webSlinger Privacy Policy

Last Updated: November 12, 2024

1. INTRODUCTION

webSlinger ("we," "our," or "the Extension") is a browser extension that helps you automate web-based workflows by recording your interactions and generating executable automation scripts. This Privacy Policy explains how we collect, use, and protect your information.

This policy should be read in conjunction with our Acceptable Use Policy and Terms of Service, which govern your use of webSlinger.

2. INFORMATION WE COLLECT

2.1 Account Information

When you register for webSlinger, we collect:

• Email address (for account creation and verification)
• Password (hashed with bcrypt before storage, never stored in plaintext)
• API key (generated automatically for extension-server authentication)
• Subscription tier (free, basic, or pro)

2.2 Usage Statistics

We track the following usage metrics for billing and service management:

• Server API call counts (monthly totals)
• Automation script generation counts (monthly totals)
• Session map creation timestamps
• API request timestamps and operation types

This data is stored in AWS DynamoDB and aggregated per user account. We use this data solely for enforcing subscription tier limits and understanding service usage patterns.

2.3 Session Maps

When you record automation sessions, we store:

• Website URLs you visited during recording
• DOM element data (tag names, attributes, text content) from interactive elements
• XPath selectors for elements you interacted with
• Navigation sequences and action chains
• State signatures (hashed page structure data)
• Data extraction points and their metadata
• Task descriptions and goals you provide through the launch interface

Session maps are stored under your user account in AWS S3. We do NOT access the content of session maps except when you request script generation.

2.4 Automation Scripts

Generated automation scripts are stored:

• Under your user account in AWS S3
• With metadata including input/output specifications
• Creation timestamps and generation parameters

Scripts contain only the automation logic; they do NOT contain:

• Your actual credentials
• Personal data you enter during automation
• Extracted data values from automation runs

2.5 Operation Logs

We maintain operational logs for debugging and service monitoring:

• API request timestamps
• Hashed API keys (for privacy, not the actual keys)
• Operation types (tree generation, selector requests, script generation)
• Session map and script filenames

Logs are batched and written to AWS S3 every 5 minutes. Logs do NOT contain:

• Page content from websites you automate
• Form data you enter during automation
• Credentials or authentication tokens
• Extracted data values

2.6 What We DO NOT Collect

webSlinger does NOT collect, store, or transmit:

• Website credentials (passwords, API keys for third-party services)
• TOTP secrets or multi-factor authentication codes
• Personal data entered into forms during automation
• Credit card numbers, SSNs, or other sensitive personal information
• Browsing history outside of recording sessions
• Data extracted during automation execution

3. HOW WE USE YOUR INFORMATION

3.1 To Provide Core Services

• Authenticate your extension with our servers using API keys
• Generate decision trees for selector creation
• Process session maps to generate automation scripts via LLM
• Store your session maps and scripts under your account
• Enforce subscription tier limits based on usage statistics

3.2 To Improve Our Services

• Analyze aggregated usage patterns (not individual user data)
• Monitor server performance and error rates
• Identify common automation patterns for feature development
• Debug issues reported by users

3.3 To Communicate With You

• Send account verification emails during registration
• Provide usage notifications if approaching tier limits
• Send service announcements and security updates
• Respond to support requests

4. CREDENTIAL MANAGEMENT (ZERO-KNOWLEDGE ARCHITECTURE)

webSlinger uses a zero-knowledge credential architecture:

4.1 How Credentials Work

• webSlinger NEVER handles your website passwords directly
• Credentials are stored in keyBunker (local native application)
• keyCocoon extension acts as a secure bridge
• When automation needs credentials:
  1. webSlinger requests login from keyCocoon
  2. keyCocoon retrieves credentials from keyBunker
  3. keyCocoon injects credentials into the target website
  4. Credentials NEVER pass through webSlinger code

4.2 Credential Isolation

• Passwords stored locally on your device in keyBunker
• Encrypted with AES-256 using master password-derived key
• keyCocoon handles credential injection (not webSlinger)
• Credentials NEVER transmitted to webSlinger servers
• Credentials NEVER appear in session maps or scripts

4.3 TOTP and Multi-Factor Authentication

• TOTP secrets stored in keyBunker alongside passwords
• keyCocoon generates time-based codes locally using RFC 6238
• Codes generated on-demand, not pre-calculated
• Shared secrets never leave your device

5. DATA STORAGE AND SECURITY

5.1 Where Data is Stored

• User accounts: AWS DynamoDB (encrypted at rest)
• Session maps: AWS S3 (encrypted at rest, stored per user)
• Automation scripts: AWS S3 (encrypted at rest, stored per user)
• Operation logs: AWS S3 (encrypted at rest)
• API key mappings: AWS DynamoDB (encrypted at rest)

5.2 Data Security Measures

• All data encrypted at rest in AWS storage
• API communications use HTTPS/TLS encryption
• Passwords hashed with bcrypt (never stored in plaintext)
• API keys use bearer token authentication
• User data isolated per account (cannot access other users' data)

5.3 Data Retention

• Active user accounts: Retained until account deletion
• Session maps and scripts: Retained until deleted by user
• Operation logs: Retained for 90 days then automatically deleted
• Deleted accounts: All associated data removed within 30 days

6. DATA SHARING AND THIRD PARTIES

6.1 We DO NOT Sell Your Data

webSlinger does not sell, rent, or trade your personal information to third parties for marketing purposes.

6.2 Third-Party Services We Use

AWS (Amazon Web Services)

• Purpose: Cloud hosting for storage and databases
• Data shared: Session maps, scripts, user accounts, logs
• Privacy policy: https://aws.amazon.com/privacy/

Anthropic Claude / OpenAI (LLM Providers)

• Purpose: Generate automation scripts from session maps
• Data shared: Session map contents, task descriptions, API references
• Privacy policy: https://www.anthropic.com/privacy
• Note: LLM providers receive session map data during script generation but do NOT receive credentials or personal data entered during automation

6.3 Legal Requirements

We may disclose information if required by law, such as:

• Responding to subpoenas or court orders
• Protecting our legal rights
• Preventing fraud or abuse
• Complying with regulatory obligations

7. YOUR DATA RIGHTS AND CHOICES

7.1 Access Your Data

• View session map metadata through the web interface
• View automation script names and descriptions
• Access usage statistics and account information
• Monitor API usage and subscription status

7.2 Data Export Requests

To export your data, contact privacy@webslinger.ai with:

• Subject: "Data Export Request"
• Include: Your registered email address
• We will provide exports within 30 days in JSON format

Available exports:

• Session maps (JSON format with all recorded navigation and interactions)
• Automation script metadata (excluding executable code)
• Account information and usage statistics

Note: Automation scripts contain proprietary execution logic and require an active subscription to run. Scripts may be editable to premium tier subscribers in future releases.

7.3 Data Deletion

• Delete individual session maps through the web interface at https://webslinger.ai
• Delete automation scripts through the web interface at https://webslinger.ai
• Request account deletion by contacting privacy@webslinger.ai
• All associated data deleted within 30 days of account deletion

7.4 Account Control

• Change your password at any time
• Regenerate API keys if compromised
• Upgrade or downgrade subscription tier
• Monitor monthly usage statistics

8. BROWSER EXTENSION PERMISSIONS

webSlinger requests the following browser permissions:

8.1 tabs

• Purpose: Coordinate three-tab automation (main, validation, copy)
• Use: Monitor navigation, detect tab creation, maintain state sync
• Privacy: We do NOT track browsing outside of active recording sessions

8.2 activeTab

• Purpose: Access current page when starting recording
• Use: Initialize session recording on user-selected websites
• Privacy: Only active during explicit recording sessions

8.3 scripting

• Purpose: Inject automation code to execute workflows
• Use: Run automation scripts in target websites
• Privacy: Scripts run locally, results not transmitted to servers

8.4 debugger

• Purpose: Bypass anti-bot measures requiring trusted events
• Use: Submit forms on security-conscious websites (e.g., AccuWeather)
• Privacy: Used sparingly, only when programmatic submission fails

8.5 storage

• Purpose: Save settings and session data locally
• Use: Store API keys, session configuration, preferences
• Privacy: Local storage only, not synchronized across devices

8.6 host_permissions (<all_urls>)

• Purpose: Automate any website you choose
• Use: Required to inject content scripts on target websites
• Privacy: We only access pages during active recording or automation

8.7 nativeMessaging

• Purpose: Communicate with taskSpinner scheduling app
• Use: Enable scheduled automation execution
• Privacy: Local communication only, no network transmission

8.8 downloads

• Purpose: Save execution reports and extracted data
• Use: Download automation results to your device
• Privacy: Files saved locally to your downloads folder

8.9 system.display

• Purpose: Detect multi-monitor setups
• Use: Optimize window placement for three-tab workflows
• Privacy: Only queries display configuration, no content access

8.10 contextMenus

• Purpose: Right-click shortcuts for recording configuration
• Use: Mark inputs, designate data extraction, request credentials
• Privacy: Menu options only appear during recording sessions

8.11 management

• Purpose: Detect if keyCocoon extension is installed
• Use: Enable/disable credential features based on keyCocoon availability
• Privacy: Only queries installed extension list, no access to other extensions

9. CHILDREN'S PRIVACY

webSlinger is not intended for use by children under 13 years of age. We do not knowingly collect personal information from children. If we discover that we have collected information from a child under 13, we will delete it immediately.

10. INTERNATIONAL DATA TRANSFERS

webSlinger servers and data storage are located in the United States. If you use webSlinger from outside the US, your information will be transferred to and processed in the United States. By using webSlinger, you consent to this transfer and processing.

11. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy periodically. When we make changes:

• We will update the "Last Updated" date at the top
• Significant changes will be announced via email
• Continued use after changes constitutes acceptance
• Previous versions available upon request

12. CONTACT US

For privacy-related questions, data requests, or concerns:

• Email: privacy@webslinger.ai
• Website: https://webslinger.ai/privacy

For data deletion requests or exercising your privacy rights:

• Email: privacy@webslinger.ai
• Subject: Data Request - [Your Request Type]

We will respond to privacy requests within 30 days.

13. CALIFORNIA PRIVACY RIGHTS (CCPA)

California residents have additional rights under CCPA:

Right to Know

• What personal information we collect
• How we use and share it
• Categories of third parties we share with

Right to Delete

• Request deletion of your personal information
• Exceptions: Information needed for legal compliance

Right to Opt-Out

• We do NOT sell personal information
• No opt-out needed as we don't engage in data sales

To exercise these rights, contact privacy@webslinger.ai

14. EUROPEAN PRIVACY RIGHTS (GDPR)

European users have rights under GDPR:

Right to Access

• Request copies of your personal data
• Receive data in portable format (JSON)

Right to Rectification

• Correct inaccurate personal data
• Complete incomplete data

Right to Erasure ("Right to be Forgotten")

• Request deletion of your data
• We will comply within 30 days

Right to Restrict Processing

• Limit how we use your data
• Available during dispute resolution

Right to Data Portability

• Receive your data in JSON format
• Transfer to another service

Right to Object

• Object to data processing
• We will cease unless compelling grounds exist

To exercise GDPR rights, contact privacy@webslinger.ai