Privacy Policy
This Privacy Policy explains how Taosquare Group Limited ("we", "us", or "our") collects, uses, shares, and protects information when you use Autousers (the "Service") at autousers.ai. We aim for plain language; the indented summaries are non-binding plain-English overviews and the numbered text is the operative policy.
Effective 25 April 2026 · Last updated 25 April 2026
1. Who we are
The Service is operated by Taosquare Group Limited, a company incorporated in Hong Kong SAR. Our registered office is 1104 Crawford House, 70 Queens Road Central, Central, Hong Kong. For privacy questions or to exercise your rights, contact us at privacy@autousers.ai.
For the purposes of the EU General Data Protection Regulation (GDPR), the UK GDPR, and equivalent laws, we are the controller of personal data we collect about you when you use the Service. Under the Hong Kong Personal Data (Privacy) Ordinance (PDPO) we are a data user.
2. Information we collect
2.1 Information you provide
- Account information: your name, email address, and (for accounts created via Google) profile image. If you sign in with Google we also receive a stable Google account identifier.
- Profile information: any avatar you choose to upload, plus your team membership and role.
- Evaluation content: designs, prototypes, URLs, task instructions, autouser configurations, dimensions, templates, rubrics, and notes you create or upload to run an evaluation.
- Run artifacts: when an autouser agent executes an evaluation it produces video recordings of the simulated browser session, screenshots, and structured transcripts. These artifacts are stored against the evaluation that produced them.
- Communications: messages you send us via the contact form, support requests, or feedback channels.
2.2 Information collected automatically
- Device and usage data: IP address, browser type, operating system, referring URL, pages viewed, and timestamps. We use this for security, debugging, and aggregate analytics.
- Cookies and similar technologies: see Section 7.
- Diagnostic data: when an error occurs we capture a stack trace, the route or feature involved, and (where unavoidable) minimal contextual data such as your user identifier so we can reproduce the issue.
- Token usage and cost data: each autouser agent run consumes inference tokens from upstream AI providers. We record input/output token counts and estimated cost per run for billing, quotas, and capacity planning.
2.3 Information from third parties
If you sign in with Google we receive your name, email address, profile picture URL, and Google account identifier from Google, subject to your Google account permissions. We do not receive any other Google account data unless you explicitly grant additional scopes.
3. How we use your information
We use your information for the following purposes:
- Service delivery — to provide, maintain, and improve the Service, including authenticating you, running autouser agents you initiate, storing run artifacts, and showing you results.
- Account management — to create and manage your account, your team memberships, and your role-based permissions.
- Communications — to send transactional emails (confirmations, password resets, run notifications), respond to your inquiries, and (with separate opt-in where required) send product updates.
- Security and abuse prevention — to detect and prevent fraud, abuse, security incidents, and policy violations.
- Compliance — to meet legal, regulatory, and contractual obligations.
- Product improvement — to analyse aggregate, de-identified usage patterns so we can prioritise improvements. We do not use your evaluation content, run artifacts, or conversation transcripts to train any AI model — yours or anyone else's.
3.1 Legal bases (EU/UK users)
Where the GDPR or UK GDPR applies we rely on the following legal bases: (a) contract — to provide the Service you signed up for; (b) legitimate interests — to keep the Service secure, debug issues, and improve it (you can object at any time); (c) consent — for optional cookies and any marketing communication; and (d) legal obligation — when we must process data to comply with applicable law.
4. How we share your information
4.1 Sub-processors
We rely on the following sub-processors to operate the Service. Each is bound by data processing terms and contractually limited to using your data to provide their service to us:
| Provider | Purpose | Region |
|---|---|---|
| Vercel Inc. | Application hosting, edge delivery, and serverless compute. | United States (global edge) |
| Supabase Inc. | Authentication, primary database (PostgreSQL), realtime subscriptions, and file storage. | United States (us-west-2 / Oregon) |
| Google LLC (Google Cloud Platform) | Object storage for autouser run artifacts (videos, screenshots, transcripts) and OAuth identity provider. | United States (us-central1) |
| Google LLC (Gemini API) | Large language model inference that powers autouser agents during evaluation runs. | United States |
| Functional Software, Inc. (Sentry) | Application error monitoring and crash reporting. | United States |
| Resend, Inc. | Transactional email delivery (account emails, contact replies). | United States |
4.2 Within your team
Content you create inside a team is visible to other members of that team according to their role. Evaluations marked as shared (via a share link or share ACL) are visible to anyone with the link, subject to the access controls you select.
4.3 Legal disclosures
We may disclose information when we believe in good faith that disclosure is required by applicable law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Taosquare Group Limited, our users, or others.
4.4 Business transfers
If we are involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will notify you (e.g. by email and/or a prominent notice on the Service) before your information becomes subject to a different privacy policy.
4.5 With your consent
We may share your information for any other purpose with your consent.
5. International transfers
Our infrastructure providers are primarily located in the United States. If you access the Service from outside the United States your personal data will be transferred to, stored in, and processed in the United States and other countries where our sub-processors operate. For transfers from the European Economic Area, the United Kingdom, or Switzerland we rely on the European Commission's Standard Contractual Clauses (and the UK Addendum, where applicable) executed with our sub-processors.
6. Data retention
We retain personal data only as long as necessary to:
- provide the Service to you;
- comply with our legal, accounting, or reporting obligations (typically 7 years for billing records);
- resolve disputes and enforce our agreements; and
- maintain the security and integrity of the Service.
When you delete your account, we delete or de-identify your personal data within 30 days, except where we are legally required to retain it. Run artifacts (videos, screenshots, transcripts) older than 365 days may be deleted automatically as part of routine storage management; you can export them at any time before then.
7. Cookies and similar technologies
We use a small number of cookies and similar technologies. None are used for cross-site advertising.
- Strictly necessary: authentication session cookies set by Supabase Auth so you stay signed in. Without these the Service cannot function.
- Diagnostic: Sentry error monitoring uses a first-party tunnel to capture client-side errors. No third-party tracking cookies are set in connection with this.
- Analytics: Vercel Analytics records aggregate page views without setting cross-site tracking cookies.
You can clear cookies through your browser, but doing so will sign you out and may degrade error reporting.
8. Your rights
Depending on where you live you may have the following rights with respect to your personal data:
- Access — request a copy of the personal data we hold about you.
- Rectification — request that we correct inaccurate or incomplete data.
- Erasure — request that we delete your personal data ("right to be forgotten").
- Restriction — request that we restrict processing of your personal data.
- Portability — receive a copy of your data in a structured, commonly used, machine-readable format.
- Objection — object to processing based on our legitimate interests.
- Withdraw consent — where we rely on consent, you can withdraw it at any time.
- Complaint — lodge a complaint with your local data protection authority (e.g. the Office of the Privacy Commissioner for Personal Data in Hong Kong; an EU supervisory authority for EU/EEA residents; the ICO for UK residents).
To exercise any of these rights, email privacy@autousers.ai. We will respond within 30 days. We may need to verify your identity before fulfilling your request.
8.1 California residents
Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), California residents have the rights set out above, and additionally the right to opt out of the "sale" or "sharing" of personal information. We do not sell or share your personal information as those terms are defined under the CCPA/CPRA.
9. Security
We implement administrative, technical, and physical safeguards designed to protect your personal data, including:
- encryption in transit (TLS) and at rest;
- row-level security policies on the database so users can only read their own team's data;
- short-lived federated credentials for cloud storage access (no long-lived service-account keys);
- principle-of-least-privilege access controls for our team and sub-processors;
- error monitoring and incident response procedures.
No system is perfectly secure. If we become aware of a breach affecting your personal data we will notify you and the relevant regulators as required by applicable law.
10. Children's privacy
The Service is not directed to children under the age of 16, and we do not knowingly collect personal data from children under 16. If you believe we have collected such data, please contact us and we will delete it.
11. AI and your evaluation content
Operating an autouser agent requires sending the evaluation instructions, screenshots captured during the run, and the agent's evolving conversation state to a large language model (currently Google Gemini) for inference. These transmissions are encrypted in transit and processed under the terms applicable to Google's Gemini API, which prohibit training on customer inference data.
We do not use your evaluation content, run artifacts, conversation transcripts, or any other customer data to train, fine-tune, or improve our own models or anyone else's.
12. Changes to this policy
We may update this Privacy Policy from time to time. The "Effective" and "Last updated" dates at the top of this page reflect the current version. Material changes will be announced via email and/or a prominent notice on the Service at least 14 days before they take effect (subject to shorter notice periods required by law). Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
13. How to contact us
For privacy questions, requests, or complaints, contact us at:
Taosquare Group Limited
Attn: Privacy
1104 Crawford House
70 Queens Road Central
Central, Hong Kong
Email: privacy@autousers.ai