Privacy Policy

Last updated: April 5, 2026

1. Introduction and Data Controller

BabelWrap ("we", "us", "our") operates the BabelWrap API, MCP server, website, dashboard, and related services (collectively, the "Service") at babelwrap.com.

This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and what rights you have regarding your data.

Data controller:
BabelWrap
Rua Visconde Seabra, nº27, Alvalade, Lisbon, Portugal
founders@babelwrap.com

2. Data We Collect

2.1 Account Data

  • Email address — provided at registration, used for account identification and communication.
  • Password — stored exclusively as a bcrypt hash. We never store or have access to your plaintext password.
  • Account metadata — creation date, plan type (free or usage-based), account status.

2.2 Payment Data

  • Payment processing is handled entirely by Stripe, our third-party payment processor.
  • We store only your Stripe customer ID and Stripe subscription ID — references that link your BabelWrap account to your Stripe billing profile.
  • We do not store credit card numbers, CVVs, bank account details, or any other full payment credentials on our servers.

2.3 API Key Data

  • API keys are stored as SHA-256 hashes. We cannot recover or view your original API key after creation.
  • We store: key name, creation date, last used date, and active/inactive status.

2.4 Session and Action Data

When you use the Service, we log data about your sessions and actions for billing, debugging, security, and service improvement:

  • Session metadata: creation time, last active time, expiration time, status, current URL, custom metadata labels you provide.
  • Action logs: for each API call — action type (e.g., navigate, click, fill, extract), input parameters, output data, duration, success/failure status, error messages, and timestamps.
  • URLs of websites visited through the Service.

2.5 Usage and Billing Data

  • Monthly action counts, daily usage breakdowns, and billing-related usage records.

2.6 Site Mapping Data

  • Domains and URLs submitted for site mapping.
  • Generated site models (tools, recipes, page structures) — note that site models contributed to the public catalog are anonymized and not linked to your account.

3. How We Use Your Data

We use the data we collect for the following purposes:

  • Providing the Service: executing browser actions, resolving natural language instructions, extracting data, managing sessions.
  • Billing and payments: tracking usage, processing charges through Stripe, enforcing plan limits, sending billing alerts.
  • Security and abuse prevention: detecting unauthorized access, enforcing rate limits, investigating violations of our Terms of Service and Acceptable Use Policy.
  • Debugging and reliability: diagnosing errors, monitoring performance, improving service reliability.
  • Communication: sending account-related notifications such as billing alerts, spending cap warnings, and important service updates.
  • Legal compliance: fulfilling legal obligations, responding to lawful requests from authorities.

If you are located in the European Economic Area (EEA), UK, or another jurisdiction that requires a legal basis for processing, we rely on the following:

  • Performance of a contract (Article 6(1)(b) GDPR): processing necessary to provide the Service you signed up for, including account management, action execution, and billing.
  • Legitimate interests (Article 6(1)(f) GDPR): security, fraud and abuse prevention, service debugging and improvement, and enforcing our Terms. Our legitimate interests do not override your fundamental rights and freedoms.
  • Legal obligation (Article 6(1)(c) GDPR): tax and accounting record-keeping, responding to lawful data access requests from competent authorities.

5. Third-Party Data Sharing

5.1 Anthropic (AI Provider)

As part of normal Service operation, content from third-party websites you access through BabelWrap is transmitted to Anthropic's Claude API for:

  • Element resolution: matching your natural language instructions (e.g., "click the Login button") to actual page elements.
  • Data extraction: parsing and structuring information from web pages based on your queries.

This data is sent to Anthropic for inference (processing) only, not for model training. Anthropic's handling of this data is governed by Anthropic's privacy policy and their commercial API data usage terms.

5.2 Stripe (Payment Processor)

We share the following with Stripe to process payments:

  • Your email address and billing information.
  • Transaction amounts and subscription status.
  • Usage meter events for metered billing.

Stripe's handling of your data is governed by Stripe's privacy policy. Stripe is PCI-DSS Level 1 certified.

5.3 Infrastructure Providers

We use cloud hosting and infrastructure services to operate the Service. These providers may process data as sub-processors in accordance with our data processing agreements with them.

5.4 What We Do Not Do

  • We do not sell your personal data to third parties.
  • We do not share your data with advertisers.
  • We do not use your data to train AI models.
  • We do not share your data with any parties other than those described in this section, except as required by law.

6. Data Retention

  • Account data: retained while your account is active. Upon account deletion, your personal data is permanently deleted within 30 days.
  • Action and session logs: retained for up to 90 days for active accounts for debugging and support purposes, then automatically purged. Logs are deleted upon account deletion.
  • Billing and financial records: retained for as long as required by applicable tax and accounting laws (typically up to 7 years) even after account deletion.
  • Site mapping data: site models contributed to the public catalog are retained indefinitely in anonymized form (not linked to your account).

7. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Passwords are hashed using bcrypt with salting.
  • API keys are hashed using SHA-256; plaintext keys are displayed only once at creation and are never stored.
  • All data is transmitted over HTTPS/TLS encryption.
  • Database access is restricted to application servers with authenticated connections.
  • Payment card data is handled entirely by Stripe (PCI-DSS Level 1 compliant) and never touches our servers.

While we take reasonable precautions to protect your data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

8. Your Rights

8.1 All Users

  • Access: request a copy of the personal data we hold about you.
  • Correction: update your email address or password through the dashboard.
  • Deletion: delete your account and all associated personal data through the dashboard or by contacting us.

8.2 EU/EEA Residents (GDPR)

If you are located in the EU or EEA, you have the following additional rights under the General Data Protection Regulation:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure / right to be forgotten (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object to processing (Article 21)
  • Right to lodge a complaint with a supervisory authority. The Portuguese supervisory authority is the CNPD (Comissão Nacional de Proteção de Dados).

8.3 California Residents (CCPA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

  • Right to know what personal information is collected, used, and disclosed.
  • Right to delete personal information.
  • Right to opt-out of the sale of personal information. We do not sell personal information.
  • Right to non-discrimination for exercising your privacy rights.

8.4 Exercising Your Rights

To exercise any of these rights, contact us at founders@babelwrap.com. We will respond to verified requests within the timeframes required by applicable law (typically 30 days for GDPR, 45 days for CCPA).

9. International Data Transfers

Your data may be processed in countries outside your country of residence, including countries that may not provide the same level of data protection. In particular:

  • Anthropic (our AI provider) is based in the United States. Page content processed for element resolution and data extraction is transmitted to their US-based infrastructure.
  • Stripe (our payment processor) processes payment data globally.

For transfers of personal data from the EU/EEA to countries without an adequate level of protection, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission.

10. Cookies

  • Session cookies: We use essential session cookies for dashboard authentication. These are strictly necessary for the Service to function and cannot be disabled.
  • No tracking cookies: We do not use third-party tracking cookies, advertising cookies, or analytics cookies.

11. Children's Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us at founders@babelwrap.com and we will take steps to delete such data.

12. Third-Party Website Data

This is an important section regarding data you extract from third-party websites.

  • When you use BabelWrap to interact with third-party websites, the Service processes content from those websites on your behalf.
  • You are the data controller for any personal data you extract from third-party websites through the Service. BabelWrap acts as a data processor on your behalf for such data, processing it solely to provide the Service as instructed by you.
  • You are solely responsible for ensuring that your collection and processing of personal data from third-party websites complies with all applicable privacy and data protection laws, including obtaining any necessary consents or legal bases.
  • BabelWrap does not independently use, retain, or share content extracted from third-party websites beyond what is necessary to provide the Service (action logging for billing and debugging, as described in this policy).

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. We will notify you of material changes by posting the updated policy on our website and, where practicable, by sending notice to the email address associated with your account.

Your continued use of the Service after the effective date of any changes constitutes acceptance of the updated Privacy Policy.

14. Contact

If you have questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle your data, please contact us:

BabelWrap
Rua Visconde Seabra, nº27, Alvalade, Lisbon, Portugal
Email: founders@babelwrap.com