Privacy Policy

This Privacy Policy explains what personal information BrowserRoster, a product of OARN Services (“we,” “us”), collects about you, how we use it, who we share it with, and the rights you have over it.

We follow the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada and aim to comply with the General Data Protection Regulation (GDPR) in the EU/UK and the California Consumer Privacy Act (CCPA/CPRA) where applicable.

Information you provide

• Account data: name, email address, and password hash (we never store your password in plaintext).
• Billing data: payment method tokens and billing address. Card numbers are handled directly by Square and never touch our servers.
• Communications: content of messages you send us via the contact form or email.
• Waitlist sign-ups: email address and the optional segment tag (e.g., agency, QA, marketing).

Information collected automatically

• License activation telemetry: when the desktop application activates a license, we record the machine’s hardware identifier (HWID), MAC address, hostname, Windows username, OS version, application version, and the public IP address from which the activation occurred. This data is used to enforce per-seat license terms and detect abuse.
• Web telemetry: when you visit our website, we log standard request metadata including IP address, user agent, referring URL, and pages viewed. We use Vercel’s built-in web analytics for aggregated traffic statistics; this does not use cookies or fingerprinting.
• Authentication cookies: we set httpOnly session cookies for authenticated users, managed by Supabase Auth. No third-party advertising or tracking cookies are used.

Information that stays on your machine

The contents of your browser profiles, including cookies, history, cached files, and credentials saved within a profile, remain locally on your machine, encrypted at rest with a key derived from your account. We do not have access to and cannot read your profile contents.

• To provide, maintain, and improve the Service;
• To process payments and manage subscriptions;
• To enforce license terms and detect or prevent abuse;
• To send transactional communications (account, billing, security);
• To respond to your inquiries and provide support;
• To send product updates and announcements that you can opt out of at any time;
• To comply with legal obligations and respond to lawful requests.

For customers in the EU and UK, our lawful bases for processing personal data are:

• Contract: we process data necessary to provide the Service you have purchased.
• Legitimate interest: we process activation telemetry to enforce license terms and detect abuse.
• Consent: where required, we obtain explicit consent (for example, marketing emails).
• Legal obligation: we retain certain records to comply with tax, accounting, and other legal requirements.

We do not sell personal information. We share data only with:

• Service providers that operate parts of our infrastructure: Supabase (database and authentication), Vercel (web hosting and CDN), Square (payment processing), and email delivery providers. Each acts as a data processor under our instruction and is contractually bound to protect the data they handle.
• Law enforcement and authorities when required by valid legal process, or when we reasonably believe disclosure is necessary to investigate fraud, protect the rights or safety of users, or comply with regulatory obligations.
• Successors in connection with a merger, acquisition, or sale of assets, subject to equivalent privacy protections.

Our infrastructure is hosted in the United States and Canada. If you access the Service from outside these countries, your information will be transferred to and processed in these jurisdictions. For EU/UK customers, we rely on the Standard Contractual Clauses approved by the European Commission as the lawful basis for such transfers.

• Account data: retained while your account is active and for 90 days after deletion, after which it is permanently removed (except where retention is required by law).
• Billing records: retained for the period required by Canadian tax and accounting law (currently six years).
• Activation telemetry: retained for 24 months from collection.
• Contact form submissions: retained for 24 months, then deleted.
• Web request logs: retained for 30 days.

Depending on where you live, you may have the following rights concerning your personal information:

• The right to access the information we hold about you;
• The right to correct information that is inaccurate;
• The right to delete your information (subject to certain legal retention requirements);
• The right to restrict or object to certain processing;
• The right to data portability (to receive your data in a structured, machine-readable format);
• The right to withdraw consent at any time;
• The right to lodge a complaint with a supervisory authority (such as the Office of the Privacy Commissioner of Canada, the UK ICO, or your local EU data protection authority).

To exercise any of these rights, contact privacy@browserroster.com. We will respond within 30 days.

We use industry-standard measures to protect personal information, including encryption in transit (TLS), encryption at rest for sensitive fields, role-based access controls, audit logging, and regular security reviews. No system can guarantee absolute security; if a breach affecting your personal data occurs, we will notify you and any required authority within the time frames mandated by applicable law.

The Service is not directed to anyone under 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children. If we learn that we have collected such information, we will delete it promptly.

We use only strictly necessary cookies: an httpOnly session cookie set by Supabase Auth for authenticated users, and Vercel’s load-balancing cookie. We do not use advertising, analytics tracking, or behavioural cookies, and we do not load any third-party fingerprinting or telemetry scripts.

We may update this Privacy Policy from time to time. Material changes will be announced by email or in-product notification at least 14 days before they take effect.

Privacy questions, requests, or complaints can be sent to privacy@browserroster.com. Our designated privacy officer is the principal of OARN Services.