How Fabrica handles your data.
Effective May 2, 2026
Fabrica is a Chrome browser extension that performs tasks on the websites you already use. The agent runs in your browser, on the tabs you open. We tried to design Fabrica so that the answer to “where is my data?” is almost always: still on your machine.
This Privacy Policy explains what we collect, why, how long we keep it, and the rights you have under the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and comparable laws.
Who we are
The data controller is Ærxus, a French société par actions simplifiée registered with the Paris Trade and Companies Registry under SIREN 994 593 184, with a registered office at 60 rue François 1er, 75008 Paris, France. You can reach us at jonahhaddadmeerson@gmail.com.
We have not appointed a Data Protection Officer because we do not meet the GDPR criteria for mandatory designation (article 37). The privacy contact above is the primary point of contact for any request.
What we collect
Stored locally on your device
The following data lives in your browser’s extension storage and never leaves your machine unless you explicitly export it:
- Skills — the markdown files describing the click sequences Fabien knows for a given site. You can read, edit, and delete them at any time.
- Task history — the prompts you give Fabien and the high-level steps he took, used so you can replay and audit past tasks.
- Preferences — extension settings, theme, and keyboard shortcuts.
Sent to our backend
To turn a natural-language prompt into a plan of clicks, the extension sends the following to our Cloudflare Worker:
- The text of the prompt you typed and the URL of the active tab.
- A compact, structured representation of the visible page (the DOM accessibility tree, stripped of free-form text content where possible) — this is what allows Fabien to locate the right buttons.
- The Fabrica installation ID — a random UUID generated on first launch, used for rate-limiting and abuse prevention. It is not linked to your real identity.
The Worker forwards the prompt and the page representation to our language-model provider (see “Subprocessors” below) and returns a plan. Neither the Worker nor the model retains the request beyond the time needed to answer.
Automatically logged
Cloudflare logs the IP address, user agent, and timestamp of each request for security purposes (DDoS protection, rate limiting, fraud prevention). These logs are retained for 30 days and then deleted.
What we do not collect
- No accounts, no passwords. Fabrica does not require sign-up.
- No analytics on your tasks. We do not track which sites you visit, which prompts you run, or how often.
- No cross-site tracking, no advertising IDs, no third-party cookies.
- No selling, no sharing for ads. We do not sell your data and do not share it for advertising or marketing.
Why we use it
Legal basis (GDPR)
- Contractual necessity (art. 6(1)(b)) — processing required to deliver the service you requested.
- Legitimate interests (art. 6(1)(f)) — security, abuse prevention, and product improvement, balanced against your rights.
- Legal obligation (art. 6(1)(c)) — when we must retain or disclose data under applicable law.
How long we keep it
Subprocessors
We use the following providers to operate Fabrica. Each is bound by a data-processing agreement and is responsible only for the data listed:
We may add or replace subprocessors. Material changes will be announced on this page at least 30 days before they take effect.
International transfers
Some subprocessors are located outside the European Economic Area. When data is transferred to them, we rely on the European Commission’s Standard Contractual Clauses (Decision (EU) 2021/914) and, where applicable, on adequacy decisions or supplementary safeguards.
Your rights
If you are in the EU, UK, or Switzerland (GDPR / UK GDPR)
- Access — request a copy of the data we hold about you.
- Rectification — correct inaccurate data.
- Erasure — request deletion (“right to be forgotten”).
- Restriction — limit how we process your data.
- Portability — receive your data in a machine-readable format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent at any time, without affecting the lawfulness of prior processing.
- Lodge a complaint with the French CNIL (cnil.fr) or your local supervisory authority.
If you are a California resident (CCPA / CPRA)
- Right to know what personal information we collect.
- Right to delete personal information we hold.
- Right to correct inaccurate personal information.
- Right to opt out of any sale or sharing of personal information — we do not sell or share, but the opt-out remains available.
- Right to non-discrimination for exercising any of the above.
To exercise any of these rights, write to jonahhaddadmeerson@gmail.com from the email associated with your installation, or include your Fabrica installation ID in the message. We respond within 30 days.
Security
Communication between the extension and our backend uses TLS 1.3. API requests are authenticated with a per-installation key. Skills are stored in your browser’s sandboxed extension storage and are never transmitted unless you explicitly export or sync them. Cloudflare provides DDoS protection and bot management at the edge.
No system is invulnerable. If you suspect a security issue, write to jonahhaddadmeerson@gmail.com.
Children
Fabrica is not directed at children under 16 (or under 13 in the United States) and we do not knowingly collect their data. If you believe a child has used Fabrica, contact us and we will delete the related data.
Changes to this policy
We may update this Privacy Policy. The “Effective” date at the top reflects the latest revision. Material changes will be signaled in the extension or by email when feasible.
Contact
Privacy inquiries: jonahhaddadmeerson@gmail.com. General contact: jonahhaddadmeerson@gmail.com.