App Logo

Reduck Privacy Policy

Last Updated: June 10, 2026

Conception AI Inc. ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use Reduck, our AI-powered browser automation platform accessible via Model Context Protocol (MCP).

By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, we recommend that you do not use the Services.

Conception AI Inc., a Delaware corporation, at 2261 Market Street STE 85701, San Francisco, CA 94114 is the data controller responsible for processing personal information under this Privacy Policy.

Let's begin with some information about our Services

Automation Flow (or Flow): any sequence of automated Actions carried out through Reduck on your behalf, whether executed locally on your machine within a dedicated Chromium instance managed by the CLI ("Local Run") or on Reduck-managed infrastructure ("Hosted Run"). A Flow encompasses the exploratory execution performed during a Build, the diagnosis and repair performed during a Fix, and the deterministic execution of a deployed Script during a Run.

Actions: operations, steps, or transactions executed by Automation Flows, including screenshots and content of websites visited.

Incidental Data Subjects: individuals other than Users whose personal data may be incidentally captured through their use of the Services, including when appearing in screenshots or web content processed by the Services.

Input: any data, file, document, or content you provide to the Automation Flows, including natural language prompts, CSV files, scripts, configuration parameters, website credentials, target URLs, and workflow instructions.

Output: results produced by Automation Flows, including downloaded files, extracted data, execution logs, error notifications, and any other results generated by Flow executions.

CLI: the Reduck command-line tool that enables a User to run Flows from their terminal, including initiating Builds and Fixes and triggering Runs, and that launches the dedicated Chromium instance used for Local Runs.

MCP Integration: integration with Model Context Protocol servers that enable Reduck to interact with external services and APIs, or that enable third-party applications and AI agents to access Reduck's capabilities as an MCP server.

Third-Party Agent: any software, AI agent, automation framework, or application that (i) is not developed, owned, or operated by Conception AI, (ii) accesses or interacts with the Services programmatically through the MCP Integration, and (iii) operates under the authorization and responsibility of a User's Account, whether acting on direct user instruction or autonomously within the scope of permissions granted by that User.

Browser Extension: means the software component installed within a User's web browser that is used solely for Account authentication and Device registration.

You, User: any person who uses or accesses the Services.

Information We Collect

Account Information

We collect information you provide directly when you register or use the Services, including name, email address, account credentials, payment method details, and profile information such as company name, job title, and role (admin or user). This data must be collected in order for you to access the services.

Analytics

When you visit Reduck.ai, we collect analytics and behavioral data through PostHog. This includes:

  • Navigation and behavior: pages visited, referral sources, mouse movements, clicks, scrolls, rage clicks, dead clicks, and web performance metrics (Core Web Vitals);
  • Device and browser: browser type and version, operating system, device type, screen and viewport dimensions, and raw user agent string;
  • Geolocation: country, city, region, postal code, timezone, and approximate GPS coordinates, all derived from your IP address at the time of collection. Your IP address itself is not retained;
  • Acquisition data: UTM parameters (source, medium, campaign, content, term) and search engine of origin;
  • Session data: duration, entry and exit URLs, acquisition channel, bounce status, and session recordings;
  • Errors: JavaScript exceptions and Content Security Policy violations, which may contain technical information such as stack traces.

We will ask for your consent before collecting this data through a cookie banner. You may withdraw your consent at any time via your account settings or by contacting [email protected].

Automation Data

When you use the Services and execute Flows, we collect and process data related to your automation activities and their execution. This includes screenshots and visual content captured from your browser (such as website content, personal information visible on screen, data from browser tabs and windows, notifications, and pop-ups), as well as data processed through the platform, Flows you execute, websites you automate, natural language prompts and commands, performance metrics, MCP Integration data, data transmitted by Third-Party Agents acting on your behalf. We do not store your website credentials on our servers; where a Flow requires authentication, the necessary cookies are injected from your local browser at execution time and are not persisted by us.

When you access our Services through MCP Integration, we additionally collect MCP session events, including tool calls and responses, resource reads, prompt accesses, execution duration, error status, and client context provided by the calling agent.

We also collect AI and LLM observability data, including input prompts, generated responses, model used, estimated cost, and token consumption. Prompts and LLM responses may contain personal data if you include such information in your requests. You are responsible for ensuring that any personal data included in prompts complies with applicable law.

Usage Information

When you are using our Services, we automatically collect log data (IP address, browser type, pages visited, time spent), device information (type, operating system, browser version), location derived from IP address, usage patterns and preferences, and Flow execution history, success rates, and error logs.

Cookies

We use cookies only for essential Services functionality (authentication, security). We do not use tracking cookies.

Sensitive data

Our service is not designed to process sensitive data and distinguish from any other personal data as part of Automation Flows. Accordingly, Automation Flows may incidentally process sensitive data, depending on the content visible in your browser during execution. Sensitive data typically includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data, sex life or sexual orientation, as well as genetic and biometric data, and may also include highly confidential personal or business information. You are responsible for ensuring that the use of the Services does not involve the processing of such sensitive data. If you wish to automate tasks that may involve sensitive data, please contact us at [email protected] to assess appropriate arrangements.

How We Use Your Information

Service Provision

Execute your Automation Flows, process transactions, manage your account, and provide customer support particularly by debugging issues and optimizing Automation Flows. It also includes the communication of technical notices, updates, security alerts and the monitoring of threats.

Lawful Basis: Our contract with you.
Concerned data: Account Information, Automation Data (including MCP session events and AI/LLM observability data), Usage Information.

Our Services require the installation of an MCP on your device in order to function. We will ask for your consent to perform this installation. You may withdraw your consent at any time.

This includes in particular the processing of MCP session events to execute and monitor integrations, and AI/LLM observability data (including input prompts and generated responses) to ensure reliability and debug issues. Note that prompts may contain personal data submitted by you; such data is processed solely to deliver the requested service and is not used for any other purpose.

Similarly, we may install cookies on your device for specific purposes such as authentication and security, for which we have a legitimate interest to do so.

Services Improvement

Analyze usage patterns, develop new features and use cases, and conduct research to improve our technology.

Lawful Basis: We have a legitimate interest in ensuring that Automation Flows remain functional and reliable in very diverse web environments. Because websites frequently update their structure, content, and authentication mechanisms, processing Automation Data is necessary to detect where Automation Flows fail, understand why, and adapt the underlying systems and selectors.
Concerned data: Account Information, Automation Data, Usage Information.

Website analytics

When you visit Reduck.ai, we collect analytics and behavioral data through PostHog. This includes page views, referral sources, approximate geographic location, mouse movements, clicks, scrolls, and session recordings. This data helps us understand how visitors interact with our website in order to improve its design and content. We will ask for your consent before collecting this data through a cookie banner. You may withdraw your consent at any time.

Lawful Basis: Your consent.
Concerned data: Analytics, Usage Information.

Marketing

Personalize your experience and send promotional communications if you have opted in or if you have not opted out when you already use our services.

Lawful Basis: We have a legitimate interest in sending you our latest commercial offers. When consent is necessary for marketing, we rely on your consent to do so. You may opt-out at any time through the dedicated link included in each communication.
Concerned data: Usage Information, Account Information.

Data privacy compliance and compliance with authorities' request

Manage requests from individuals to exercise their rights and comply with our legal obligations in case of authorities' request.

Lawful Basis: Our legal obligations.
Concerned data: potentially any kind of data.

No Sale or Sharing of Personal Data. We do not sell your personal data. We do not disclose, rent, or otherwise make your personal data available to third parties in exchange for monetary consideration or for their own independent marketing or commercial purposes. Any sharing of personal data is limited to what is necessary to provide the Services, comply with legal obligations, or operate our business as described in this Privacy Policy.

Information Sharing and Disclosure

When a Third-Party Agent accesses the Services on your behalf via the MCP Integration, we process the data transmitted by that agent in accordance with this Privacy Policy. We are not responsible for the data collection practices or terms of service of Third-Party Agents. You are responsible for reviewing and agreeing to the privacy policies of any Third-Party Agent you use with the Services.

On our side, your data is only transmitted to trusted partners who are strictly authorized to process it, as detailed below. These recipients are bound by strict confidentiality obligations:

  • Our subsidiaries and affiliates
  • Our service providers such as:
    • Hosting providers
    • Payment service providers
    • AI model providers
    • Communication service providers (e-mail/text message)
    • Analytics providers (PostHog)

We may also communicate your data to public authorities and bodies to whom we must communicate some of your personal data to comply with legal obligations, to protect our rights or those of third parties, or to any potential or actual purchaser of our assets and business.

Data Retention

We retain personal information only as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.

  • Account Information is retained while your account is active. We consider your account to be inactive two years after your last login and will delete your account.
  • Analytics data does not contain any information that could personally identify you and is provided solely in aggregate form.
  • Product telemetry generated through your use of the Services, including MCP session events and AI/LLM observability data (such as input prompts and generated responses), forms part of your Automation Data and is retained for up to the life of your account, after which it is deleted or anonymized. We may retain anonymized or aggregated telemetry for longer to maintain and improve the Services.
  • Automation Data is stored for as long as you have an account with us, so that you can access your Flows. Downloaded files and Outputs are not retained on our servers unless you explicitly choose to store them.
  • Usage Information is aggregated and anonymized ninety (90) days after collection.

Apart from these general cases, specific situations require us to maintain data for longer periods:

  • Billing information must sometimes be retained for several years due to national accounting laws in the countries where we operate.
  • In the event of a pre-litigation or litigation dispute with you, we will retain all necessary data until all possible legal remedies have been exhausted.

Your Rights and Choices

Access and Update

You can access and update certain account information through your account settings.

Data Subject Rights

Depending on your location and applicable law, you may have the right to: request access to and a copy of your personal information, request correction of inaccurate or incomplete data, request deletion of your personal information, request restriction of processing, request data portability, object to processing for certain purposes, withdraw consent where processing is based on consent. You may withdraw consent at any time via your Account settings or by contacting [email protected], and file a complaint with your local data protection authority.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days and may verify your identity before responding.

Incidental Data Subjects

Reduck does not intentionally collect personal data relating to individuals other than its users. However, depending on the specific use cases defined and executed by users, personal data of third-party individuals may be incidentally captured (for example, through screenshots or automated interactions with web content). Such collection is neither deliberate nor targeted by Reduck and results solely from the actions and instructions of users. Reduck does not create or maintain any independent database of such third-party individuals. If an individual becomes aware that their personal data may have been processed in this context, they may contact us at any time at [email protected]. In all cases, such data is processed only transiently and will be deleted together with the data of the user whose activities led to its incidental collection, in accordance with our retention policies.

California Privacy Rights (CCPA)

California residents have the right to know what personal information is collected, used, shared, or sold; the right to delete personal information held by us; the right to opt out of the sale of personal information (note: we do not sell personal information); and the right to non-discrimination for exercising privacy rights.

Children's Privacy

The Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected such information without parental consent, we will delete it promptly. If you believe we have information from a child under 18, please contact us at [email protected].

International Data Transfers

We are based in the United States. Information we collect may be transferred to, processed, stored, and used in the United States and other jurisdictions. When we engage in cross-border data transfers, we ensure appropriate safeguards are in place to comply with applicable data protection laws.

If you are an EU resident we undertake to ensure an adequate level of protection for your data, in particular by signing standard contractual clauses with our service providers. You can contact us to obtain a copy of these protections.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time by posting the revised version on this page and updating the "Last Updated" date. For material changes that significantly impact your rights or how we process your data, we will provide at least 30 days' notice via email or a notice within the Services. Your continued use of the Services after changes take effect constitutes acceptance of the revised Privacy Policy.