Legal

Privacy Policy

AutoReg is built with a privacy-first architecture. The desktop application operates almost entirely on your local machine and does not phone home.

Effective: June 28, 2026·Last updated: June 28, 2026

Summary

This summary is not a substitute for the full policy below, but gives you the key facts at a glance.

We do not collect

  • Telemetry, analytics, or crash reports from the app
  • Your test plans, scenarios, or HTML reports
  • Your OpenAI API key (stored in OS keychain only)
  • Personal data about your end-users
  • Usage patterns, feature clicks, or session recordings
  • Device identifiers or hardware fingerprints

We may collect

  • Standard web server logs when you visit this website (IP address, browser, referrer, timestamp)
  • Email address if you contact us voluntarily
We do not sell, rent, or share your personal information with third parties for advertising, marketing, or any commercial purpose. This applies to all users, including California residents under the CCPA/CPRA.

1. Scope & Data Controller

This Privacy Policy ("Policy") applies to:

  • ·The AutoReg desktop application ("App") for macOS and Windows.
  • ·This website at autoreg.ai ("Site").
  • ·Any communications between you and AutoReg.

It does not apply to third-party services you connect to through the App (such as OpenAI). Those services operate under their own privacy policies.

Data Controller

AutoReg ("we," "us," or "our") is the data controller responsible for personal data collected via the Site. Because the App operates locally and collects no personal data on our servers, no controller relationship arises from App usage alone.

Contact: [email protected]

2. Information We Collect — Desktop Application

The AutoReg desktop application is designed to keep your data on your machine. Here is a complete inventory of what the App handles and where it goes:

2.1 API Key

You supply your own OpenAI API key during setup. The App stores this key using your operating system's native credential store:

  • ·macOS: macOS Keychain Services — encrypted at rest, accessible only to AutoReg and the signed-in OS user.
  • ·Windows: Windows Data Protection API (DPAPI) — tied to your Windows user account.

The key is never transmitted to AutoReg servers. It is only sent to OpenAI when you initiate an AI action, and that transmission is between your machine and OpenAI directly.

2.2 Project Files

Test plans (autoreg.md), generated scenario JSON files, browser test scripts, and HTML reports are stored exclusively in the project folder you choose on your local filesystem. AutoReg does not upload, sync, or back up these files.

2.3 Application Configuration

App preferences (e.g., selected AI model, window size) are stored in the OS-standard application data directory on your device. This data never leaves your machine.

2.4 Telemetry & Analytics

None. The App does not transmit usage statistics, feature telemetry, crash reports, or any other behavioral data to us or any third party. There are no embedded analytics SDKs in the App.

2.5 Network Requests Made by the App

The App makes outbound network requests only in the following circumstances:

DestinationWhenWhat is sentWho controls
OpenAI API (api.openai.com)When you trigger AI test generation or autohealYour app URL, captured DOM snapshots, and any text in the chat composerYou — your API key, your data
No other destination

Data sent to OpenAI is governed exclusively by OpenAI's Privacy Policy. AutoReg has no visibility into or control over how OpenAI processes your data.

3. Information We Collect — Website

3.1 Server Logs

When you visit autoreg.ai, our hosting infrastructure automatically records standard web server log data. This may include:

  • ·IP address (may be used to infer approximate geographic region)
  • ·Browser type and version (User-Agent string)
  • ·Referring URL and exit page
  • ·Pages visited and time of visit
  • ·HTTP response codes

This data is used solely for security monitoring, debugging, and aggregate traffic analysis (e.g., counting downloads). Logs are retained for no more than 90 days and are not linked to any personal profile.

3.2 Voluntary Communications

If you contact us (e.g., via email to [email protected]), we collect the information you provide in your message, including your email address and any content you share. We use this only to respond to your inquiry.

3.3 What We Do Not Collect on the Website

  • We do not use cookies for tracking or advertising.
  • We do not use third-party analytics scripts (no Google Analytics, Mixpanel, etc.).
  • We do not use pixels, beacons, or fingerprinting technologies.
  • We do not collect payment information.

4. How We Use Your Information

PurposeData usedLegal basis (GDPR)
Provide and maintain the SiteServer logsLegitimate interest (security & performance)
Security monitoring & abuse preventionIP address, server logsLegitimate interest
Respond to support inquiriesEmail address, message contentPerformance of contract / Legitimate interest
Aggregate analytics (non-personal)Anonymized log data (page views, download counts)Legitimate interest
Legal complianceAny data required by lawLegal obligation

We do not use your information for advertising, profiling, or any purpose not listed above. We do not make automated decisions about you using your data.

5. Third-Party Services & Data Sharing

5.1 OpenAI

The App integrates with the OpenAI API using credentials you supply. When you use AI features, data (your app's URL and DOM snapshots) is transmitted from your machine directly to OpenAI. AutoReg does not intermediate or store this data. Your use of OpenAI is subject to OpenAI's Privacy Policy and Terms of Use.

5.2 Hosting Provider

This Site is hosted on infrastructure provided by a third-party hosting provider (e.g., Vercel). Server logs described in Section 3.1 may pass through or be stored on their infrastructure. Hosting providers are contractually required to handle data in compliance with applicable law.

5.3 We Do Not Sell or Share Personal Data

AutoReg does not sell, rent, license, or otherwise transfer your personal information to any third party for monetary or other valuable consideration. AutoReg does not share personal information for cross-context behavioral advertising. This applies regardless of whether you are a California resident or located elsewhere.

5.4 Legal Disclosure

We may disclose personal information if required to do so by law, court order, or governmental authority, or when we believe in good faith that disclosure is necessary to: (a) comply with legal process; (b) protect the rights, property, or safety of AutoReg, our users, or the public; or (c) detect, prevent, or address fraud or security issues.

6. Data Retention

Data typeRetention periodBasis
Web server logs90 days, then deletedSecurity & debugging
Support email correspondenceDuration of support relationship + 1 yearResponding to inquiries
Anonymized aggregate metricsIndefiniteLegitimate interest
App data (local files, API key)Controlled entirely by you — deleted when you uninstall or delete filesUser control

You may request earlier deletion of any personal information we hold about you. See Section 9 (CCPA) or Section 10 (GDPR) for how to submit a request.

7. Security

We implement industry-standard technical and organizational measures to protect the limited personal data we hold:

  • ·HTTPS/TLS encryption for all data in transit on this Site.
  • ·Access controls and authentication on our infrastructure.
  • ·API keys handled via OS-level secure credential stores, never in plaintext.
  • ·No centralized database of user personal data (because we do not collect it).

No method of transmission or storage is 100% secure. If you believe your security has been compromised, contact us at [email protected] immediately.

8. Children's Privacy (COPPA)

AutoReg is not directed at children under the age of 13 (or 16 in the EU/EEA/UK). We do not knowingly collect personal information from children. If you are under the applicable age of consent in your jurisdiction, do not use this Site or App.

If you are a parent or guardian and believe your child has provided us with personal information, contact us at [email protected] and we will promptly delete it.

9. California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act of 2018 ("CCPA") as amended by the California Privacy Rights Act of 2020 ("CPRA") affords you the following rights. This section supplements the rest of this Policy.

9.1 Categories of Personal Information Collected (Past 12 Months)

Category (Cal. Civ. Code §1798.140)Collected?ExamplesSold or Shared?
IdentifiersYes — Site onlyIP address, browser User-AgentNo
Internet / electronic network activityYes — Site onlyPages visited, download eventsNo
Geolocation dataNo
Commercial informationNo
Biometric dataNo
Audio, electronic, visual dataNo
Professional / employment infoNo
Education informationNo
Sensitive personal informationNo
Inferences drawn from aboveNo

9.2 Purposes for Collection

  • ·Security monitoring and fraud prevention.
  • ·Operating and improving this website.
  • ·Responding to inquiries.
  • ·Legal compliance.

9.3 Your CCPA / CPRA Rights

RIGHT TO KNOW

Request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months, the sources, the purposes, and any third parties with whom we have shared it.

RIGHT TO DELETE

Request deletion of personal information we have collected from you, subject to certain exceptions (e.g., completing a transaction, detecting security incidents, complying with a legal obligation).

RIGHT TO CORRECT

Request correction of inaccurate personal information we maintain about you.

RIGHT TO OPT-OUT

Opt out of the sale or sharing of your personal information. We do not sell or share personal information, so this right is automatically fulfilled. We do not require you to submit an opt-out request.

LIMIT USE OF SENSITIVE PI

Request that we limit use of sensitive personal information to what is necessary to provide our services. We do not collect sensitive personal information.

RIGHT TO NON-DISCRIMINATION

We will not discriminate against you for exercising any CCPA/CPRA right. We will not deny you services, charge different prices, provide a different quality of service, or suggest any of the above.

9.4 How to Submit a Request

To exercise any of the above rights, submit a verifiable consumer request to:

We will respond within 45 days of receipt of a verifiable request. We may extend by an additional 45 days when reasonably necessary (with notice). We do not charge a fee unless requests are manifestly unfounded or excessive.

You may designate an authorized agent to make a request on your behalf by providing written authorization. We may require direct verification from you to confirm the agent's authority.

9.5 Shine the Light (Cal. Civ. Code §1798.83)

California residents may request information about disclosures of personal information to third parties for their direct marketing purposes. AutoReg does not disclose personal information to third parties for direct marketing.

10. EU, EEA & UK Rights (GDPR / UK GDPR)

If you are located in the European Union, European Economic Area, or United Kingdom, the General Data Protection Regulation (GDPR) and/or the UK GDPR apply to the processing of your personal data by AutoReg as data controller.

10.1 Legal Bases for Processing

Processing activityLegal basis (Art. 6 GDPR)
Web server logs for security & site operationArt. 6(1)(f) — Legitimate interests (operating and securing the Site)
Responding to your support requestArt. 6(1)(b) — Performance of a contract / Art. 6(1)(f) — Legitimate interests
Legal complianceArt. 6(1)(c) — Legal obligation

We have conducted legitimate interest assessments (LIAs) for the processing activities relying on Article 6(1)(f). Copies are available on request.

10.2 Your Rights Under GDPR

RIGHT OF ACCESS

Request a copy of the personal data we hold about you and information about how we process it (Art. 15).

RECTIFICATION

Request correction of inaccurate or incomplete personal data (Art. 16).

ERASURE

"Right to be forgotten." Request deletion of your personal data where there is no compelling reason for continued processing (Art. 17).

RESTRICTION

Request that we restrict processing of your data in certain circumstances (Art. 18).

DATA PORTABILITY

Receive your personal data in a structured, commonly used, machine-readable format where processing is based on consent or contract (Art. 20).

OBJECTION

Object to processing based on legitimate interests (Art. 21). We will cease processing unless we can demonstrate compelling legitimate grounds.

WITHDRAW CONSENT

If processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

SUPERVISORY AUTHORITY

Lodge a complaint with your local data protection authority. For EU residents, a list is at edpb.europa.eu. For UK residents, contact the ICO at ico.org.uk.

To exercise these rights, contact [email protected]. We will respond within 30 days (extendable to 90 days for complex requests, with notice).

10.3 Data Protection Officer

Given the minimal personal data we process, we are not required to appoint a Data Protection Officer. Privacy inquiries should be directed to [email protected].

11. Other Jurisdiction Rights

Canada (PIPEDA / Law 25)

Canadian residents have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial laws, including the right to access personal information we hold about you, request correction, and challenge our compliance. Contact [email protected].

Brazil (LGPD)

Brazilian residents have rights under the Lei Geral de Proteção de Dados (LGPD), including the rights of access, correction, deletion, portability, and information about sharing. Contact [email protected] to exercise these rights.

Australia (Privacy Act 1988)

Australian residents may access and correct personal information we hold about them under the Australian Privacy Act 1988. Contact [email protected].

Regardless of your location, we aim to honor the strongest applicable privacy standard. If your jurisdiction provides privacy rights not listed here, contact us and we will work to accommodate your request.

12. Cookies & Tracking Technologies

This Site uses one functional cookie and no tracking technologies:

Cookie / StorageNamePurposeDurationThird-party?
localStorage (not a cookie)ar-themeRemembers your dark/light mode preferencePersistent (cleared on browser data clear)No

We do not use analytics cookies, advertising cookies, social media pixels, or any form of cross-site tracking. You may clear this storage entry at any time via your browser settings without affecting your ability to use the Site.

Under the EU ePrivacy Directive and UK PECR, a single functional cookie or equivalent storage that is strictly necessary for a user-requested feature (here, your chosen display mode) does not require consent.

13. International Data Transfers

The Site is hosted on infrastructure that may be located outside your country. If you are in the EU/EEA/UK, transfers of personal data to countries without an adequacy decision are governed by our hosting provider's Standard Contractual Clauses (SCCs) pursuant to Article 46 GDPR.

Because the App does not send personal data to us, no cross-border transfer of App data occurs through AutoReg. Data you send to OpenAI from the App is subject to OpenAI's own transfer mechanisms.

14. Changes to This Policy

We may update this Policy to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • ·Update the "Last updated" date at the top of this page.
  • ·Post a notice on the Site for at least 30 days.
  • ·Where required by law, obtain your consent before the changes take effect.

Your continued use of the Site or App after the effective date of any update constitutes your acceptance of the revised Policy. We encourage you to review this page periodically.

15. Contact Us

For any privacy-related questions, rights requests, or concerns, contact us at:

AutoReg Privacy Team

Email: [email protected]

Please include "Privacy Request" in your subject line. We aim to respond to all inquiries within 5 business days and to complete formal rights requests within the timelines stated in Sections 9 and 10.

If you are unsatisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction (see Section 10.2 for GDPR contacts).

Usage