Privacy Policy
How we handle personal data for Strawberry Browser.
Dendrite Systems, Inc. (“Strawberry,” “we,” “us,” or “our”) is committed to protecting your privacy and ensuring transparency about how we collect, use, and protect your information. This privacy policy (“Privacy Policy”) explains our data practices in connection with your use of Strawberry Browser (the “Service”). The Service is offered only to businesses for business use; it is not offered to consumers or to individuals for personal, family, or household purposes. Where this Policy refers to “you,” it means the User (an individual representing a business customer) whose Personal Data is processed in connection with the Service. By accessing or using the Service, you agree to the collection, use, disclosure, and procedures this Privacy Policy describes. Beyond the Privacy Policy, your use of our Services is also subject to
- our Business Terms, and
- our Acceptable Use Policy,
- Our sub-processors. We engage third-party service providers that process personal data on our behalf (“Sub-Processors”). The current list of our Sub-Processors, including their identities, locations, and processing purposes, is maintained at our Subprocessor List:
We update the Subprocessor List as Sub-Processors are added or replaced, and we provide Business Customers with advance notice of changes under our Data Processing Agreement .
Feature availability. Certain features described in this Privacy Policy may not be available in all versions of the Service or in all regions, and may be added, modified, restricted, or removed by Strawberry from time to time. Where a feature is not currently available, the corresponding description applies only with respect to your data where and when the feature is enabled for you. Where a feature is not enabled for you, no data of the kind described in that section is collected or processed from you in connection with that feature.
1. Roles and Responsibilities
Strawberry acts in two capacities with respect to personal data:
As a data controller: when processing personal data for our own purposes. Specifically, Strawberry acts as a data controller for: (i) account administration and authentication; (ii) billing, invoicing, and tax compliance; (iii) fraud detection, abuse prevention, and security of the Service (including cross-Customer signals where required for abuse prevention); (iv) service operation, error monitoring, and reliability telemetry; (v) transactional and service-related communications; (vi) marketing to Strawberry's own users (subject to applicable consent and opt-out rights); (vii) compliance with Strawberry's own legal obligations; (viii) defending Strawberry's legal claims; and (ix) the creation and use of de-identified, aggregated, or anonymized data in accordance with Section 11. This Privacy Policy describes our processing activities in this capacity.
As a data processor: when processing personal data on behalf of a Customer in connection with that Customer's use of the Service. Such processing is governed by the Data Processing Agreement between Strawberry and the Customer. Because the Service is offered only for business use, Strawberry acts as a processor in respect of Personal Data contained in User Content in all cases, and the DPA always applies between Strawberry and the Customer.
Business-only Service. The Service is offered only for business use under the Business Terms of Service. The Customer (the legal entity or unincorporated business on whose behalf an authorized representative has accepted the Business Terms) is the data controller for Personal Data contained in User Content processed through the Service, including any personal data of third parties (such as contacts, leads, or recipients of communications), and Strawberry acts as data processor under the DPA, except for the limited controller-role processing identified above in this Section 1. Where an individual User accesses the Service, the User is acting on behalf of, and as part of the staff of, the Customer.
Strawberry's EU establishment for the purposes of the GDPR is Strawberry Browser AB (former Dendrite Systems AB) (Organisationsnummer: 559563-5359), Kungsgatan 54, 111 35 Stockholm, Sweden.
2. Personal Data We Collect
“Personal Data” means any information relating to an identified or identifiable natural person, as defined under the EU GDPR, the UK GDPR, the Swiss nFADP, the California Consumer Privacy Act (CCPA) as amended by the CPRA, and other applicable data protection laws.
Special Category and Sensitive Data
Strawberry does not require the submission of special categories of personal data (such as health information, biometric data, or data revealing racial or ethnic origin) for the use of its Service. However, because Strawberry Browser operates as an AI-powered browser assistant that can interact with any website, the Service may incidentally process such data when you direct it to interact with content that contains it. Strawberry does not actively solicit or seek out special category data. Your use of the Service in relation to special category data, sensitive personal information under US law, or other restricted-input data must comply with applicable law and with the Acceptable Use Policy (see in particular AUP §6 on Prohibited Inputs). The processing of any such data contained in User Content is governed by the DPA, under which the Customer is the controller.
2.1 Information You Provide
Account information, profile information, subscription and payment information, invitation history, newsletter subscriptions, and any information you share when contacting us (e.g., via hello@strawberrybrowser.com).
User Content. Data, documents, prompts, messages, web page content, and other materials processed by or submitted through the Service, including information the AI assistant extracts, summarizes, or interacts with on websites and Connected Apps. User Content may contain personal data relating to third parties (such as names, email addresses, or other identifiers of contacts, leads, or other individuals).
2.2 Information Collected When You Use the Service
Location information (country-level only, inferred from IP), device information (device type, device identifiers, browser type and version, OS version), and usage information (interactions, timestamps, feature usage, AI task frequency and type).
Cookies and tracking. We and our third-party partners collect information about your activities on our Services using cookies or other tracking technologies. We deploy: Strictly Necessary Cookies (sign-in, session management, security — no consent required), and Analytics and Performance Cookies used for feature adoption, error monitoring, and performance tracking. The providers we engage for these purposes are identified in the Subprocessor List. We obtain prior consent for non-essential cookies where required by applicable law. You can manage or withdraw cookie preferences through your browser controls or by enabling a Global Privacy Control signal.
2.3 Activity Memory (where enabled)
Availability. Activity Memory is an optional feature that may not be available in all versions of the Service. This Section 2.3 applies only with respect to your data where and when the feature is enabled by Strawberry and you have opted in. Where Activity Memory is not available or you have not opted in, no Activity Memory data is captured or processed from you.
What Activity Memory collects. Where you opt in to the Activity Memory feature, the Service captures periodic screenshots of your screen and analyses on-screen content while the Service is active, in order to provide continuity, personalization, and improved assistance. Activity Memory may therefore capture content from applications and websites outside the Strawberry browser (including content shown on your display, in other browser tabs, or in other applications running on your device), and it builds a persistent log of your activity. Activity Memory does not record keystrokes or capture biometric identifiers.
Opt-in, opt-out, and controls. Where the feature is available, Activity Memory is disabled by default. You will be asked to explicitly opt in before Activity Memory is enabled on your device, with a clear description of what is captured. You can disable (opt out of) Activity Memory at any time in your account settings, and you can pause it at any time using the in-app pause control. You can also view, export, and delete individual entries or the entire Activity Memory at any time. Disabling Activity Memory stops new entries from being recorded; existing entries are retained only until you delete them or until the retention period described in Section 8 expires. When the browser is in incognito or private mode, Activity Memory does not capture content unless you explicitly confirm capture for that session.
Sensitive Data warning. Because Activity Memory captures screenshots and on-screen content, it is capable of recording highly sensitive data that you may encounter on your screen, including payment card and bank-account numbers, passwords and authentication credentials, one-time codes, government-issued identification numbers, health records, confidential or trade-secret information, and special categories of personal data within the meaning of Article 9 GDPR (together, “Sensitive Data”). You should disable or pause Activity Memory when working with Sensitive Data, and you should not intentionally cause the Service to record Sensitive Data into Activity Memory. You should disable or pause Activity Memory before viewing or interacting with content reasonably likely to contain special categories of personal data, including medical portals, religious or political content, or content about sexual orientation or trade-union membership. Strawberry has no lawful basis to process such data through Activity Memory and you must not direct the Service to do so. If Sensitive Data is nevertheless captured, you are responsible for reviewing and deleting the relevant entries promptly. Strawberry applies the same cloud-security controls to Activity Memory as to other User Content, but Activity Memory is not certified as a system of record for Sensitive Data.
Other people's data. Activity Memory may record content that relates to other people (for example, the contents of emails, messages, documents, video calls, or shared screens). You are responsible for ensuring that your use of Activity Memory complies with applicable laws and with any confidentiality or workplace-monitoring obligations that apply to you.
2.4 Information from Other Sources
When you log in using third-party authentication (e.g., Google), we may collect your name, email address, and profile information as permitted by the provider and your privacy settings. When you connect the Service with Connected Apps (e.g., Google, Notion, Airtable, HubSpot), we may access your basic account information and workspace content from those tools. We also receive referral email addresses from users who invite friends, and information from trusted security partners to protect against fraud and abuse.
3. Where Your Information Is Stored and Processed
Cloud and on-device storage. Information we collect through the Service is processed and stored in two locations: (i) locally on your device, and (ii) in cloud infrastructure operated by our Sub-Processors. The balance between local and cloud storage depends on the data category and is currently undergoing transition as Strawberry progressively moves additional categories of data into primary cloud storage. Local on-device storage may include authentication tokens for your Strawberry account, application settings, synced files made available offline, chat history, operational logs generated by the Service (including data about network requests and responses processed during agentic tasks), and temporary caches used for performance. Cloud storage may include account details, billing information, server-side User Content, Activity Memory entries (where the feature is enabled and you have opted in), synced files, analytics, and the credentials and tokens you provide through the Connected Apps authentication flow (stored with application-layer encryption at rest using industry-standard algorithms; the encryption keys are held in our secrets-management system). On-device data is protected using operating-system security features (including operating-system disk encryption where enabled by you or your administrator); we do not apply additional application-level encryption to on-device data. You are responsible for the physical and access security of the device(s) on which you install the Service. On-device data is removed when you sign out or uninstall the Service. Cloud storage Sub-Processors and the regions in which they host data are set out in the Subprocessor List. Specific data categories may move between local and cloud storage as the transition progresses; the lists above are illustrative of the current state and may shift over time.
International transfers. We are based in the United States and process Personal Data in the European Union and the United States. Strawberry's EU establishment, Strawberry Browser AB (former Dendrite Systems AB), is located in Stockholm, Sweden. Personal Data of EEA users is processed within the EEA where feasible. Where Personal Data is transferred to a country that has not been deemed to provide an adequate level of data protection, we rely on appropriate safeguards under Applicable Data Protection Law, including (as applicable) the EU Standard Contractual Clauses (Modules 2 and 3 per Commission Implementing Decision (EU) 2021/914), the UK International Data Transfer Addendum, the Swiss FDPIC modifications, and/or the EU-US Data Privacy Framework where the recipient is certified. Where required, we enter into Standard Contractual Clauses or equivalent transfer mechanisms with Sub-Processors identified in the Subprocessor List. You may request a copy of the safeguards applicable to a specific transfer by contacting security@strawberrybrowser.com.
4. How We Use Your Personal Data
We process Personal Data to:
- provide, maintain, and improve the Service, including its AI features and integrations;
- process account registration, authenticate access, and manage subscription plans;
- process payments, top-ups, and credits for Business Customers;
- monitor and analyze usage data and platform performance (performed on de-identified or aggregated data where feasible);
- facilitate Connected Apps you choose to enable;
- respond to inquiries, feedback, or support requests;
- send informational emails about how the Service works (you may opt out at any time);
- comply with legal obligations or protect our rights, property, or safety, or that of our users or others;
- detect, investigate, and respond to security incidents, including suspected prompt-injection attacks or adversarial content events involving Agent Actions.
Automated decision-making. Strawberry does not, in its own right, engage in automated decision-making that produces legal or similarly significant effects within the meaning of Article 22 GDPR. The Service is designed with human oversight in mind: it completes tasks, but consequential decisions remain with you. The Service may, on your direction, take Actions on websites and Connected Apps that have effects on third parties (for example, sending an email or making a booking); such Actions are taken on your instruction, and where they could have legal or similarly significant effects on third parties, you remain the controller responsible for any resulting Article 22 compliance and for ensuring that meaningful human review exists in the workflow.
5. AI and Machine Learning Data Processing
How Strawberry Uses AI
The Service uses artificial intelligence and machine learning models to process User Content and generate outputs. This may include summarizing web pages, drafting messages, extracting information from websites, performing research tasks, and automating workflows across websites and Connected Apps. AI-generated output may contain errors or inaccuracies, and the user is responsible for evaluating output as appropriate for its use case.
Third-Party AI Providers
The Service may transmit User Content to third-party AI providers for processing and response generation. The current list of AI Sub-Processors is set out in the Subprocessor List. Strawberry enters into data processing agreements (and, where required, Standard Contractual Clauses or equivalent transfer mechanisms) with its AI Sub-Processors and configures them to disable retention and training where the provider supports such settings. The Service operates by reading from operational data stored locally on your device, including the operational logs described in Section 3. This means that information transmitted by websites and Connected Apps in the course of your agentic tasks — including data you may not have deliberately submitted to the Service — may be accessed by the agent and, in the course of completing your tasks, transmitted to AI Sub-Processors. Strawberry applies commercially reasonable best-effort measures designed to limit the inclusion of credentials and other sensitive data in such transmissions, but these measures are not absolute and may not detect all such data.
Use of Your Data for Model Improvement
By default, Strawberry does not use your User Content to train Strawberry's generative AI models or third-party generative AI models. We may use de-identified, aggregated, or anonymized data derived from User Content for Service improvement, analytics, and product development in accordance with Section 11.
6. Lawful Bases for Processing
We process Personal Data only where we have a legal basis to do so:
- Contract: to perform our contract with you.
- Legitimate interests: to provide and improve the Service, to fight fraud, and to respond to inquiries. We balance these interests against your privacy rights, and you may object as described in Section 9.
- Legal obligation: to comply with regulatory, tax, and accounting requirements.
- Consent: where we have asked for your consent (e.g., for direct marketing, for non-essential cookies, and, where the feature is enabled, for the Activity Memory feature). You may withdraw consent at any time.
- Special category data: Where special category data is incidentally processed through the Service as a result of your use, such processing may be based on (a) your explicit consent under Article 9(2)(a), (b) Article 9(2)(e) if you have manifestly made the data public, or (c) another valid exemption under Article 9(2). The Customer, as controller, is responsible for determining the lawful basis for processing Personal Data contained in User Content (including any Article 9(2) basis where special category data is processed).
7. How We Share Your Information
We do not sell your Personal Data. We do not share Personal Data for cross-context behavioral advertising. We may share information with:
- service providers assisting in Service operation (hosting, payment processing, analytics, error monitoring, email delivery);
- Connected Apps and AI partners you enable (subject to their own privacy policies);
- cloud infrastructure and database providers listed in the Subprocessor List;
- as required by law or legal process (we will notify you unless legally prohibited);
- in connection with a merger, acquisition, or asset sale, subject to appropriate safeguards;
- with your consent.
Sub-processor management. All Sub-Processors are bound by contractual obligations requiring compliance with applicable data protection laws and (where Personal Data is processed on behalf of a Business Customer) by the deletion-on-instruction obligations described in the DPA. The current Subprocessor List (including identities, locations, and processing purposes) is maintained at the URL identified in the introduction to this Policy. We provide notice of Sub-Processor changes to Business Customers, allowing objection within the period set out in the DPA.
8. Data Storage, Retention, and Security
We retain your information only for as long as necessary for the purposes outlined in this Policy or to comply with legal obligations. General retention periods:
- Account and contact data: as long as necessary, considering account status and applicable law.
- Billing and payment records: as required by applicable tax and accounting law (generally 7 years).
- User Content (including Activity Memory entries, where enabled by a User), processed by Strawberry as processor: as instructed by the Customer or upon termination per the DPA (default: deleted within 90 days of termination, with backup rotation within an additional 90 days).
- Automatically collected log data: 90 days, unless required by law or for security investigations.
- Cookie data: maximum 13 months for analytics cookies.
Security measures. Your information is stored and processed both locally on your device and in the cloud as described in Section 3. We apply appropriate technical and organizational security measures, including: encryption in transit (TLS 1.2 or higher) and at rest; role-based access controls and multi-factor authentication for administrative access; regular backups with defined recovery objectives; security monitoring and logging; incident response procedures with notification to affected users without undue delay upon confirming a personal data breach. On-device data is protected using operating-system security features, including the operating-system credential store for credentials where the operating system provides one, and operating-system disk encryption where you or your administrator have enabled it. Details of our technical and organizational measures are set out in Appendix B of the DPA.
SOC 2 Type 1. Strawberry has been assessed under the AICPA Trust Services Criteria for Security (SOC 2 Type 1, report as of 13 May 2026, issued by Prescient Assurance LLC). The SOC 2 report is available to Business Customers under non-disclosure agreement on request to security@strawberrybrowser.com. A SOC 2 Type 1 report assesses the design of controls at a point in time only and does not provide assurance regarding the operating effectiveness of controls over a period.
However, because no electronic transmission or storage of information can be entirely secure, we can make no guarantees as to the security or privacy of your information, to the extent permitted by applicable law.
9. Your Data Protection Rights
Depending on where you live, you may have rights under applicable data privacy laws.
EEA, UK, Switzerland
Right of Access; Rectification; Erasure; Restriction; Data Portability; Object (including to processing based on legitimate interests); Withdraw Consent; Lodge a Complaint with your local supervisory authority. EEA users may direct enquiries to our EU establishment, Strawberry Browser AB (former Dendrite Systems AB), Kungsgatan 54, 111 35 Stockholm, Sweden, or to security@strawberrybrowser.com.
United States
Your rights vary by state. The following summary is not exhaustive and we will respond to all verifiable requests in accordance with applicable law. We do not sell personal information and we do not share personal information for cross-context behavioral advertising. We will not discriminate against you for exercising your rights.
- California (CCPA/CPRA): rights to know, delete, correct, opt out of sale/sharing, and limit the use and disclosure of sensitive personal information. We honor Global Privacy Control (GPC) signals as opt-out preference signals.
- Colorado, Connecticut, Virginia, Texas, Oregon, Montana, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Indiana, Kentucky, Rhode Island, Minnesota, Maryland: rights to access, deletion, correction, portability, and opt-out of targeted advertising, sale, and certain profiling. Where the relevant state law requires opt-in for sensitive data processing, we obtain consent before such processing.
- Washington (My Health My Data Act): where Activity Memory is enabled and captures consumer health data within the meaning of MHMDA, we obtain separate consent prior to collection and provide additional rights specific to such data (including the right to withdraw consent and to deletion).
- Illinois (BIPA): the Service does not collect biometric identifiers or biometric information for identification purposes. Activity Memory captures screenshots only and does not perform biometric identification; we do not capture keystroke patterns. If you believe we have collected biometric data about you, contact security@strawberrybrowser.com.
Exercising your rights. If you are an end user of a Customer's Account (which is the case for all Users of the Service), please direct data subject requests to your organization, as they are the data controller for User Content. Typically, the User assigned the most senior administrative Role for the Account (currently labelled “Owner”) or another administrative-Role User will be able to action your request. For matters relating to Strawberry's controller-role processing (account administration, billing, security, and compliance), you may contact us at security@strawberrybrowser.com. We respond to verified requests within thirty (30) days, or longer where permitted by law.
10. Notices to Third Parties Whose Data Is Processed (Article 14 GDPR)
Where the Service processes personal data relating to third parties encountered in websites, emails, documents, or Connected Apps (for example, contacts, leads, or recipients of communications you direct the Service to interact with), the obligations under Articles 13–14 GDPR apply.
- Business Use: the Business Customer, as controller, is responsible for providing any notices required under Articles 13–14 GDPR to third parties whose data is processed through its use of the Service, and Strawberry will assist as provided in the DPA.
11. Anonymized, Aggregated, and De-Identified Data
Strawberry may create de-identified, aggregated, or anonymized data derived from Personal Data processed through the Service, provided such data cannot reasonably be used to identify any natural person. Once irreversibly anonymized in accordance with applicable regulatory guidance (including guidance from the European Data Protection Board and the UK ICO), such data is no longer Personal Data and falls outside the scope of this Policy. Strawberry may use such anonymized data for Service improvement, analytics, and product development, and shall not attempt to re-identify the data.
12. Children's Privacy
The Service is not intended for individuals under 18, and we do not knowingly collect Personal Data from anyone under this age. If we learn that we have collected such information, we will take steps to delete it. You shall not direct the Service to process personal data relating to a child under the age at which national law sets digital consent (see AUP §6 on Prohibited Inputs).
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. For material changes that reduce your rights or expand our processing purposes, we will provide at least thirty (30) days' advance notice by email or in-product notification.
14. Contact
Email: security@strawberrybrowser.com. US: Dendrite Systems, Inc., Attn: Privacy, 28 Geary St. STE 650 #1826, San Francisco, CA 94108. EU: Strawberry Browser AB (former Dendrite Systems AB), Kungsgatan 54, 111 35 Stockholm, Sweden. For security or safety concerns, contact security@strawberrybrowser.com.
If you are not satisfied with our response, you can lodge a complaint with your local supervisory authority. In Sweden, Integritetsskyddsmyndigheten (IMY).