Last updated: May 6, 2026
The data controller for personal data processed through ExecBro and execbro.com is:
ExecBro ("the Tool") is an MCP server for AI-powered React Native debugging, paired with a web dashboard at execbro.com. This policy explains what data is collected by both the MCP package and the web platform, how it is used, the legal basis for processing, and how you can control it.
| Processing activity | Legal basis (GDPR Art. 6) |
|---|---|
| Account creation, license validation, subscription management | Performance of a contract |
| Payment processing (via Paddle) | Performance of a contract; legal obligation (tax/accounting) |
| Anonymous telemetry & product improvement | Legitimate interest |
| Tap failure diagnostic artifacts | Legitimate interest (tool reliability) |
| Website analytics (Google Analytics) | Consent (cookie banner) |
The MCP package collects anonymous usage metrics to improve the product:
| Data | Purpose |
|---|---|
| Tool names | Which MCP tools are used most |
| Success/failure | Error rates for reliability improvements |
| Duration (ms) | Performance monitoring |
| Session start/end | Retention analysis |
| Platform | macOS/Linux/Windows distribution |
| Server version | Adoption of new versions |
Not collected: file paths, source code, network data, console log content, component names, app state, or personally identifiable information.
Telemetry can be disabled by setting the environment variable:
export EXECBRO_TELEMETRY=false
On the first tool use in each session, the MCP package automatically registers your installation with our backend. This enables license validation and optional account linking.
| Data sent | Purpose |
|---|---|
| Installation ID | Random UUID identifying this installation |
| Device fingerprint | SHA-256 hash of (username + CPU model + machine hardware UUID) |
| Platform | macOS, Linux, or Windows |
| Hostname | Your machine's hostname |
| OS version | Operating system name and release |
| Server version | Installed version of ExecBro (npm package react-native-ai-devtools) |
The device fingerprint is a one-way hash — it cannot be reversed to recover your username, CPU model, or hardware UUID individually. The raw components are never sent to our servers.
Registration data is stored in Google Firebase Firestore. Each installation creates a record with anonymous or linked status, free tier by default, and the data listed above.
Auto-registration is tied to telemetry. Disabling telemetry also prevents registration.
When the ocr_screenshot tool is used, a screenshot is sent via HTTPS to a Cloudflare Worker, which forwards it to Google Cloud Vision API for text recognition. The image is not stored — it is processed in memory and discarded immediately.
If the cloud service is unavailable, a local OCR fallback (EasyOCR) processes the image entirely on your machine.
Google Cloud Vision API usage is governed by Google Cloud's Terms of Service. Under their terms, Google does not use customer data to train its models.
When the tap tool fails or produces no visible change on screen (changeRate < 0.1%), the MCP package uploads diagnostic evidence so we can reproduce and fix tap reliability issues.
What is collected:
before.png, after.png, and after-with-marker.png (post-tap screenshot with a red-cross marker drawn at the exact pixel where the tap landed).
When: only on tap failures and successful taps that produced no visible change. Successful, meaningful taps upload nothing.
Where stored: Cloudflare R2 (same Cloudflare account as the telemetry endpoint), accessed only via an authenticated dashboard endpoint.
Retention: 10 days. Objects are auto-deleted by an R2 lifecycle policy.
Use: solely to diagnose and improve the tap tool. Not used to train AI models. Not shared with or sold to any third party.
Scope note: the Tool only operates against development environments (simulators, emulators, dev builds). Screenshots may include whatever is on your screen at the time of the tap. We do not run against production or release builds.
How to opt out:
"env": { "RN_AI_DEVTOOLS_DISABLE_FAILURE_ARTIFACTS": "1" }
Disabling telemetry (EXECBRO_TELEMETRY=false) also disables artifact upload.
The web dashboard at execbro.com provides optional account management. You can use the MCP package without ever creating a web account.
If you choose to sign in, we use Google sign-in via Firebase Authentication. The following is stored:
| Data | Source |
|---|---|
| Email address | Your Google account |
| Display name | Your Google account |
| Sign-in provider | "google.com" |
| Linked installation IDs | From your MCP installations |
Activation tokens (one-time codes for linking MCP installations to your account) are valid for 24 hours. Only a SHA-256 hash is stored server-side; the raw token is shown once in the dashboard.
| Data | Retention |
|---|---|
| Telemetry | Stored in Cloudflare Analytics Engine. Not linked to personal identity. |
| Installation records | Stored in Firebase Firestore. Retained while active. Deleted via delete_account tool. |
| Account records | Stored in Firebase Firestore. Retained while account exists. Deleted on account deletion. |
| Activation tokens | Stored in Firebase Firestore. Expired tokens cleaned up lazily. |
| OCR images | Not retained. Processed in memory and discarded immediately. |
| Tap failure artifacts | Stored in Cloudflare R2. Auto-deleted after 10 days. Not used for AI training; not shared with third parties. |
| Local files | Remain on your machine until you delete them. |
| Service | Provider | Purpose |
|---|---|---|
| Telemetry endpoint | Cloudflare Workers | Anonymous usage metrics |
| OCR endpoint | Cloudflare Workers + Google Cloud Vision | Screenshot text recognition |
| Registration & license API | Firebase (Google Cloud) | Installation registration, license validation |
| Account storage | Firebase Firestore (Google Cloud) | Installation records, accounts, activation tokens |
| Authentication | Firebase Authentication (Google Cloud) | Google sign-in for web dashboard |
| Tap artifact storage | Cloudflare R2 | Short-term storage of diagnostic screenshots and JSON bundles for failed/unmeaningful taps (10-day retention) |
| Website analytics | Google Analytics | Page views and visitor metrics (subject to consent) |
| Payment processing | Paddle.com Market Limited (Merchant of Record) | Subscription billing, invoicing, sales tax / VAT, chargebacks. Paddle's privacy policy: paddle.com/legal/privacy |
API keys embedded in the MCP source code are write-only tokens — they cannot be used to read or access any stored data.
The MCP package creates the following files on your machine:
| File | Contents |
|---|---|
| ~/.execbro/telemetry.json | Random UUID, first-run timestamp |
| ~/.execbro/license.json | License status, cache expiry (24h TTL) |
To delete all locally stored data:
rm -rf ~/.execbro/
The data controller is established in Ukraine. Personal data may be processed in Ukraine, the European Union, the United Kingdom, and the United States, depending on the third-party processors involved (Cloudflare, Google / Firebase, Paddle). Where data is transferred outside the EU/EEA, our processors rely on the European Commission's Standard Contractual Clauses or equivalent safeguards. By using the Tool, you acknowledge that your data may be transferred internationally.
Under GDPR and applicable data-protection laws, you have the right to:
To exercise any of these rights, email [email protected]. We will respond within 30 days.
Practical controls built into the product:
- delete_account MCP tool (requires confirm: "DELETE") to remove all server-side data.
- ~/.execbro/ from your machine.
- EXECBRO_TELEMETRY=false.
- ios_screenshot or android_screenshot instead of ocr_screenshot.
- RN_AI_DEVTOOLS_DISABLE_FAILURE_ARTIFACTS=1. Anonymous structured signals still flow under the telemetry opt-out.

This is a developer tool and is not directed at children under 13. We do not knowingly collect data from children.
We may update this privacy policy from time to time. Changes will be reflected in the "Last updated" date at the top of this page.
For questions about this privacy policy, data practices, or to exercise your rights, contact [email protected]. For technical issues, you may also open an issue on GitHub.