires them.
- Local chat history
Conversation messages, model choices, MCP server choices, and attachments such as page text, selections, screenshots, file excerpts, PDFs, images, and YouTube transcripts stay on your device unless you enable encrypted sync.
- Browser context you expose
When you attach a page, allow first-turn page context, add a tab list, capture a screenshot, read a file, or use browser tools, BrowsePal reads that content locally so it can be sent to the AI provider or MCP server you selected.
- Local auth and encryption state
If you sign in, your session token, user email, sync cursors, and locally wrapped sync data key are stored on this device so sync can continue without asking for your passphrase on every browser restart.
3. Data we receive on our servers
BrowsePal does not proxy your AI chats. The BrowsePal API receives data only for account authentication, optional encrypted sync, account deletion, and routine infrastructure handling for the website and API.
- Account and magic-link auth
If you sign in, the BrowsePal API stores your email, a user id, account timestamps, hashed magic-link tokens, and temporary challenge records. It issues a signed session token that your device stores locally. Raw magic-link tokens are not stored.
- Encrypted sync data
If you enable sync, settings and conversations are encrypted in your browser before upload. The server stores ciphertext, row ids, version numbers, timestamps, and deletion markers. API keys are stripped before settings are synced.
- Wrapped key material
For zero-knowledge sync, the server stores only the passphrase-wrapped data encryption key, salt, KDF parameters, and wrapping algorithm. BrowsePal never receives your passphrase or an unwrapped sync key.
- Routine request metadata
The website and API process network metadata such as IP address, user-agent, request path, and headers through Cloudflare and rate-limit services so requests can be served, secured, and abuse-limited. We do not use this metadata for analytics or profiles.
4. What we don’t collect
Browser context is powerful. If you attach a page, enable first-turn page context, capture a screenshot, or let browser tools inspect the active tab, the exposed page content may be sent to the provider or MCP server you selected. Outside those user-facing features, we do not monitor your browsing.
- Background browsing history or a list of sites you visit outside the features you invoke.
- Background keystroke logging, password capture, or silent form monitoring.
- Plaintext synced chats, plaintext synced settings, sync passphrases, or unwrapped sync keys.
- Provider API keys on BrowsePal servers, whether encrypted or plaintext.
- Analytics, telemetry, crash reports, advertising identifiers, or device fingerprints inside the browser extension. The browsepal.ai marketing website uses cookie-free Plausible analytics for aggregated traffic and CTA-click counts only, with no personal identifiers, no cross-site tracking, and no advertising profiles.
- Personal data for sale, targeted advertising, cross-context behavioral advertising, credit scoring, or data broker activity.
5. Why we process data (legal bases)
Under the GDPR and similar laws, we rely on the following legal bases:
- Performance of a contract: delivering the extension features you request, including chat, context attachment, screenshots, file reading, model calls, MCP tool calls, browser tools, magic-link sign-in, and sync.
- Consent: optional choices such as signing in, enabling encrypted sync, unlocking sync with a passphrase, attaching browser context, connecting providers, and adding MCP servers.
- Legitimate interests: keeping the website and API available, authenticating requests, rate-limiting abuse, maintaining security, debugging service errors, and enforcing this policy.
- Legal obligations: retaining limited records where required by applicable law.
- No statutory requirement: you are not legally required to provide personal data to BrowsePal. If you do not provide an email address, sync will not be available. If you do not provide provider credentials or a compatible local endpoint, chat requests to that provider cannot run.
6. Third parties that receive your data
BrowsePal is a bring-your-own-key client. Most recipients of prompts, attachments, and tool data are providers or servers you configured yourself.
- AI providers you select
When you send a message, your prompt and attachments are transmitted directly from your browser to the provider you configured. BrowsePal can connect straight to Anthropic, OpenAI, Google Gemini, xAI Grok, OpenRouter, or any OpenAI-compatible endpoint you point it at (including local servers like Ollama, LM Studio, or vLLM). Each provider's privacy policy governs that data. BrowsePal does not see, store, or proxy these requests.
- MCP servers you configure
Any Model Context Protocol server you add runs under its own operator. Tool calls and results flow between your browser and that server directly. You control which servers are added, which are enabled, and what headers or credentials they receive.
- Cloudflare (infrastructure)
The website, API Worker, D1 database, and edge security/rate-limit handling run on Cloudflare. Cloudflare processes network-level metadata and hosted ciphertext as an infrastructure provider.
cloudflare.com/privacypolicy
- Amazon SES (email delivery)
When you request a magic link, Amazon SES receives the destination email address and sign-in link solely to deliver that message.
aws.amazon.com/privacy
- Plausible Analytics (website only)
The browsepal.ai website loads a Plausible Analytics script to count aggregated page views and a small set of CTA clicks such as "Add to Chrome". Plausible does not set cookies, does not use cross-site identifiers, and does not collect personal information. The browser extension does not load Plausible.
plausible.io/privacy-focused-web-analytics
We never sell or rent personal data. We do not share data with advertisers or data brokers.
7. Extension permissions explained
Chrome requires us to declare permissions up front. Here is what each one is used for and the strictly limited reason we need it.
- sidePanel
Renders BrowsePal inside Chrome’s side panel.
- storage
Persists settings, encrypted keys, and chat history in chrome.storage.local on your device.
- tabs / activeTab
Reads the URL and title of the active tab so BrowsePal can attach the current page, list tabs, switch context, and scope browser tools to the tab you are using.
- scripting
Injects short, purpose-specific scripts into the current page to extract readable text, capture selections or screenshots, inspect page structure, or perform browser actions such as click, type, scroll, and navigate when browser tool use is enabled.
- contextMenus
Adds a right-click entry so you can send a selection to the chat.
- clipboardRead / clipboardWrite
Lets you paste clipboard contents into the chat and copy assistant output.
- host_permissions: <all_urls>
Required so page context, screenshots, and browser tools can work on arbitrary sites you choose to use with BrowsePal. The extension does not run a persistent content script across every page.
8. Security
API keys are encrypted locally with AES-GCM-256 and a per-installation PBKDF2-SHA256 key. Zero-knowledge sync uses a random AES-GCM-256 data encryption key for synced settings and conversations. Your passphrase derives a separate PBKDF2-SHA256 key with a 32-byte salt and 600,000 iterations to wrap that data key. BrowsePal stores only ciphertext and wrapped key material, not the passphrase or unwrapped key. Transport between your browser, chosen providers, MCP servers, Cloudflare-hosted API, and email provider uses TLS where those services support it. No system is perfectly secure, so keep your device, browser, operating system, providers, MCP servers, and passphrase protected.
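The sync key hierarchy described above, sketched with Node's built-in crypto module as an added example; it is not BrowsePal's code. The KDF, iteration count, salt size, and cipher come from the policy text, while the 12-byte nonce, the record field names, and the function names are assumptions.

```javascript
const { randomBytes, pbkdf2Sync, createCipheriv, createDecipheriv } = require('node:crypto');

// Values stated in the policy: PBKDF2-SHA256, 600,000 iterations, 32-byte salt.
const KDF = { name: 'PBKDF2-SHA256', iterations: 600000, saltBytes: 32 };
const NONCE_BYTES = 12; // assumption: the usual 96-bit AES-GCM nonce

function gcmSeal(key, plaintext) {
  const iv = randomBytes(NONCE_BYTES); // fresh nonce per encryption
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function gcmOpen(key, { iv, ct, tag }) {
  const decipher = createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  // final() throws if the key is wrong or the ciphertext was modified
  return Buffer.concat([decipher.update(ct), decipher.final()]);
}

function deriveWrappingKey(passphrase, salt, iterations) {
  return pbkdf2Sync(passphrase, salt, iterations, 32, 'sha256');
}

// Runs in the browser: returns the DEK (stays local) and the record the server may hold.
function setupSync(passphrase) {
  const dek = randomBytes(32); // random data encryption key
  const salt = randomBytes(KDF.saltBytes);
  const kek = deriveWrappingKey(passphrase, salt, KDF.iterations);
  const serverRecord = { // hypothetical field names
    kdf: KDF.name, iterations: KDF.iterations, salt,
    wrapAlg: 'AES-GCM-256', wrappedDek: gcmSeal(kek, dek),
  };
  return { dek, serverRecord };
}

// A second device recovers the DEK from the server record plus the passphrase.
function unlockSync(passphrase, rec) {
  return gcmOpen(deriveWrappingKey(passphrase, rec.salt, rec.iterations), rec.wrappedDek);
}

const encryptRow = (dek, obj) => gcmSeal(dek, Buffer.from(JSON.stringify(obj)));
const decryptRow = (dek, row) => JSON.parse(gcmOpen(dek, row).toString('utf8'));
```

Anyone holding the server record can still test passphrase guesses offline at the cost of one PBKDF2 run per guess, so the strength of the passphrase bounds the strength of the scheme.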
9. Data retention
- On-device data: retained until you delete a chat, clear the extension's storage, or uninstall.
- Account and sync data: retained until you delete your synced account, delete specific conversations, or ask us to delete it, subject to legal or security retention requirements.
- Magic-link records: magic-link challenge records and hashed tokens expire after 15 minutes and are cleaned up from the database after approximately 24 hours.
- Sessions: signed sessions expire after 30 days. Signing out clears the local session and locally persisted sync key material.
- Infrastructure logs: Cloudflare and the email delivery provider may retain short-lived network, delivery, security, and abuse logs under their own policies.
10. International transfers
BrowsePal is operated through global infrastructure. Cloudflare may process website and API requests at edge locations outside your country. The email delivery provider may also process sign-in email data internationally. Where required, we rely on contractual safeguards such as data processing terms, Standard Contractual Clauses, or equivalent safeguards offered by our service providers. AI providers and MCP servers you configure may process data in jurisdictions of their own choosing; check their policies before sending sensitive data to them.
11. Your rights
Depending on where you live, including the EEA, UK, Switzerland, California, Brazil, and similar privacy regimes, you may have rights over your personal data. We honor them regardless of location where technically feasible.
- Access
Request a copy of personal data we hold, such as account metadata and encrypted sync records tied to your email. We cannot decrypt synced ciphertext without your passphrase.
- Deletion
Delete your synced account and associated server-side data from the extension reset controls or by emailing us. On-device data can be cleared in the extension, browser settings, or by uninstalling.
- Portability
Request an export of the account metadata and encrypted sync records we can provide in a machine-readable format.
- Rectification
Correct inaccurate personal data we hold about you.
- Withdraw consent
Stop using sync, sign out, clear local data, or delete your account. New sync data stops flowing once you are signed out or sync is no longer unlocked.
- Object or restrict
Object to or ask us to restrict processing where the applicable law gives you that right, including processing based on legitimate interests.
- Complain
Lodge a complaint with your local data protection authority (for EU residents, your national DPA).
To exercise any of these, email mail@browsepal.ai. We respond within 30 days.
BrowsePal does not sell or share personal data for cross-context behavioral advertising. We also do not use sensitive personal information to infer characteristics or for unrelated purposes. If a Global Privacy Control signal reaches our website, there is no sale or targeted-advertising flow to opt out of.
12. Children’s privacy
BrowsePal is not directed at children under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with data, please contact us and we will delete it.
13. Cookies and analytics on this website
browsepal.ai does not set cookies and does not embed advertising or cross-site trackers. The footer may call api.browsepal.ai to show API status, which creates a routine request to the Cloudflare-hosted API.
To understand how the marketing site is performing, the website loads a self-hosted Plausible Analytics script from analytics.mrblithe.com. Plausible counts aggregated page views and a small set of CTA events (such as add_to_chrome when you click an "Add to Chrome" button) so we can measure conversion. Plausible does not set cookies, does not use cross-site identifiers, does not store IP addresses, and does not build advertising profiles. The browser extension itself does not load Plausible or any other analytics script.
14. Chrome Web Store Limited Use disclosure
BrowsePal's use of information received through Chrome extension APIs adheres to the Chrome Web Store User Data Policy, including the Limited Use requirements. We use Chrome API data only to provide or improve user-facing BrowsePal features. We do not sell it, use it for advertising, transfer it to data brokers, use it for credit decisions, or allow humans to read it except with your explicit consent for support, where necessary for security or abuse investigation, as aggregated and anonymized internal operations data, or when required by law.
15. Changes to this policy
We will update this page when BrowsePal's data handling changes. For material changes, we will update the effective date at the top and, where the change affects synced accounts, notify you through the email you used to sign in when practical.
Contact
Questions, requests, complaints
Email mail@browsepal.ai. For privacy-specific matters, please put “Privacy” in the subject line so we can route it quickly.