Legal
Privacy Policy
Last updated 1 May 2026 · Version 1.0
1. Who we are
Tanvrit Automator is a free, local-first autonomous browser-test agent operated by Tanvrit Pvt. Ltd., 168 Plot No 945, Gayatri Mandir se Purab, New Ariya, Sasaram, Bihar 821115, India. We are the data fiduciary for any data processed through this product under India's Digital Personal Data Protection Act, 2023 (DPDPA).
2. Data Protection Officer
Vivek Singh, Founder, acting as Data Protection Officer until Tanvrit appoints a separate DPO. Reach the DPO at dpo@tanvrit.com. Response within 7 days; resolution within 30 days for any data principal request under DPDPA Section 11.
3. Local-first by default — what stays on your machine
Tanvrit Automator is designed to run entirely on your laptop. The default install ships with Ollama as the LLM backend; the planner model (qwen2.5-coder), embedding model (nomic-embed-text), and vision model (qwen2.5-vl) all execute on your hardware and never reach our servers. The local SQLite trajectory database (~/.automator/automator.db) holds every observation, action, and verification result from your agent runs. It stays on your disk. We do not phone home with its contents. Browser sessions, page screenshots, accessibility tree extracts, and OCR output produced during agent runs are processed locally and persisted only to your machine.
4. Personal data we collect (only when you opt in)
Account (cloud tier only, future): name, email used for sign-in if you ever opt into the upcoming Plus / Team tiers. Telemetry: OFF by default. If you explicitly enable telemetry in Settings, we collect anonymised crash reports, agent-loop step counts, and model latency metrics. No URLs you visited, no DOM contents, no screenshots, no passwords. You can turn this off at any time and revoke previously sent data via dpo@tanvrit.com. Tagged trajectories: only trajectories you explicitly tag and upload (e.g. to share a regression case with us) are transmitted. Untagged trajectories never leave your device. Communications: any message you send to support@automator.tanvrit.com or dpo@tanvrit.com.
5. Lawful basis (DPDPA Section 4 + 7)
Account data — processed under your consent given at signup if and when you opt into a cloud tier (Section 6). Opt-in telemetry — processed under your explicit consent. Opt-in tagged trajectories — processed under your explicit upload action.
6. Sharing and sub-processors
Sub-processor list is intentionally short because Tanvrit Automator is local-first. Cloudflare — CDN and TLS termination for the public surface (automator.tanvrit.com) and for downloading installers; receives only your IP address during download. GitHub — distributes installer binaries via GitHub Releases until Mac App Store / Microsoft Store listings exist. Anthropic / OpenAI / Gemini / Groq / DeepSeek / Mistral — only receive prompts if you explicitly set the relevant API key environment variable AND set AUTOMATOR_LLM_PROVIDER to use them. Default is ollama with no cloud calls. When opted in, the provider you chose receives the prompt content per their terms. Cloud-tier (future) sub-processors — to be disclosed before any cloud feature ships; current code path makes zero cloud calls. We do not sell data and do not share your data for advertising.
7. Data principal rights (DPDPA Section 11)
Because the free / local tier stores nothing on our servers, most rights resolve at the OS level by deleting ~/.automator/. For account-tier or telemetry-tier data: Access — request a copy of all data we hold about you. Email dpo@tanvrit.com from your registered email. Correction — request correction of inaccurate or outdated data. Erasure — request deletion of your account and personal data. Grievance redressal — escalate to the Data Protection Board of India under DPDPA Section 28 if a request is not resolved within 30 days. Nominate — appoint another person to exercise your rights in case of death or incapacity (Section 14).
8. Children's data
Tanvrit Automator is a developer tool intended for adults building software. We do not knowingly collect data from users under 18. If you believe a minor has signed up to a cloud tier, email dpo@tanvrit.com and we will delete the account within 72 hours.
9. Security
Local-first architecture means there is little server-side surface to harden — your trajectory data is protected by your OS file permissions. For the public download surface: TLS 1.3 in transit via Cloudflare; signed installers (Apple Developer ID notarised on macOS, Authenticode on Windows). Cloud-tier endpoints, when shipped, will use JWT authentication with mutex-protected token refresh and AES-256-GCM field-level encryption on PII. We do not currently claim ISO 27001 or SOC 2 certification.
10. Breach notification (72-hour clock)
In the event of a personal data breach affecting any cloud-tier or telemetry data, we will notify the Data Protection Board of India within 72 hours of detection per DPDPA Section 8(6), and notify each affected data principal of the nature of the breach, the categories of data involved, and the steps we have taken in response.
11. Retention
Local trajectory database — retained on your machine until you delete it. We never retain a copy. Opt-in telemetry — 90 days, then automatically purged. Opt-in tagged trajectory uploads — retained until you request deletion or 365 days, whichever comes first. Financial records (cloud tier, future) — 7 years per Indian Income Tax Act § 44AA and GST Act § 35(1).
12. Cookies and local storage
The marketing site at automator.tanvrit.com sets no advertising cookies. We do not run a Cookie Consent banner because the only cookies we set are essential (TLS session, anti-CSRF). The desktop app does not interact with our servers in the default configuration.
13. Updates to this policy
We will publish material policy changes at least 30 days before they take effect. Non-material clarifications may be applied with the Last Updated date below being the only signal.
14. Contact and grievance redressal
Data Protection Officer — dpo@tanvrit.com. Postal — Tanvrit Pvt. Ltd., 168 Plot No 945, Gayatri Mandir se Purab, New Ariya, Sasaram, Bihar 821115, India. Escalation to the Data Protection Board of India per DPDPA Section 28 if a request is not resolved within 30 days.