Legal
AutoReg is built with a privacy-first architecture. The desktop application operates almost entirely on your local machine and does not phone home.
This summary is not a substitute for the full policy below, but gives you the key facts at a glance.
We do not collect
We may collect
This Privacy Policy ("Policy") applies to:
It does not apply to third-party services you connect to through the App (such as OpenAI). Those services operate under their own privacy policies.
AutoReg ("we," "us," or "our") is the data controller responsible for personal data collected via the Site. Because the App operates locally and collects no personal data on our servers, no controller relationship arises from App usage alone.
Contact: privacy@autoreg.cloud
The AutoReg desktop application is designed to keep your data on your machine. Here is a complete inventory of what the App handles and where it goes:
You supply your own OpenAI API key during setup. The App stores this key using your operating system's native credential store:
The key is never transmitted to AutoReg servers. It is only sent to OpenAI when you initiate an AI action, and that transmission is between your machine and OpenAI directly.
Test plans (autoreg.md), generated scenario JSON files, browser test scripts, and HTML reports are stored exclusively in the project folder you choose on your local filesystem. AutoReg does not upload, sync, or back up these files.
App preferences (e.g., selected AI model, window size) are stored in the OS-standard application data directory on your device. This data never leaves your machine.
None. The App does not transmit usage statistics, feature telemetry, crash reports, or any other behavioral data to us or any third party. There are no embedded analytics SDKs in the App.
The App makes outbound network requests only in the following circumstances:
| Destination | When | What is sent | Who controls |
|---|---|---|---|
| OpenAI API (api.openai.com) | When you trigger AI test generation or autoheal | Your app URL, captured DOM snapshots, and any text in the chat composer | You — your API key, your data |
| No other destination | — | — | — |
Data sent to OpenAI is governed exclusively by OpenAI's Privacy Policy. AutoReg has no visibility into or control over how OpenAI processes your data.
When you visit autoreg.ai, our hosting infrastructure automatically records standard web server log data. This may include:
This data is used solely for security monitoring, debugging, and aggregate traffic analysis (e.g., counting downloads). Logs are retained for no more than 90 days and are not linked to any personal profile.
If you contact us (e.g., via email to privacy@autoreg.cloud), we collect the information you provide in your message, including your email address and any content you share. We use this only to respond to your inquiry.
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Provide and maintain the Site | Server logs | Legitimate interest (security & performance) |
| Security monitoring & abuse prevention | IP address, server logs | Legitimate interest |
| Respond to support inquiries | Email address, message content | Performance of contract / Legitimate interest |
| Aggregate analytics (non-personal) | Anonymized log data (page views, download counts) | Legitimate interest |
| Legal compliance | Any data required by law | Legal obligation |
We do not use your information for advertising, profiling, or any purpose not listed above. We do not make automated decisions about you using your data.
The App integrates with the OpenAI API using credentials you supply. When you use AI features, data (your app's URL and DOM snapshots) is transmitted from your machine directly to OpenAI. AutoReg does not intermediate or store this data. Your use of OpenAI is subject to OpenAI's Privacy Policy and Terms of Use.
This Site is hosted on infrastructure provided by a third-party hosting provider (e.g., Vercel). Server logs described in Section 3.1 may pass through or be stored on their infrastructure. Hosting providers are contractually required to handle data in compliance with applicable law.
We may disclose personal information if required to do so by law, court order, or governmental authority, or when we believe in good faith that disclosure is necessary to: (a) comply with legal process; (b) protect the rights, property, or safety of AutoReg, our users, or the public; or (c) detect, prevent, or address fraud or security issues.
| Data type | Retention period | Basis |
|---|---|---|
| Web server logs | 90 days, then deleted | Security & debugging |
| Support email correspondence | Duration of support relationship + 1 year | Responding to inquiries |
| Anonymized aggregate metrics | Indefinite | Legitimate interest |
| App data (local files, API key) | Controlled entirely by you — deleted when you uninstall or delete files | User control |
You may request earlier deletion of any personal information we hold about you. See Section 9 (CCPA) or Section 10 (GDPR) for how to submit a request.
We implement industry-standard technical and organizational measures to protect the limited personal data we hold:
No method of transmission or storage is 100% secure. If you believe your security has been compromised, contact us at privacy@autoreg.cloud immediately.
AutoReg is not directed at children under the age of 13 (or 16 in the EU/EEA/UK). We do not knowingly collect personal information from children. If you are under the applicable age of consent in your jurisdiction, do not use this Site or App.
If you are a parent or guardian and believe your child has provided us with personal information, contact us at privacy@autoreg.cloud and we will promptly delete it.
If you are a California resident, the California Consumer Privacy Act of 2018 ("CCPA") as amended by the California Privacy Rights Act of 2020 ("CPRA") affords you the following rights. This section supplements the rest of this Policy.
| Category (Cal. Civ. Code §1798.140) | Collected? | Examples | Sold or Shared? |
|---|---|---|---|
| Identifiers | Yes — Site only | IP address, browser User-Agent | No |
| Internet / electronic network activity | Yes — Site only | Pages visited, download events | No |
| Geolocation data | No | — | — |
| Commercial information | No | — | — |
| Biometric data | No | — | — |
| Audio, electronic, visual data | No | — | — |
| Professional / employment info | No | — | — |
| Education information | No | — | — |
| Sensitive personal information | No | — | — |
| Inferences drawn from above | No | — | — |
Request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months, the sources, the purposes, and any third parties with whom we have shared it.
Request deletion of personal information we have collected from you, subject to certain exceptions (e.g., completing a transaction, detecting security incidents, complying with a legal obligation).
Request correction of inaccurate personal information we maintain about you.
Opt out of the sale or sharing of your personal information. We do not sell or share personal information, so this right is automatically fulfilled. We do not require you to submit an opt-out request.
Request that we limit use of sensitive personal information to what is necessary to provide our services. We do not collect sensitive personal information.
We will not discriminate against you for exercising any CCPA/CPRA right. We will not deny you services, charge different prices, provide a different quality of service, or suggest any of the above.
To exercise any of the above rights, submit a verifiable consumer request to:
We will respond within 45 days of receipt of a verifiable request. We may extend by an additional 45 days when reasonably necessary (with notice). We do not charge a fee unless requests are manifestly unfounded or excessive.
You may designate an authorized agent to make a request on your behalf by providing written authorization. We may require direct verification from you to confirm the agent's authority.
California residents may request information about disclosures of personal information to third parties for their direct marketing purposes. AutoReg does not disclose personal information to third parties for direct marketing.
If you are located in the European Union, European Economic Area, or United Kingdom, the General Data Protection Regulation (GDPR) and/or the UK GDPR apply to the processing of your personal data by AutoReg as data controller.
| Processing activity | Legal basis (Art. 6 GDPR) |
|---|---|
| Web server logs for security & site operation | Art. 6(1)(f) — Legitimate interests (operating and securing the Site) |
| Responding to your support request | Art. 6(1)(b) — Performance of a contract / Art. 6(1)(f) — Legitimate interests |
| Legal compliance | Art. 6(1)(c) — Legal obligation |
We have conducted legitimate interest assessments (LIAs) for the processing activities relying on Article 6(1)(f). Copies are available on request.
Request a copy of the personal data we hold about you and information about how we process it (Art. 15).
Request correction of inaccurate or incomplete personal data (Art. 16).
"Right to be forgotten." Request deletion of your personal data where there is no compelling reason for continued processing (Art. 17).
Request that we restrict processing of your data in certain circumstances (Art. 18).
Receive your personal data in a structured, commonly used, machine-readable format where processing is based on consent or contract (Art. 20).
Object to processing based on legitimate interests (Art. 21). We will cease processing unless we can demonstrate compelling legitimate grounds.
If processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
Lodge a complaint with your local data protection authority. For EU residents, a list is at edpb.europa.eu. For UK residents, contact the ICO at ico.org.uk.
To exercise these rights, contact privacy@autoreg.cloud. We will respond within 30 days (extendable to 90 days for complex requests, with notice).
Given the minimal personal data we process, we are not required to appoint a Data Protection Officer. Privacy inquiries should be directed to privacy@autoreg.cloud.
Canadian residents have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial laws, including the right to access personal information we hold about you, request correction, and challenge our compliance. Contact privacy@autoreg.cloud.
Brazilian residents have rights under the Lei Geral de Proteção de Dados (LGPD), including the rights of access, correction, deletion, portability, and information about sharing. Contact privacy@autoreg.cloud to exercise these rights.
Australian residents may access and correct personal information we hold about them under the Australian Privacy Act 1988. Contact privacy@autoreg.cloud.
Regardless of your location, we aim to honor the strongest applicable privacy standard. If your jurisdiction provides privacy rights not listed here, contact us and we will work to accommodate your request.
The Site is hosted on infrastructure that may be located outside your country. If you are in the EU/EEA/UK, transfers of personal data to countries without an adequacy decision are governed by our hosting provider's Standard Contractual Clauses (SCCs) pursuant to Article 46 GDPR.
Because the App does not send personal data to us, no cross-border transfer of App data occurs through AutoReg. Data you send to OpenAI from the App is subject to OpenAI's own transfer mechanisms.
We may update this Policy to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
Your continued use of the Site or App after the effective date of any update constitutes your acceptance of the revised Policy. We encourage you to review this page periodically.
For any privacy-related questions, rights requests, or concerns, contact us at:
AutoReg Privacy Team
Email: privacy@autoreg.cloud
Please include "Privacy Request" in your subject line. We aim to respond to all inquiries within 5 business days and to complete formal rights requests within the timelines stated in Sections 9 and 10.
If you are unsatisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction (see Section 10.2 for GDPR contacts).