Privacy Policy
Effective: April 25, 2026 · Last updated: April 25, 2026
1. Summary at a Glance
TQ Automator is a Chrome Extension that automates browser workflows. We designed TQ around a simple principle: most of your data never leaves your browser.
- Your workflows, settings, and history live in your browser. We do not run a server that stores them.
- AI features run with your own OpenAI API key. When you use AI, page content (with sensitive data removed) is sent directly from your browser to OpenAI.
- We do not collect data unrelated to running your workflows.
- We use a small number of vendors for our website, payments, and analytics — listed in Section 4.
- You can remove your data at any time using the in-app “Clear All Data” control or by uninstalling the extension.
This Policy explains the details. If you only read one section, read this one.
2. Who We Are
TQ Automator (“TQ”, “we”, “us”, “our”) is a product operated by an individual data controller based in Hungary, in the European Union.
- Product website: https://tqautomator.com
- Privacy contact: privacy@tqautomator.com
- Establishment in the EU: Hungary
The full identification of the data controller is available upon written request to privacy@tqautomator.com and will be provided to data subjects exercising their rights under applicable law and to competent supervisory authorities upon lawful inquiry. If a separate legal entity is registered in the future, we will update this Policy accordingly.
3. What Data We Process
We group the data TQ touches into three buckets.
3.1 Data that stays in your browser (local-only)
The following data is stored on your device and is not transmitted to TQ servers (we do not operate any):
- Workflows — your recorded steps, configurations, and instructions
- Variables — the values you provide when running a workflow
- Execution history — records of your runs and their outcomes
- Settings — your preferences and configuration
- Your OpenAI API key — stored locally; we do not receive or have access to it
- Page snapshots — held only briefly while a step runs (except when sent to OpenAI for AI features, with sensitive data removed first — see Section 3.2.1)
To remove this data from your device, use the in-app “Clear All Data” control or uninstall the extension.
3.2 Data sent to third parties
3.2.1 OpenAI (AI features only — Bring Your Own Key)
When you use AI-powered features, TQ sends a snapshot of the relevant page directly from your browser to OpenAI using your own API key. Before any data leaves your browser:
- Sensitive data is automatically removed from page content. This includes categories such as payment card numbers, contact details, identifiers, and authentication tokens that may appear in URLs.
- The values you fill into workflow variables are not sent to AI. Only the variable names and descriptions you set up are included.
- Protections are applied to reduce the risk of malicious page content manipulating AI requests.
Requests go directly from your browser to OpenAI. TQ does not see, log, or store the request or the response.
About OpenAI's retention. Under OpenAI's standard API Terms, OpenAI may retain API request and response data for up to 30 days for abuse monitoring before automatic deletion. OpenAI does not use API data to train its models by default. Please review OpenAI's Privacy Policy for full details.
The AI model used is the one you select in TQ Settings. When you save an API key, your browser makes a single validation request to OpenAI to confirm the key works; we do not store the response.
3.2.2 LemonSqueezy (payments)
If you purchase a paid plan, payment processing is handled by LemonSqueezy as Merchant of Record (MoR). LemonSqueezy collects payment information (card number, billing address, tax identifiers) directly from you — we never receive or store your payment details.
We receive from LemonSqueezy: your billing email, country (for tax purposes), a license key, and subscription status. This is the minimum needed to entitle your account.
LemonSqueezy is U.S.-based with EU operations; their privacy policy: https://www.lemonsqueezy.com/privacy.
3.2.3 PostHog (product and website analytics)
Our website (tqautomator.com) and the extension use PostHog (EU instance) for pseudonymous usage analytics. We use this to understand which features are used, where workflows fail, and how to prioritize fixes — not to track individuals.
- PostHog is hosted in the European Union, so analytics data does not leave the EU.
- We do not link PostHog data to your identity. The extension uses a randomly generated pseudonymous device identifier; we do not send your email, license key, or OpenAI account information to PostHog.
- What we capture (extension): pseudonymous events related to running workflows, such as run counts, outcomes, and feature usage. We do not include the content of pages you automate or the values you fill into workflows.
- What we capture (website): standard web analytics such as page views and link clicks, loaded only after you accept analytics cookies.
- No data sharing with advertisers today. If we add advertising or marketing analytics in the future (such as Meta or Google Ads), we will update this Policy and ask for your consent before activation.
You can disable analytics at any time via the extension settings and via the cookie banner on our website.
PostHog's privacy details: https://posthog.com/privacy.
3.2.4 Vercel (website hosting)
Our website is hosted on Vercel. When you visit tqautomator.com, Vercel processes standard server-log information (IP address, user agent, request path, timestamp) for the purpose of delivering the website and protecting it against abuse. This information is retained by Vercel under their data processing terms. The Chrome Extension itself does not communicate with Vercel — it runs entirely in your browser.
Vercel's privacy policy: https://vercel.com/legal/privacy-policy.
3.3 Data we do NOT collect
For clarity, TQ does not collect:
- Your browsing history or the websites you visit
- Login credentials, passwords, or website session cookies
- The values you enter into workflows or forms (beyond the brief page snapshots used for AI features, which are scrubbed before leaving your browser)
- Your OpenAI API key (stored locally; we do not have access)
- Telemetry when analytics are disabled
The Chrome Extension does not currently include advertising SDKs, fingerprinting code, or third-party trackers beyond the optional pseudonymous analytics described in Section 3.2.3.
Marketing communications. We do not currently send marketing emails. If you opt in (for example, via a checkbox at checkout) to receive product updates, we will use your email solely for that purpose and you may unsubscribe at any time. Service-related emails (such as billing receipts issued via LemonSqueezy and security notices) are sent on the basis of contractual necessity and cannot be opted out of while you have an active subscription.
4. Sub-Processors
A “sub-processor” is a vendor who handles data on our behalf. The complete current list:
| Sub-processor | Purpose | Region | Data shared |
|---|---|---|---|
| OpenAI | AI features | United States | Page content (sensitive data removed), sent directly from your browser using your own API key |
| LemonSqueezy | Payment processing (Merchant of Record) | United States + EU | Billing email and country (payment details are collected by LemonSqueezy directly; TQ does not receive card data) |
| PostHog | Pseudonymous product and website analytics | European Union | Pseudonymous device identifier and usage events |
| Vercel | Website hosting | Global edge network | Standard web server logs (website only; the extension does not contact Vercel) |
We will update this table when sub-processors change. Material additions will be communicated as described in Section 14.
5. Legal Bases for Processing (GDPR / UK GDPR)
Under the GDPR and UK GDPR, we rely on the following legal bases (Article 6) for processing personal data:
| Processing activity | Legal basis |
|---|---|
| Operating the extension; storing your local data; routing your requests to OpenAI with your own key | Performance of a contract — necessary to deliver the service you signed up for (Art. 6(1)(b)) |
| Pseudonymous product and website analytics (PostHog) | Consent — collected via the cookie banner / Settings toggle (Art. 6(1)(a)) |
| Payment processing (via LemonSqueezy) | Performance of a contract + legal obligation for tax/accounting (Art. 6(1)(b) and (c)) |
| Security and abuse prevention (e.g., rate-limiting, fraud signals from LemonSqueezy) | Legitimate interests — protecting the service and other users (Art. 6(1)(f)) |
| Responding to your support, deletion, or access requests | Legal obligation + legitimate interests (Art. 6(1)(c) and (f)) |
For Special Category Data (Article 9): we do not knowingly process special category data. Please do not include sensitive personal data in workflow variables.
6. Data Retention
| Data | Retention |
|---|---|
| Workflows, variables, history, settings (in your browser) | Until you delete them or uninstall the extension. We have no copy. |
| Pseudonymous analytics events | For a limited period (typically up to 12 months) |
| Billing records | Retained by LemonSqueezy under their terms; for invoicing and tax records, as required by applicable law (typically up to 8 years) |
| Website server logs | Per the hosting provider's standard retention |
| Marketing email subscribers (if you opt in) | Until you unsubscribe |
| Email correspondence | Retained for the duration of the conversation and a reasonable follow-up period |
If you exercise your right to erasure (Section 11), we will delete data we control within 30 days and instruct sub-processors to do the same, except where retention is legally required (e.g., tax records).
7. International Data Transfers
Some of our sub-processors are based in the United States (OpenAI, LemonSqueezy, Vercel). When personal data is transferred from the EU/EEA or UK to a country outside the EEA, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission, or
- The EU–U.S. Data Privacy Framework (DPF) where the sub-processor is certified, or
- An adequacy decision where one applies.
OpenAI, LemonSqueezy, and Vercel all publish their transfer mechanisms in their respective privacy policies. PostHog data does not leave the EU.
8. Cookies and Tracking
8.1 Chrome Extension
The extension uses chrome.storage.local to persist your settings, API key, and the pseudonymous device identifier for analytics (if enabled). It does not set cookies, does not include advertising or fingerprinting code, and does not read cookies from websites you automate.
8.2 Website (tqautomator.com)
The website uses a small number of cookies and similar technologies:
| Category | Purpose | Consent required? |
|---|---|---|
| Strictly necessary | Site functionality and security | No (required for the site to work) |
| Analytics (PostHog) | Pseudonymous usage analytics | Yes — we ask via the cookie banner |
| Advertising / marketing | Not used today. If we add advertising or retargeting cookies in the future (e.g., Meta Pixel, Google Ads), they will be presented in the cookie banner and require your opt-in consent before activation. | Yes — when added |
If you reject analytics cookies, PostHog is not loaded. You can change your choice at any time via the “Cookie preferences” link in the website footer.
9. Chrome Extension Permissions
When you install TQ, Chrome shows the permissions the extension requests. Each permission is used for a specific functional purpose:
| Permission | Why we need it |
|---|---|
| activeTab | Interact with the current tab when you activate TQ |
| scripting | Inject the content script that performs automation |
| storage | Save your settings and API key locally |
| sidePanel | Display the TQ sidebar interface |
| tabGroups | Visually group the automation tab during execution |
| tabs | Open and manage the automation tab on your behalf and detect when navigation completes |
Host access (all websites). TQ requests permission to run on any website (<all_urls>) because workflows can be recorded and replayed on any site you choose. The TQ content script is loaded on websites you visit so that it is ready when you start a workflow on that page. The content script does not collect, store, or transmit page content unless you have explicitly started a workflow on that page; what we do not collect is described in Section 3.3.
We do not request webRequest interception, cookies, or history access, and we do not access pages other than those on which you choose to record or run a workflow.
10. Children's Privacy
TQ is not intended for users under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us at privacy@tqautomator.com and we will delete it.
11. Region-Specific Rights
11.1 European Economic Area (EEA) and United Kingdom (GDPR / UK GDPR)
If you are in the EEA or UK, you have the following rights regarding your personal data:
- Right of access (Article 15) — request a copy of the personal data we hold about you
- Right to rectification (Article 16) — correct inaccurate or incomplete data
- Right to erasure / “right to be forgotten” (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20) — receive your data in a structured, machine-readable format. Workflows can be exported in JSON via the in-app export feature.
- Right to object (Article 21) — including objecting to processing based on legitimate interests
- Rights related to automated decision-making (Article 22) — TQ does not make automated decisions with legal effects on you
- Right to withdraw consent (Article 7) — for any processing based on consent (e.g., analytics)
- Right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) (https://naih.hu). You may also complain to the supervisory authority of your habitual residence, place of work, or place of the alleged infringement.
To exercise any of these rights, email privacy@tqautomator.com. We will respond within 30 days and may ask you to verify your identity.
11.2 California (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you the following rights:
- Right to Know — what categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of third parties we share with
- Right to Delete — request deletion of personal information we have collected
- Right to Correct — request correction of inaccurate personal information
- Right to Opt-Out of Sale or Sharing — we do not currently sell or share your personal information for cross-context behavioral advertising. If this changes (for example, if we enable advertising or retargeting features), we will provide a “Do Not Sell or Share My Personal Information” link in the website footer and update this Policy.
- Right to Limit Use of Sensitive Personal Information — we do not use sensitive personal information for purposes that would trigger this right
- Right to Non-Discrimination — we will not discriminate against you for exercising any of your CCPA rights
Categories of personal information collected in the past 12 months (CPRA disclosure):
- Identifiers (pseudonymous device UUID, billing email if you purchase)
- Commercial information (subscription status, license key)
- Internet or other electronic network activity (pseudonymous usage events on the extension and website)
- Geolocation (country only, for tax purposes — collected by LemonSqueezy)
We do not currently sell or share personal information for cross-context behavioral advertising as defined by the CCPA/CPRA. We have not done so in the past 12 months.
To exercise your CCPA rights, email privacy@tqautomator.com. You may also designate an authorized agent to make a request on your behalf.
11.3 Türkiye (KVKK)
If you are a resident of Türkiye, the Personal Data Protection Law of Türkiye (KVKK, Law No. 6698) applies to your personal data. Our practices under GDPR generally meet or exceed KVKK requirements.
Under KVKK Article 11, you have the right to:
- Learn whether your personal data is being processed
- Request information about the processing
- Learn the purpose of processing and whether the data is used for that purpose
- Know third parties to whom data is transferred (see Section 4)
- Request correction of incomplete or inaccurate data
- Request deletion or destruction of your personal data
- Object to outcomes resulting from automated processing
- Claim compensation for damages from unlawful processing
To exercise your KVKK rights, email privacy@tqautomator.com. We will respond within 30 days.
12. Data Processing Agreements (B2B)
TQ Automator is designed as a tool that runs entirely in your browser; data processing occurs on your device. We generally do not act as a “processor” of your customers' personal data within the meaning of GDPR Article 28, because the data you input into workflow variables stays on your device and is never transmitted to TQ servers.
If you operate TQ on behalf of your own customers and your compliance team requires a Data Processing Agreement, contact us at privacy@tqautomator.com and we will provide a DPA tailored to TQ's architecture.
13. Security
We follow security practices appropriate to the data we handle:
- Local-first design — your workflows and data live on your device, so there is no central database to breach
- Sensitive data is removed before page content is sent to AI services (see Section 3.2.1)
- Workflow values stay private — the values you fill into workflow variables are not shared with AI services
- Human-in-the-Loop controls — supervision controls help you review and intervene in AI-driven actions
- Permissions used only for their stated purpose — see Section 9 for what we request and why
- HTTPS for all network traffic
- A comprehensive security review of the extension was completed in April 2026
No system is 100% secure. If you discover a security issue, please report it to privacy@tqautomator.com.
Personal data breach notification. In the event of a personal data breach affecting personal data we control, we will notify the competent supervisory authority (in our case, the Hungarian National Authority for Data Protection and Freedom of Information, NAIH) without undue delay and, where feasible, within 72 hours of becoming aware of it, in accordance with Article 33 of the GDPR. Where the breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will also notify those individuals without undue delay, in accordance with Article 34. Equivalent obligations apply under the UK GDPR and the KVKK in Türkiye where applicable.
14. Changes to This Policy
We may update this Policy from time to time to reflect changes in our services, practices, legal requirements, or for clarity.
When we update this Policy:
- The “Last updated” date at the top of this page will change
- For material changes (such as new categories of data we process, new purposes, or new sub-processors), we will provide reasonable advance notice through appropriate means before the changes take effect
- Continued use of TQ after the effective date of an update constitutes your acceptance of the updated Policy
The current version of this Policy is always available at https://tqautomator.com/privacy. We encourage you to review it periodically.
15. Contact
Questions, requests, or complaints about this Policy or our data practices:
We commit to responding within 30 days for rights requests under GDPR, CCPA, and KVKK.