Privacy Policy

This policy explains what data Web Tutorial AI collects, why we collect it, and how it is handled. We believe in being straightforward about our practices.

Last updated: March 8, 2026

Quick Summary

  • Privacy-First Architecture: Page content and AI questions are sent directly from your browser to your chosen AI provider (e.g., Google Gemini, OpenRouter, Perplexity) using your own API key. Our servers never see, receive, or store your page content, questions, or AI responses.
  • User-Triggered Processing Only: Page content is only extracted when you submit a chat prompt — your question is the explicit trigger. The extension never passively scans or reads pages in the background.
  • Local Storage: Your chat history, API keys (encrypted with AES-GCM), and AI responses are stored locally in your browser and never leave your device.
  • Limited Server Data: We only collect your email (via Google Sign-In), a device ID, and a device fingerprint to manage your subscription and session limits.
  • No Data Sales: We do not run advertising trackers, use third-party analytics SDKs, or sell your data to anyone.

1. What We Collect

Data Collected Automatically

When you install and use the extension, the following data is collected automatically:

  • Email address — collected via Google Sign-In when you authenticate
  • Persistent device ID — a UUID generated and stored in chrome.storage.local. This ID persists across browser sessions and reinstalls. It is sent to our server for session management and authentication recovery.
  • Device fingerprint — a randomly generated unique identifier (UUID) stored in Firestore alongside your userId, createdAt timestamp, lastSeen timestamp, and userAgent. Used for device verification and abuse prevention.
  • IP address — logged in Firestore as part of your session record
  • User agent — your browser identifier, logged in Firestore session records
  • Session activity — a heartbeat is sent approximately every 30 seconds while the extension is active, tracking total usage time, heartbeat count, and last activity timestamp (no page content, URLs, or browsing data is included in this heartbeat)
  • Subscription status — your plan type and status, stored in Firebase and managed via Stripe

Data Collected on User Action

The following data is only collected when you take a specific action:

  • Page content — when you ask a question, the content of the current page is sent directly from your browser to your chosen AI provider using your own API key. The AI reads the page content to understand what you are viewing. No URL is transmitted. Our server never receives this data.
  • AI questions — your questions are sent directly from the extension to your chosen AI provider using your own API key. Our server never receives this data.
  • Text-to-speech content — when you use the TTS feature, text is sent directly from the extension to your chosen TTS provider (ElevenLabs or Google Cloud Text-to-Speech) using your own API key. Our server never receives this data.
  • Research queries — when you use research tools (Semantic Scholar, ArXiv, PatentsView, Google Patents, OpenFDA, spam checker), your search queries are routed through our server as a stateless proxy. No query content is stored.
  • Web search queries — when you use web search (Brave, Perplexity, Serper, or Exa), queries are sent directly from your browser to the search provider using your own API key.
  • Feedback — when you use the feedback feature, we collect your rating, message, name (optional), email, the page URL, extension version, user agent, subscription status, newsletter opt-in preference, and prompt guide opt-in preference. Feedback is stored in Firestore.

What We Do NOT Collect

  • No browsing history or list of sites you visit
  • No persistent conversation logs on our servers (AI interactions are per-request only)
  • No advertising or marketing trackers
  • No third-party analytics SDKs (e.g., Google Analytics)

How Page Reading Works: The extension can read the content of any page you visit, but it only does so when you submit a chat prompt — your question serves as the explicit trigger. Page content is never passively scanned, collected, or transmitted in the background. When you submit a question, the page content is extracted and sent directly from the extension to your chosen AI provider using your own API key — our server never receives it. To minimize redundant processing, extracted content is cached locally for up to 5 minutes and automatically cleared when you navigate away or close the tab.

Rate Limiting: Per-user rate limits are enforced on server-routed API endpoints to prevent abuse. Rate limit status is communicated via standard X-RateLimit response headers. No personal content is stored as part of rate limiting.

2. How We Use Your Data

Data | Purpose
--- | ---
Email address | Account authentication, linking your subscription, responding to feedback
Persistent device ID | Session management, enforcing per-device limits, authentication recovery, abuse prevention
Device fingerprint | Device verification, detecting multi-account abuse, enforcing session limits across devices
IP address & user agent | Session record keeping, security monitoring, abuse prevention
Session activity (heartbeat) | Enforcing usage-time limits per subscription tier, detecting inactive sessions
Subscription status | Determining access level (free trial, limited, premium), processing payments
Page content, URL & AI questions | Generating AI responses to your questions. Sent directly from the extension to your chosen AI provider using your own API key — our server never receives this data
Feedback | Improving the extension, fixing reported issues

3. Third-Party Services

We rely on the following third-party services to operate Web Tutorial AI. Each service receives only the data necessary for its function.

How Data Flows to Third-Party Services

Web Tutorial AI connects to third-party services in two ways:

  • Direct from browser (your API key): The extension calls the service directly from your browser using your own API key. Our server is never involved. We have zero access to your account, usage, or billing with these services. Examples: Google Gemini, OpenRouter, Serper, Exa, ElevenLabs, Perplexity, Brave Search.
  • Server-routed proxy (stateless pass-through): Your query is sent to our server, which forwards it to the third-party service and returns the result. No query content is stored on our server — it acts as a stateless proxy. Examples: Semantic Scholar, ArXiv, PatentsView, Apify, OpenFDA, Postmark SpamAssassin, MCP documentation servers.

Infrastructure & Payments

Google Firebase

Used for: Authentication (Google Sign-In), Firestore database (session records, feedback, subscription data, device fingerprints)

Data received: Email address, device ID, device fingerprint, IP address, user agent, session activity, subscription status, feedback

Firebase Privacy Policy

Stripe

Used for: Subscription billing and payment processing

Data received: Email address, payment information (handled directly by Stripe)

Stripe Privacy Policy

AI Providers (Direct from Browser)

Google Gemini API

Used for: Primary AI-powered question answering and content analysis

Data received: Page content, page URL, and your questions, sent per-request

Connection: The extension connects directly to the Google Gemini API from your browser using your own API key. Our server is not involved in this data flow and never receives your page content or questions. Because you provide your own API key, we (the developer) have zero access to your Google AI account, usage logs, or billing.

Google Privacy Policy

OpenRouter

Used for: AI-powered question answering (alternative provider)

Data received: Page content, page URL, and your questions, sent per-request

Connection: The extension connects directly to OpenRouter from your browser using your own API key. Our server is not involved in this data flow and never receives your page content or questions. Because you provide your own API key, we (the developer) have zero access to your OpenRouter account, usage logs, or billing. Your use of OpenRouter is subject to OpenRouter's own privacy policy.

OpenRouter Privacy Policy

Anthropic Claude API (via OpenRouter)

Used for: AI-powered question answering (when Claude model is selected via OpenRouter)

Data received: Page content, page URL, and your questions, routed through OpenRouter

Connection: When you select a Claude model, requests are sent directly from your browser to OpenRouter, which routes them to Anthropic's Claude API. Our server is not involved. Your use is subject to both OpenRouter's and Anthropic's privacy policies.

Anthropic Privacy Policy

Web Search Providers (Direct from Browser)

Brave Search

Used for: Web search (when you enable Brave as your search provider)

Data received: Your search queries, sent per-request only when Web Search is enabled for a specific prompt

Connection: The extension connects directly to the Brave Search API from your browser using your own API key. Our server is not involved in this data flow.

Brave Privacy Policy

Perplexity

Used for: AI-powered web search (when you enable Perplexity as your search provider)

Data received: Your search queries, sent per-request only when Web Search is enabled for a specific prompt

Connection: The extension connects directly to Perplexity from your browser using your own API key. Our server is not involved in this data flow.

Perplexity Privacy Policy

Serper.dev

Used for: Google search results (when you enable Serper as your search provider)

Data received: Your search queries, sent per-request

Connection: The extension connects directly to Serper.dev from your browser using your own API key. Our server is not involved in this data flow.

Serper Privacy Policy

Exa.ai

Used for: Semantic search (when you enable Exa as your search provider)

Data received: Your search queries, sent per-request

Connection: The extension connects directly to Exa.ai from your browser using your own API key. Our server is not involved in this data flow.

Exa Privacy Policy

Text-to-Speech Providers (Direct from Browser)

ElevenLabs

Used for: Text-to-speech (when you use the TTS feature)

Data received: Text content to be spoken aloud

Connection: The extension connects directly to ElevenLabs from your browser using your own API key. Our server is not involved in this data flow.

ElevenLabs Privacy Policy

Google Cloud Text-to-Speech

Used for: Text-to-speech (when you select Google Cloud TTS as your TTS provider)

Data received: Text content to be spoken aloud, voice selection, speaking rate, and pitch settings

Connection: The extension connects directly to Google's Text-to-Speech API from your browser using your own API key. Our server is not involved in this data flow.

Google Privacy Policy

Chrome Built-in Text-to-Speech

Used for: Text-to-speech using Chrome's native TTS engine (when you select Chrome as your TTS provider)

Data received: Text content to be spoken aloud, processed locally by the browser

Connection: Chrome's built-in TTS runs entirely on your device. No data is sent to any external server. No API key is required.

Research Tools (Server-Routed Proxy)

Semantic Scholar

Used for: Academic paper search and citation data

Data received: Your search queries (paper titles, authors, keywords)

Connection: Queries are routed through our server as a stateless proxy. No query content is stored on our server.

Semantic Scholar Privacy Policy

ArXiv

Used for: Preprint paper search

Data received: Your search queries (paper titles, authors, keywords)

Connection: Queries are routed through our server as a stateless proxy. No query content is stored on our server.

ArXiv Privacy Policy

PatentsView (USPTO)

Used for: US patent search via the USPTO PatentsView API

Data received: Your patent search queries (keywords, patent numbers, assignee names)

Connection: Queries are routed through our server as a stateless proxy. No query content is stored on our server.

PatentsView About

Apify (Google Patents & Trademark Search)

Used for: Google Patents search across 100+ patent offices and trademark search

Data received: Your patent/trademark search queries

Connection: Queries are routed through our server as a stateless proxy to Apify's cloud actors. No query content is stored on our server.

Apify Privacy Policy

OpenFDA

Used for: FDA drug, device, and food safety data lookup

Data received: Your FDA search queries (drug names, device types, food categories)

Connection: Queries are routed through our server as a stateless proxy. No query content is stored on our server.

OpenFDA About

Postmark SpamAssassin

Used for: Email spam analysis (when you use the spam checker feature)

Data received: Email content you submit for spam analysis

Connection: Email content is routed through our server as a stateless proxy to Postmark's SpamAssassin API. No email content is stored on our server.

Postmark Privacy Policy

MCP Documentation Servers (Server-Routed Proxy)

MCP Documentation Integration

The extension integrates with specialized documentation servers to provide up-to-date technical information from:

  • AWS Knowledge Base — Amazon Web Services documentation
  • Microsoft Learn — Microsoft Azure and developer documentation
  • Cloudflare Docs — Cloudflare developer documentation
  • Google Developer Knowledge — Google developer documentation
  • FDA Compliance — FDA regulatory documentation

Data received: Query strings only (search terms for documentation lookup)

Connection: Queries are routed through our server as a stateless proxy to the respective MCP documentation servers. No query content is stored on our server.

4. Data Storage & Retention

Stored in Firestore (server-side)

  • Session records — device ID, device fingerprint, IP address, user agent, usage time, heartbeat data. Auto-deleted after 7 days.
  • Daily usage data — aggregated per-user daily usage metrics. Auto-deleted after 60 days.
  • Subscription data — plan type, status, Stripe customer ID. Retained until subscription ends and account is deleted.
  • Feedback — rating, message, email, page URL, extension version, user agent, subscription status. Retained indefinitely until addressed or you request deletion.
  • Authentication data — email address, Firebase user ID. Retained until you delete your account.
  • Device fingerprints — fingerprint hash, userId, createdAt, lastSeen, userAgent. Retained until you delete your account.

Stored locally (your browser only)

  • Device ID — a persistent UUID in chrome.storage.local. Remains until you clear extension data or uninstall.
  • API keys — your Gemini, OpenRouter, Anthropic, Brave Search, Perplexity, Serper, Exa, ElevenLabs, Google Cloud TTS, and Apify API keys are stored in chrome.storage.local or chrome.storage.sync. They are never sent to our server.
  • Chat history — your complete conversation history with the AI is stored locally and never leaves your browser.
  • AI responses — all AI-generated responses are stored locally only.
  • User preferences — theme, TTS voice settings, max tokens, active role, and other settings are stored locally.
  • Authentication tokens — JWT tokens cached in chrome.storage.session for authenticating API requests to our server (session management, rate limiting, and premium verification).

API Key Encryption: Your API keys are encrypted using AES-GCM before being stored locally. Encrypted keys are identified by an enc_ prefix. Keys are decrypted only in memory when needed for API calls and are never sent to our servers in any form.

Never received by our servers

  • Page content — sent directly from the extension to your chosen AI provider; our server never receives it
  • AI questions and responses — sent directly from the extension to your chosen AI provider; our server never receives them
  • API keys — stored locally and sent only to the respective third-party services directly from the extension

Account Deletion

When you delete your account, all associated data in Firestore (session records, subscription data, feedback, device fingerprints) is deleted within 30 days. Stripe retains payment records according to their own retention policy. Local data can be cleared by removing the extension.

5. Data Sharing

We do NOT sell, rent, or share your personal data with third parties for advertising or marketing purposes.

Your data is shared only with the service providers listed in Section 3, and only to the extent necessary for the service to function. Specifically:

Infrastructure

  • Firebase receives authentication, session, and device fingerprint data
  • Stripe receives payment and billing data

Direct from Browser (your API key)

  • Google Gemini receives page content and questions directly from the extension
  • OpenRouter / Anthropic Claude receives page content and questions directly from the extension
  • Brave Search, Perplexity, Serper, Exa receive search queries directly from the extension
  • ElevenLabs, Google Cloud TTS receive text directly from the extension when you use TTS
  • Chrome Built-in TTS processes text-to-speech entirely on your device — no data is sent externally

Server-Routed Proxy (stateless pass-through)

  • Semantic Scholar, ArXiv receive academic search queries via our server proxy
  • PatentsView (USPTO), Apify (Google Patents) receive patent/trademark search queries via our server proxy
  • OpenFDA receives FDA data queries via our server proxy
  • Postmark SpamAssassin receives email content for spam analysis via our server proxy
  • MCP Documentation Servers (AWS, Microsoft, Cloudflare, Google, FDA) receive documentation search queries via our server proxy

We do not use advertising networks, data brokers, or marketing partners.

Legal Requirements

We may disclose information if required by law (e.g., court orders, subpoenas) or to protect the safety of our users or the public.

6. Your Rights

You have the following rights regarding your data:

  • Access — You can request a copy of the data we hold about you.
  • Deletion — You can request that we delete your account and all associated data.
  • Correction — You can update your email address through Google Sign-In.
  • Opt out of feedback — Feedback is voluntary. Simply don't use the feedback feature if you prefer not to share that data.
  • Clear local data — You can clear your device ID and local data at any time by removing or resetting the extension.

To exercise any of these rights, contact us at privacy@webtutorial.ai or use the feedback feature in the extension.

7. Children's Privacy

Web Tutorial AI is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. Google Sign-In requires users to meet Google's minimum age requirements.

If we learn that we have collected personal information from a child under 13, we will promptly delete that information. If you believe a child under 13 has provided us with personal data, please contact us at privacy@webtutorial.ai.

8. Chrome Extension Permissions

The Web Tutorial AI extension requests the following browser permissions. Each permission follows the Principle of Least Privilege — we request only what is strictly necessary for the extension to function.

  • <all_urls> (Content Scripts) — Essential for injecting the chat overlay and extracting text from the page you are viewing. Text extraction is triggered only when you submit a chat prompt. The extension does not passively scan, monitor, or record your browsing activity. Extracted content is cached locally for up to 5 minutes to avoid redundant processing.
  • scripting — Used to dynamically load the content extractor and user interface onto the webpage.
  • storage — Used to securely save your API keys (encrypted with AES-GCM), local chat history, authentication tokens, and personal preferences on your device.
  • tabs — Used to communicate between the background logic and the chat overlay, and to manage tab lifecycle for cache cleanup.
  • tts — Enables the browser's native Text-to-Speech engine to read AI responses aloud upon your request.
  • downloads — Used exclusively to allow you to export and save your local chat history as a text file.
  • Host Permissions — The extension connects to authorized services from your browser:
    • AI providers: Google Gemini API, OpenRouter, Anthropic
    • Search providers: Brave Search, Perplexity, Serper.dev, Exa.ai
    • TTS providers: ElevenLabs, Google Cloud Text-to-Speech
    • Our server & Firebase: Session management, authentication, server-routed research APIs

Each permission is used solely for the functionality described above. We do not use permissions to collect data beyond what is disclosed in this policy.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we do:

  • The updated policy will be posted on this page with a new "Last updated" date.
  • For material changes that expand data collection, we will notify users through the extension or by email.
  • Continued use of the extension after changes constitutes acceptance of the updated policy.

10. Contact Us

If you have questions about this Privacy Policy or want to exercise your privacy rights:

  • Email: privacy@webtutorial.ai
  • In-extension: Use the feedback feature to reach us directly

© 2026 Web Tutorial AI. All rights reserved.