Agentic browsers navigate websites, fill forms, and complete multi-step tasks on your behalf. To do that, they read everything on every page they process. What happens to that content afterwards is the question you need to be asking.
Three vendor positions have emerged. Google streams full page content to its cloud for Gemini inference, under retention terms that are vague at best. OpenAI’s Atlas builds a persistent behavioural profile across sessions. Kagi’s Orion collects nothing. If your organisation handles regulated data — patient records, payment information, EU personal data — these differences are not just preferences. They are compliance-determining factors.
This article goes through what each vendor collects, how long they keep it, what they might do with it, and what you should do about it. It is part of the agentic browser strategy guide covering architecture, security, and enterprise governance.
What Happens to Your Data When an Agentic Browser Runs a Task?
Let’s start with the fundamental question: where does the AI inference happen?
Cloud-based AI inference means page content is transmitted to the vendor’s servers for LLM processing. Every page that Chrome Auto Browse or Atlas processes is shared with the vendor. That is not a configuration option you can change — it is how these products work.
Zero-telemetry architecture means the browser transmits nothing. Kagi Orion collects no usage data, no analytics identifiers, no tracking information. There is no inference pipeline because there is no channel through which to run one.
Here is the practical consequence. When Auto Browse processes a page containing customer records, that content goes to Google’s servers. When Atlas is operating inside an authenticated CRM session, that content goes to OpenAI’s infrastructure. Neither vendor’s current documentation provides the specificity you would need to certify those transfers as lawful under GDPR.
One other structural point worth knowing: approximately 70% of browsers run on Google’s Chromium engine, and Atlas is no exception. Orion is built on WebKit instead. That is not just a technical footnote — it removes the data dependencies that Chromium-based browsers inherit from Google, which has direct implications for data sovereignty.
What Data Does Chrome Auto Browse Send to Google and How Long Is It Retained?
Auto Browse streams all content from the active tab to Google’s cloud for Gemini 3 processing. Google calls this “remote browser data”: cookies (including authentication cookies), screen captures, and full page content.
Google says Auto Browse is governed by its Gemini in Chrome policy. The relevant term: page content is “logged to your Google Account temporarily.” What “temporarily” means is not defined anywhere.
There is a “Keep Activity” toggle in Gemini Apps Activity that controls whether browsing data is stored for potential model improvement. Disabling it is the available mitigation — but its specific effect on Auto Browse session data, as distinct from general Gemini interactions, is not documented.
When Ars Technica asked Google in January 2026 whether Auto Browse page content is used for model training, a spokesperson declined to provide specifics. That is not a minor oversight. An unresolved training data question means you cannot certify lawful basis for processing under GDPR Article 6.
Until Google provides written confirmation on training data use, a defined retention period for Auto Browse sessions, and a Data Processing Agreement covering agentic browsing data under Article 28, you should treat Auto Browse as unsuitable for any session involving regulated data.
How Does Atlas Browser Memory Work and Why Is It a Security Risk?
Atlas’s Browser Memory logs browsing patterns, form inputs, and cross-session interaction data to build a persistent behavioural profile. Over time this makes the AI more useful. It also creates a centralised store that accumulates sensitive enterprise data across every session ever run.
Atlas operates at the architectural level — not as an extension, but as a privileged component with direct access to every open tab, authenticated session, and DOM element across all domains simultaneously. That design bypasses the Same-Origin Policy that normally stops cross-domain data access.
The security implications are well mapped in OWASP’s LLM framework. LLM-01 (Memory Poisoning) documents how attackers use CSRF to inject malicious instructions into Browser Memory that then persist across future sessions. LLM-06 (Excessive Agency) applies when an injected instruction propagates across multiple domains using the user’s own authentication tokens. Within 24 hours of Atlas’s October 2025 launch, security researchers had already demonstrated successful attacks. OpenAI CISO Dane Stuckey acknowledged the problem directly: “Prompt injection remains a frontier, unsolved security problem.”
The compliance picture is equally clear. OpenAI’s enterprise documentation states Atlas is not covered by SOC 2 or ISO 27001 and explicitly advises against use with “regulated, confidential, or production data.” Atlas also lacks SIEM integration, SSO enforcement, and IP allowlists.
One configuration detail that matters particularly for SMBs: Atlas is enabled by default for ChatGPT Business tier users with no admin approval workflow. Enterprise tier disables it by default. Your employees may already have it running before you have made any governance decision.
Before deploying Atlas with company data, you need SOC 2 Type II certification covering Atlas specifically, written confirmation of Browser Memory data residency and retention, and confirmation that Business tier auto-enablement can be locked by admin policy. The absence of SOC 2 is a current disqualification for regulated environments — full stop.
What Does Kagi Orion’s Zero-Telemetry Architecture Actually Mean in Practice?
Orion ships with no AI code in its core. No inference engine, no vendor cloud pipeline, no behavioural profiling. Kagi’s stated position is straightforward: “Your browser should be a secure gateway, not an unvetted co-pilot wired into everything you do.”
Zero telemetry does not mean no AI access. Orion users can still use AI tools through websites — the browser is a vehicle, not a participant. The browser itself does not process page content through any vendor infrastructure. That is the distinction, and it is an important one.
Orion’s WebKit foundation is not a coincidence. It removes the structural dependencies Chromium-based browsers carry from Google. Combined with Kagi’s subscription-only revenue model — no advertising, no incentive to monetise your browsing data — the architecture creates genuine data independence.
On enterprise readiness: Orion 1.0 launched November 2025 for macOS, iOS, and iPadOS. Linux is in alpha; Windows targets late 2026. Six developers, 1 million+ downloads, 2,480 paid subscribers. A viable product, not a boutique experiment.
The compliance advantage is concrete. Zero telemetry eliminates the third-party data processing relationship entirely. No GDPR Article 28 DPA required. No HIPAA Business Associate Agreement. No PCI-DSS third-party assessment for the browser layer. The entire class of cloud-inference compliance obligations simply disappears.
Before standardising on Orion, verify the Windows timeline against your deployment schedule, confirm MDM compatibility, and assess whether a six-person development team meets your vendor risk threshold. Also get written confirmation that the zero-telemetry commitment will extend to any future AI feature additions.
What Are the GDPR, HIPAA, and PCI-DSS Implications of Cloud-Based Browser AI Inference?
Data handling is one dimension of the broader browser-agent platform race — but it is the dimension with the most immediate compliance consequences for organisations handling regulated data.
When Auto Browse processes a page containing EU personal data, GDPR applies. Your organisation is the data controller. Google is the data processor. Any compliance gap in how that processing is documented, retained, or disclosed falls on your organisation, not Google’s. GDPR Article 28 requires a Data Processing Agreement, and Google’s current Gemini agreements have not been demonstrated to explicitly cover agentic browsing as a processing activity.
Atlas’s documentation explicitly prohibits use with Protected Health Information (HIPAA) and payment card data (PCI-DSS). Chrome Auto Browse has no equivalent prohibition — and absence of documentation is not permission.
Here is where each product currently stands:
Chrome Auto Browse: sends data to vendor cloud; retention defined as “temporarily” with no further specification; Google declined to answer on training data use; SOC 2 coverage not documented; GDPR Article 28 DPA required but gaps exist; no explicit HIPAA or PCI-DSS prohibition.
ChatGPT Atlas: sends data to vendor cloud; retention is persistent with no stated limit; SOC 2 absent per OpenAI’s own documentation; GDPR Article 28 DPA required but gaps exist; HIPAA and PCI-DSS use explicitly prohibited.
Kagi Orion: no data sent to vendor; no retention applicable; SOC 2 not applicable; no GDPR Article 28 DPA required; no HIPAA or PCI-DSS obligations from the browser layer.
No agentic browser product currently satisfies all enterprise compliance requirements simultaneously. Opera Neon adds a further complication: it routes page content through both OpenAI and Google infrastructure, which means dual vendor exposure and two separate sets of documentation gaps to manage.
What Should You Ask Vendors and What Do the Answers Mean for Procurement?
The analysis above translates directly into specific actions.
Chrome Auto Browse: Get written confirmation on training data use and a defined retention period for Auto Browse sessions specifically. Request a DPA covering agentic browsing data under Article 28. If Google cannot answer those questions with specificity, you cannot certify the processing. That is a disqualification condition, not a yellow flag.
Atlas: Require SOC 2 Type II before deploying with any company data. Require documentation of Browser Memory data residency and deletion. Confirm whether Business tier auto-enablement can be locked by admin policy. Until SOC 2 coverage is independently verified, Atlas is out of scope for regulated environments.
Orion: Verify the Windows timeline against your deployment schedule, confirm MDM compatibility, and assess whether a six-person development team clears your vendor risk threshold. If those factors check out, Orion is the only option that eliminates cloud inference compliance obligations entirely.
On governance: if you do not make a decision, your employees will make one for you. Zenity reports agentic browsers appearing on enterprise device fleets “without approval or governance” as one of the fastest-growing sources of shadow AI. Chrome Auto Browse can be controlled through Chrome Enterprise policies; Atlas can be blocked via MDM tools like Jamf or Intune. Get your acceptable use policy updated to define which agentic browser features are approved for which data classification levels, before adoption outpaces governance.
Understanding how data handling standards feed into browser agent acceptable use policy is the natural next step — that article covers AUP templates, shadow AI detection, and the full enforcement framework.
Frequently Asked Questions
Does Chrome Auto Browse train Google’s AI models with my browsing data?
Google has not confirmed or denied this. When Ars Technica asked directly in January 2026, Google declined to provide specifics. The “Keep Activity” toggle in Gemini Apps Activity governs whether data is stored for potential model improvement, but its specific effect on Auto Browse data is undocumented. An unresolved training data question means you cannot certify lawful basis for processing under GDPR.
Is ChatGPT Atlas GDPR compliant?
Atlas is not covered by SOC 2 or ISO 27001 certifications, per OpenAI’s own documentation, which advises against use with regulated, confidential, or production data. Without a DPA covering Browser Memory data and without explicit compliance documentation, your organisation cannot certify Atlas as GDPR compliant without independent legal assessment.
Can I use Chrome Auto Browse with work data?
Auto Browse streams all page content to Google’s cloud, including from authenticated sessions. If that content includes personal data (GDPR), patient records (HIPAA), or payment information (PCI-DSS), you have third-party processing obligations that existing Google agreements may not cover.
What data does Orion browser collect?
None. Kagi Orion operates under a zero-telemetry policy: no usage data, no analytics identifiers, no tracking. The browser does not embed an AI inference engine and does not route page content through any vendor infrastructure.
Does using a VPN protect me from browser agent data collection?
No. A VPN encrypts traffic in transit and does not prevent the browser from transmitting page content to vendor cloud infrastructure at the application layer, which happens before network-level protection applies.
Is Atlas enabled by default for enterprise users?
It depends on your plan. Business tier users have Atlas enabled by default with no admin approval required — your team could be running it, with active Browser Memory, before any governance decision has been made. Enterprise tier disables it by default.
What compliance certifications should I require before deploying an agentic browser?
At minimum: SOC 2 Type II covering the agentic feature specifically; a DPA naming agentic browsing data as a covered processing activity; written confirmation of retention periods and training data use; SIEM integration capability. Currently, no agentic browser satisfies all of these requirements simultaneously.
The Bottom Line on Agentic Browser Data Handling
The vendor differences here are not edge-case technical distinctions. Chrome Auto Browse and Atlas both route your employees’ browsing sessions through external cloud infrastructure under terms that are currently insufficient for regulated data environments. Orion eliminates that problem entirely but comes with its own constraints around platform coverage and vendor maturity.
Your procurement decision should be driven by the questions in the previous section, not by feature comparisons. If Google cannot tell you how long Auto Browse session data is retained, that is your answer. If OpenAI cannot produce SOC 2 documentation covering Atlas before you need to deploy, that is your answer too.
Data handling is one piece of a larger decision. The full guide to the browser-agent platform race covers architecture, security risk, reliability benchmarks, and the governance framework that ties all of it together.