Privacy Policy for Unbrowse Agent

Last Updated: October 30, 2025

Introduction

Unbrowse Agent ("the Extension") is a browser extension developed by Unbrowse.ai that enables intelligent browsing automation and network traffic recording. This Privacy Policy explains how we collect, use, protect, and share information when you use our Extension.

What Makes This Extension Different

Unlike typical browser extensions, Unbrowse Agent collects and stores extensive data including network traffic, authentication credentials, and cookies on our servers. While we implement encryption similar to password managers, our service requires collecting more data types (network traffic, browsing patterns, API interactions) to enable automation functionality.

Important

This is not a privacy-focused tool. We collect and store your browsing data and encrypted credentials to provide automation services. While credentials are encrypted with your master password before leaving your browser, network traffic and metadata are stored unencrypted on our servers for functionality purposes.

By using Unbrowse Agent, you consent to the collection, transmission, and storage of your data as described in this policy.

Information We Collect

1. Authentication Information

  • OAuth tokens: When you authenticate with Unbrowse.ai, we store authentication tokens locally in your browser
  • User account data: Basic account information linked to your Unbrowse.ai account
  • Session data: Temporary session information to maintain your logged-in state

2. Network Traffic Data

When you activate the recording feature, we collect:

  • HTTP/HTTPS request and response headers
  • Request and response bodies
  • Cookies sent and received during browsing
  • Network timing information
  • URL paths and query parameters
  • Page navigation events

3. Authentication Credentials

The Extension automatically detects and stores authentication credentials including:

  • Authorization headers (Bearer tokens, API keys, etc.)
  • Authentication cookies
  • API keys and access tokens
  • OAuth tokens from websites you visit

4. Local Storage Data

  • Extension settings and preferences
  • Recording configurations
  • Domain exclusion lists
  • Master password configuration status (password itself is never stored)

How We Use Your Information

We use the collected information for the following purposes:

  1. Browsing Automation: To enable AI-powered browsing assistance and task automation
  2. Network Analysis: To analyze and replay your browsing sessions for automation purposes
  3. Credential Management: To securely manage and reuse authentication credentials across sessions
  4. Service Improvement: To improve our AI agent's capabilities and user experience
  5. Session Replay: To enable accurate reproduction of your browsing activities when needed

Data Security & Encryption

We implement encryption measures similar to password managers, but with important differences regarding what data is protected:

What IS Encrypted: Credentials Only

Authentication credentials (tokens, API keys, auth cookies) are encrypted using AES-256-GCM encryption before transmission:

  • Algorithm: AES-256-GCM (Galois/Counter Mode)
  • Key Length: 256 bits
  • Authentication: 128-bit authentication tag to prevent tampering
  • Initialization Vector: 12-byte cryptographically random IV for each encryption operation

What IS NOT Encrypted: Network Traffic and Metadata

The following data is stored unencrypted on our servers:

  • Network request/response bodies (except credentials)
  • HTTP headers (excluding authorization headers)
  • URLs, domains, and paths you visit during recording
  • Timestamps and browsing patterns
  • Non-authentication cookies
  • Page navigation events

This data is necessary for automation functionality and is not encrypted.

Encryption Implementation: Credential Sync vs Chat

Credential Sync (Extension - Zero-Knowledge)

  • Master password NEVER transmitted - Stays in your browser
  • Master password NEVER stored - Only in memory during recording
  • Credentials encrypted client-side before upload
  • We cannot decrypt without your master password

Chat Interface (Extension & Web App - NOT Zero-Knowledge)

  • Encryption key IS transmitted - Sent as HTTP header (X-Credential-Key)
  • Encryption key may be stored - In browser localStorage/storage for convenience
  • Server receives the key - We can see your encryption key when you chat
  • We CAN decrypt credentials when you provide your key via chat

Zero-knowledge encryption only applies to credential sync in the extension (when recording and uploading credentials). When using the chat interface (in either the extension or web app), your encryption key is transmitted to enable the AI to access and use your credentials.

Important Limitation

Zero-knowledge encryption applies ONLY to authentication credentials. Network traffic, URLs, and browsing patterns are visible to us and stored unencrypted on our servers.

Data Storage & Retention

Local Storage (In Your Browser)

  • Extension settings and preferences
  • Encrypted credential cache in IndexedDB
  • Authentication tokens (stored securely by Chrome)
  • Temporary recording data (cleared after upload)

Remote Storage (Unbrowse.ai Servers)

What We Store Encrypted (Zero-Knowledge):

  • Authentication credentials - Encrypted with your master password; we cannot decrypt

What We Store Unencrypted (Readable by Us):

  • Network traffic recordings - Full HAR format data including request/response bodies
  • URLs and domains - Every site you visit during recording
  • HTTP headers - Non-authentication headers from your traffic
  • Cookies - Non-authentication cookies from recorded sessions
  • API interactions - Full request/response data for automation
  • Timestamps and patterns - When and how you browse
  • User account data - Email, subscription info, settings
  • Session metadata - Browser type, extension version, etc.

Why We Store This

Automation and session replay require access to full network traffic. Unlike password managers that only store credentials, we need this data to reproduce your browsing sessions.

Data Access: What We Can and Cannot See

What We CANNOT Access (Zero-Knowledge):

  • Your master password - Never stored, never transmitted, never known to us
  • Decrypted credentials - Encrypted tokens, API keys, auth cookies remain encrypted
  • Credential values - Without your master password, credentials are unreadable

What We CAN Access:

  • All network traffic - Full request/response bodies during recording
  • Browsing patterns - Sites visited, navigation paths, timing
  • API responses - Data returned from services you interact with
  • Page content - Any content transmitted during recorded sessions
  • Metadata - Usage patterns, frequency, session duration

This is fundamentally different from password managers, which only store encrypted credentials. We store extensive browsing data for automation functionality.

Data Sharing & Third Parties

We do NOT sell, trade, or rent your personal information to third parties.

Service Providers & Data Access

We share data with trusted service providers:

  • Cloud infrastructure providers (e.g., AWS, Google Cloud): Store both encrypted credentials and unencrypted network recordings
  • Analytics services: May receive anonymized usage data
  • Support services: May access your data when you request support

Your Control & Rights

You Can:

  1. View and delete stored credentials at any time
  2. Export your data from Unbrowse.ai
  3. Disable credential sync in extension settings
  4. Exclude specific domains from credential extraction
  5. Control recording - only captures when you explicitly enable it
  6. Delete your account and all associated data
  7. Change or remove your master password at any time

Permissions Explained

The Extension requires the following permissions:

Permission | Purpose
storage | Store settings, tokens, and encrypted credential cache locally
activeTab | Access information about the current tab during recording
webRequest | Monitor network requests to capture traffic and detect credentials
debugger | Advanced network capture for comprehensive recording
scripting | Inject scripts to extract cookies and page information
tabs | Manage recording across multiple tabs
cookies | Capture authentication cookies for session replay
<all_urls> | Record network traffic from any website you visit
sidePanel | Display agent interface in browser side panel

All permissions are used only when recording is active and are essential for the Extension's core functionality.

Children's Privacy

Unbrowse Agent is not intended for use by children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us immediately.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by:

  • Posting the new Privacy Policy on this page
  • Updating the "Last Updated" date
  • Showing a notification in the Extension (for material changes)

Technical Details for Security Researchers

Encryption Specification

Algorithm: AES-256-GCM
Key Derivation: SHA-256(master_password)
IV: 12 bytes, crypto.getRandomValues()
Tag Length: 128 bits
Format: {ciphertext: base64, iv: base64}
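
The envelope described by this specification, as an added example (not Unbrowse's own code) written against Node's crypto module so it runs outside the browser. It assumes UTF-8 password encoding and that the 128-bit tag is appended to the ciphertext, as WebCrypto's AES-GCM does; the function names are hypothetical. Because the key is a single unsalted SHA-256 of the password, the same password always yields the same key.

```javascript
// Added example: AES-256-GCM envelope per the Encryption Specification above.
const nodeCrypto = require('node:crypto');

const IV_BYTES = 12;  // 12-byte IV, fresh for every encryption
const TAG_BYTES = 16; // 128-bit authentication tag

// Key Derivation per the spec: SHA-256(master_password), no salt, one pass.
// Assumption: the password is encoded as UTF-8 before hashing.
function deriveKey(masterPassword) {
  return nodeCrypto.createHash('sha256').update(masterPassword, 'utf8').digest();
}

// Returns the page's format: {ciphertext: base64, iv: base64}.
function encryptCredential(masterPassword, plaintext) {
  const iv = nodeCrypto.randomBytes(IV_BYTES);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(masterPassword), iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Assumption: tag appended to the ciphertext (the format has no tag field).
  const ciphertext = Buffer.concat([body, cipher.getAuthTag()]);
  return { ciphertext: ciphertext.toString('base64'), iv: iv.toString('base64') };
}

// Returns the plaintext, or null when the tag check fails
// (wrong master password, or the stored envelope was modified).
function decryptCredential(masterPassword, envelope) {
  const raw = Buffer.from(envelope.ciphertext, 'base64');
  const iv = Buffer.from(envelope.iv, 'base64');
  if (iv.length !== IV_BYTES || raw.length < TAG_BYTES) return null;
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(masterPassword), iv);
  decipher.setAuthTag(raw.subarray(raw.length - TAG_BYTES));
  try {
    const body = raw.subarray(0, raw.length - TAG_BYTES);
    return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
  } catch {
    return null; // authentication failed: never return unauthenticated plaintext
  }
}

// Constructed sample values, not real credentials.
const sampleEnvelope = encryptCredential('constructed-master-password', 'Bearer constructed-token');
console.log(sampleEnvelope, decryptCredential('constructed-master-password', sampleEnvelope));
```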

Threat Model

Credentials are Protected Against:

  • ✅ Server compromise (credentials encrypted with your master password at rest)
  • ✅ Network interception of credentials (HTTPS + pre-encrypted payload)
  • ✅ Database breach (credentials remain encrypted without your master password)
  • ✅ Unauthorized access (credentials unreadable without master password)
  • ✅ Insider threats (employees cannot decrypt credentials)

Network Traffic & Browsing Data is NOT Protected Against:

  • ❌ Server compromise (unencrypted network recordings accessible)
  • ❌ Database breach (browsing patterns, URLs, API responses exposed)
  • ❌ Insider threats (employees can access unencrypted data)
  • ❌ Legal requests (we can and will provide unencrypted data when legally required)
  • ❌ Service provider access (cloud infrastructure providers can access unencrypted data)

Comparison to Password Managers

Feature | Password Managers | Unbrowse Agent
Encrypted credentials | ✅ Yes | ✅ Yes
Zero-knowledge credentials | ✅ Yes | ✅ Yes
Encrypted browsing data | N/A | ❌ No
Minimal data collection | ✅ Yes | ❌ No
Server can see activity | ❌ No | ✅ Yes
Privacy-focused | ✅ Yes | ❌ No

Summary: What You Should Know

Unbrowse Agent is an automation tool, not a privacy tool.

✅ What IS Private (Credential Sync Only):

  • Your master password (never stored, never transmitted during credential sync)
  • Decrypted credential values (encrypted client-side before upload)

⚠️ What IS NOT Private (Chat Features):

  • Encryption key (transmitted in HTTP headers to enable AI automation)
  • Server can decrypt credentials when you use chat with your encryption key
  • Any chat where you provide your encryption key gives us access to decrypt credentials

❌ What IS NOT Private (All Products):

  • Every website you visit during recording
  • All network traffic and API responses
  • Your browsing patterns and timing
  • Non-authentication cookies and headers
  • Content and data from recorded sessions

If you need maximum privacy, consider:

  • Using domain exclusions for sensitive sites
  • Only recording when necessary
  • Understanding that we can see everything except your decrypted credentials
  • Keeping in mind that this tool prioritizes automation functionality over privacy

Contact Us

If you have questions about this Privacy Policy or our data practices:

For security concerns or to report vulnerabilities:

Your Consent

By using Unbrowse Agent, you consent to this Privacy Policy and our data practices as described herein.

If you do not agree with this policy, please discontinue use of the Extension and uninstall it from your browser.

