Privacy Policy

Last updated: May 13, 2026

1. Introduction

At AI Browsing Assistant, we are committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, process, and disclose your information when you use our Chrome browser extension and associated services (collectively, the "Extension").

By installing and using the Extension, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

We collect and store only the minimum information necessary to provide our service. Specifically:

2.1 Google Account Authentication & OAuth Scopes

AI Browsing Assistant authenticates using your own Google Account via OAuth 2.0. When you sign in, you grant the Extension the following specific permissions:

email scope: Allows the Extension to view your email address associated with your Google Account. This is used to identify your account.
generative-language.retriever scope: Allows the Extension to access Google's Gemini API for AI processing. This is required for the AI features to function.

The Extension never sees, accesses, or stores your Google Account password. Authentication is handled securely by Google's OAuth system. For more information about how Google handles your data, please review the Google Privacy Policy.

2.2 Data Transmitted to Google for AI Processing

IMPORTANT: When you use the Extension's AI features, the following data is transmitted directly from your browser to Google's Gemini API servers for processing:

Your prompts and queries: Any questions, commands, or text you input for AI processing
Webpage content snippets: Portions of web pages you actively interact with when using AI features (e.g., content you ask the AI to analyze, summarize, or explain)
AI responses: Generated responses from Google's API flow back through the Extension

Key Fact: This AI-related data flows directly from the Extension to Google. Our backend server (Firebase) never sees, accesses, intercepts, or stores these prompts, webpage snippets, or AI responses. Google processes this data under their own Terms of Service and Privacy Policy. We encourage you to review Google's Terms of Service and Google Privacy Policy to understand how Google handles your AI processing data.

2.3 Email Address

When you sign up for an account or subscribe to our Pro plan, we collect your email address. Your email is used to:

Authenticate your identity and maintain your account
Determine whether you are a Free or Pro user and grant access to the corresponding features
Track daily free prompt usage for Free-tier users to enforce usage limits
Manage and verify active Pro subscriptions
Send essential service-related communications (e.g., subscription confirmations, payment receipts, account notifications)

2.4 Usage Data (Free Prompt Count)

For Free-tier users, we maintain a simple integer counter of AI prompts submitted per day to enforce the daily usage limit. This counter is associated with your email address and resets automatically every 24 hours. No prompt content, webpage content, or AI responses are included in this usage data — only a numerical count. This data is not used for any other purpose.

2.5 Payment Information

We do not collect, store, or process your payment card details. All payment processing for Pro subscriptions is handled securely by our third-party payment processor, Stripe. We may receive a confirmation of your payment status (e.g., paid or declined) and your email address, but we never have access to your full financial details. For more information, review the Stripe Privacy Policy.

2.6 Information We Do NOT Collect, Store, or Retain Long-Term

We do NOT collect, access, or store long-term any of the following on our systems:

Your name, physical address, or phone number
Your IP address
Full browsing history, bookmarks, or comprehensive list of visited web pages
Important clarification: While webpage content snippets and prompts ARE TRANSMITTED to Google's API when you actively use AI features (see Section 2.2), we never collect, access, or store this AI-related data on our own backend systems. This data flows directly from your browser to Google.
Cookies or tracking identifiers for advertising purposes
Any sensitive or special category data

3. How We Collect Information

We collect information in the following ways:

3.1 Email Address Collection

Your email address is collected when:

Account Registration: When you create an account through the Extension's sign-up flow or Google OAuth, you provide your email address voluntarily.
Subscription Purchase: When you purchase a Pro subscription via Stripe, your email is collected as part of the order process to link your subscription to your account.

3.2 AI Processing Data Flow

Important clarification about AI processing: As explained in Section 2.2, when you use AI features, prompts, webpage content snippets, and queries are transmitted directly from your browser to Google's Gemini API for processing. This data flows: Extension → Google API → Extension.

Our Firebase backend server never sees, intercepts, or stores this AI processing data. Our backend only receives and stores: (1) your email address and (2) a simple daily integer counter of prompt usage for free-tier usage limit enforcement.

4. Lawful Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, our lawful basis for collecting and processing your email address is:

Contractual Necessity (Article 6(1)(b)): Processing is necessary to perform our contract with you — specifically, to create and maintain your account, provide the Extension's features, manage subscriptions, and enforce usage limits.
Consent (Article 6(1)(a)): Where required, we obtain your explicit consent before collecting your email address. You may withdraw consent at any time by contacting us.

5. Data Storage and Security

We take the security of your data seriously. Your information is stored in three distinct locations, each with appropriate security measures:

5.1 Local Browser Storage

The following data is stored only locally on your device using browser storage mechanisms (localStorage or Chrome Extension storage):

Theme preferences (light/dark mode)
Local extension settings

This data never leaves your browser and is never transmitted to our servers or any third parties. It remains on your device until you uninstall the Extension or clear your browser storage.

5.2 Stripe (Payment Processor)

The following data is stored by Stripe, our PCI-DSS compliant payment processor:

Your email address
Subscription status and history
Payment transaction records (but NOT your full card details — Stripe handles payment card information securely)

Stripe's security practices include encryption, access controls, and regular security audits. For more information, see the Stripe Privacy Policy and Stripe Security.

5.3 Firebase Backend (European Union)

Our backend infrastructure is hosted on Firebase (Google Cloud Platform) in the European Union (EU). Only the following minimal data is stored here:

Your email address: For account identification and subscription verification
Daily prompt counter: A simple integer that tracks how many free AI prompts you've used each day

IMPORTANT: Our Firebase backend never stores any of the following: prompt content, webpage snippets, AI responses, browsing history, IP addresses, or any sensitive personal data. Only email + integer counter.

5.4 Security Practices

We implement appropriate security measures:

Encryption in Transit: All data transmitted between the Extension and our Firebase backend uses TLS encryption.
Access Controls: Access to our Firebase backend is restricted to authorized personnel only with multi-factor authentication.
Data Minimization: We collect and store only the absolute minimum data necessary to operate the service.
Third-Party Security: We rely on the security practices of established providers (Google Cloud/Firebase, Stripe) who maintain industry-leading security certifications.

6. Data Retention

Data retention periods vary by storage location. We retain data only for as long as necessary:

6.1 Local Browser Storage

Retained until you uninstall the Extension or clear your browser storage.
No automatic deletion based on time — this data remains on your device until you actively remove it.

6.2 Firebase Backend (EU)

Daily Prompt Counters: Automatically reset every 24 hours. No historical counter data is retained — only the current day's count exists.
Email Address: Retained for as long as your account remains active.
Automatic Account Deletion: Accounts with 30 days of consecutive inactivity may be automatically deleted from our backend.
User-Initiated Deletion: Upon your request via email to kessawy.dev@gmail.com, we will permanently delete your email and associated data from our backend within 30 days, unless we are required by law to retain certain information longer.

6.3 Stripe

Retained according to Stripe's data retention policies, which may include legal and tax retention requirements.
Typically retained for several years for financial record-keeping purposes.
To request deletion of your Stripe customer records, you may need to contact Stripe directly or contact us for assistance.

6.4 Google AI Processing Data

Important: Prompts, webpage content snippets, and AI responses transmitted to Google's Gemini API are processed by Google. Retention of this AI data is governed by Google's Privacy Policy and data retention practices. We have no control over how long Google retains this data. Review Google's Privacy Policy for more information.

7. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information to third parties for advertising or marketing purposes. However, we do share data with third parties as necessary for the Extension to function. Below is a complete disclosure:

7.1 Google Gemini API (Most Significant Data Sharing)

This is the most important data sharing relationship:

What is shared: When you actively use AI features, your prompts, queries, and webpage content snippets are transmitted to Google's Gemini API for processing.
Data flow: This data flows directly from your browser → Google's API → your browser. Our Firebase backend never sees, intercepts, or stores this AI processing data.
Why it's shared: Required for the AI features to work. This is enabled through the generative-language.retriever OAuth scope you grant when signing in.
Google's role: Google acts as an independent data controller/processor for this AI data.
Privacy reference: Google Privacy Policy | Google Terms of Service

If you have questions about how Google handles your AI processing data, you should review Google's privacy documentation or contact Google directly.

7.2 Google Account Authentication (OAuth)

What is shared: Your email address (via the email OAuth scope) and authentication tokens.
Data flow: Authentication is handled securely by Google's OAuth system.
Why it's shared: Required to authenticate your identity and access the Gemini API.
Privacy reference: Google Privacy Policy

7.3 Stripe (Payment Processor)

What is shared: Your email address, subscription status, and payment transaction information.
Why it's shared: Required to process Pro subscription payments and manage subscriptions.
Stripe's role: Stripe acts as our payment processor. We never see or store your full payment card details — only Stripe handles all payment information securely.
Privacy reference: Stripe Privacy Policy

7.4 Firebase (Google Cloud Platform)

What is shared: Your email address and daily prompt integer counter ONLY. That's it — no prompt content or webpage data.
Why it's shared: Firebase hosts our backend infrastructure in the European Union.
Location: European Union (EU)
Privacy reference: Google Cloud Terms | Google Privacy Policy

7.5 Legal Compliance

We may disclose your information if required to do so by law or in response to valid legal requests (e.g., a court order, subpoena, or government investigation). We will notify you where legally permitted.

7.6 Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or use of your data.

8. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal data:

8.1 Access

You have the right to request a copy of the personal data we hold about you (your email address and associated usage data).

8.2 Rectification

You have the right to request that we correct any inaccurate or incomplete data we hold about you.

8.3 Deletion ("Right to be Forgotten")

You have the right to request the deletion of your personal data. Upon verification, we will delete your email and all associated records within 30 days, subject to legal retention obligations.

8.4 Restriction of Processing

You have the right to request that we restrict the processing of your data under certain circumstances (e.g., while a correction request is being evaluated).

8.5 Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller.

8.6 Withdrawal of Consent

Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

8.7 Complaint to a Supervisory Authority

If you are in the EEA or UK, you have the right to lodge a complaint with your local data protection supervisory authority if you believe our processing of your data violates applicable law.

To exercise any of these rights, please contact us at kessawy.dev@gmail.com. We will respond within 30 days.

9. Third-Party Services and Links

The Extension may contain links to third-party websites or services (e.g., payment processors, Google services). This Privacy Policy applies only to our Extension. We are not responsible for the privacy practices of third parties. We encourage you to review the privacy policies of any third-party services you interact with.

10. Children's Privacy

The Extension is not intended for use by individuals under the age of 13 (or 16 in the EEA/UK). We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal data without parental consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us immediately.

11. International Data Transfers

Data may be transferred between different countries depending on the service provider. Below is a breakdown by storage/processing location:

11.1 Our Firebase Backend (EU-Based)

Good news for EU users: Our Firebase backend infrastructure is hosted in the European Union (EU). This means:

Your email address and daily prompt counter are stored on servers physically located within the EU.
No international transfer is required for this minimal data (email + counter) — it stays in the EU.

11.2 Google Gemini API (Global Processing)

This is where most international transfers occur:

When you use AI features, prompts, queries, and webpage content snippets are transmitted to Google's Gemini API servers.
Google processes this data on their global infrastructure, which may involve transfers to or processing in countries outside the EU/EEA, including the United States.
Google has established appropriate safeguards for these international transfers, including:

Standard Contractual Clauses (SCCs): Approved by the European Commission
Data Processing Agreements (DPAs): Where applicable
Google's EU-US Data Privacy Framework certification: Where applicable

For more information about Google's international data transfer practices, please review the Google Privacy Policy and Google Cloud Data Processing Terms.

11.3 Stripe (Payment Processor)

Stripe operates a global payment infrastructure with data centers in multiple countries.
Your email address and payment transaction records may be transferred to or processed in various countries as needed for Stripe's payment services.
Stripe uses Standard Contractual Clauses (SCCs) and other appropriate safeguards for international transfers.
For more information, see the Stripe Privacy Policy.

11.4 Safeguards Summary

Where international data transfers occur (primarily through Google and Stripe), we and our service providers ensure appropriate safeguards are in place through:

Standard Contractual Clauses (SCCs) approved by the European Commission
Data Processing Agreements (DPAs) with our service providers
EU-US Data Privacy Framework certifications where applicable
Adequacy decisions where applicable

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. When we make material changes, we will notify you by:

Posting the updated policy on this page with a revised "Last updated" date
Sending a notification to your email address (if the changes materially affect your rights)
Displaying a notice within the Extension

We encourage you to review this Privacy Policy periodically. Your continued use of the Extension after changes take effect constitutes your acceptance of the updated policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: kessawy.dev@gmail.com

We will make every effort to address your concerns promptly.