Privacy Policy

Last updated: February 9, 2026

1. Overview

DOSAYGO Corporation ("we," "us") operates the BrowserBox service. This Privacy Policy explains what data we collect, why, and how we protect it. We are committed to minimal data collection — we gather only what is necessary to operate the Service and process payments.

2. Data We Collect

2.1 Account Data

• Email address — provided during purchase, used for API key delivery and billing communications
• API key — generated by us, used to authenticate your requests
• Stripe customer ID — created by Stripe to manage your payment relationship

2.2 Usage Data

• Session metadata — session ID, creation time, duration, region, minutes allocated/consumed
• IP address — hashed and used for rate limiting and geo-routing; raw IPs are not stored
• Cookie identifier — a random token stored in your browser for rate limiting on the free demo tier

2.3 Data We Do NOT Collect

• Browsing activity — we do not log, record, or store the websites you visit, pages you view, or content you interact with inside BrowserBox sessions
• Screenshots or viewport data — viewport frames are streamed directly to your client in real time and are not persisted on our servers
• Form inputs or passwords — input within browser sessions is forwarded to the remote browser and never stored
• Downloaded files — files downloaded within sessions exist only in the ephemeral container and are destroyed on session end

3. How We Use Your Data

• Service operation — to create, manage, and terminate browser sessions
• Billing — to track minute consumption, process payments, and issue refunds
• Rate limiting — to prevent abuse of the free demo tier (IP hash + cookie)
• Geo-routing — to deploy sessions to the nearest cloud region for low latency
• Security — to detect and prevent unauthorized access, fraud, and sanctions violations
• Communication — to send API keys, billing receipts, and critical service notifications. We do not send marketing emails.

4. Third-Party Services

We use the following third-party services that may process your data:

• Stripe, Inc. — payment processing. Stripe receives your email and payment information. See Stripe's Privacy Policy.
• Google Cloud Platform — infrastructure hosting. Browser sessions run on Google Cloud Run. Google processes server-side data under their Data Processing Addendum.

We do not sell, rent, or share your personal data with any other third parties.

5. Data Retention

• Session data — ephemeral. Container and all data are destroyed immediately on session end.
• Account data (email, API key, balance) — retained while your account is active. Deleted within 30 days of account termination upon request.
• Usage records (session IDs, minutes consumed) — retained for 12 months for billing disputes and then deleted.
• IP hashes — rate limit records are automatically purged after 24 hours.

6. Data Security

We implement industry-standard security measures including:

• TLS encryption for all data in transit
• FIPS 140-3 compliant encryption at rest for stored data
• API key authentication with deny-by-default access control
• Ephemeral, isolated containers per session (no shared state between users)
• Regular security audits and vulnerability scanning

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

• Access — request a copy of the personal data we hold about you
• Correction — request correction of inaccurate data
• Deletion — request deletion of your personal data ("right to be forgotten")
• Portability — request your data in a machine-readable format
• Objection — object to processing of your data for certain purposes

To exercise any of these rights, contact privacy@dosaygo.com. We will respond within 30 days.

8. CCPA Notice (California Residents)

Under the California Consumer Privacy Act, California residents have the right to know what personal information is collected, request its deletion, and opt out of its sale. We do not sell personal information. To make a CCPA request, contact privacy@dosaygo.com.

9. GDPR Notice (EEA Residents)

For users in the European Economic Area, our legal basis for processing personal data is:

• Contract performance — processing necessary to provide the Service you purchased
• Legitimate interests — rate limiting, fraud prevention, and infrastructure security

You may lodge a complaint with your local data protection authority if you believe your rights have been violated.

10. Children

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we learn that we have collected data from a child, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated "Last updated" date. Continued use of the Service constitutes acceptance of the revised policy.

12. Contact

DOSAYGO Corporation
Privacy inquiries: privacy@dosaygo.com
General: sales@dosaygo.com
API Support: api@browserbox.io
Web: dosaygo.com