AI | Privacy

Phia, a popular AI shopping agent founded by Bill Gates’ daughter Phoebe Gates and Sophia Kianni, has been collecting a concerning amount of user data

By Beatrice Nolan, Tech Reporter
November 15, 2025, 7:00 AM ET

Photo: Phoebe Gates and Sophia Kianni, Phia co-founders. Buzzy AI shopping startup Phia collected sensitive user data, researchers say. (Getty Images)

Phia, an AI shopping agent co-founded by Bill Gates’ daughter Phoebe Gates, has been collecting more than just users’ fashion preferences through its desktop browser extension.

Four cybersecurity researchers told Fortune that the company’s browser extension, which is aimed at simplifying price comparisons for users, has been capturing a concerning amount of users’ information. In a previous version of the browser extension, researchers found that a snapshot of every web page a user visited—including sites containing highly sensitive information such as bank statements and private emails—was transmitted back to Phia’s servers, even when users were not interacting with e-commerce sites.

The AI shopping startup is fresh off an $8 million seed round led by Silicon Valley venture capital firm Kleiner Perkins, with participation from high-profile investors including Hailey Bieber, Kris Jenner, and Sheryl Sandberg. In October, Phia was named one of TIME’s Best Inventions of 2025. Launched in April, the New York-based startup has since grown rapidly, reaching hundreds of thousands of users between the app and desktop browser extension. 

Maahir Sharma, an ex-Meta software engineer based in Dublin, was the first to notice privacy issues with the AI browser extension.

“I began by testing it on Amazon,” he told Fortune. “But what really caught my attention was the number of requests being sent, transmitting product page details back to their servers.”

Transmitting retail site data for comparison and other AI-driven features was somewhat expected, he said, but after he noticed the same network calls were happening in the background while checking his Gmail, he was alarmed.

“Why was the extension making requests when I hadn’t interacted with it at all,” he said. “I discovered that the URL of every tab I visited was being logged, which was a red flag. Technically, this meant my complete browsing history could be reconstructed from this data alone.”

He went on to find that the extension wasn’t just tracking browsing behavior—it was quietly collecting full copies of every webpage a user opened and uploading them to Phia’s servers through a function buried in the code called “logCompleteHTMLtoGCS.”

In practice, that meant the extension was lifting the entire HTML—the behind-the-scenes text that tells a webpage how to look and function—compressing it, and sending the file back to the company’s servers through automated data-transfer calls known as API requests, researchers said. In other words, every page a user loaded was being replicated, packaged, and shipped off in the background, seemingly without users’ consent or knowledge. 

“I tested it using a Revolut account while the extension was installed. And, unsurprisingly, that activity was logged as well,” he said, referring to the popular digital bank. “At that point, I was honestly at a loss for words.”

Sharma’s findings were reviewed by Fortune, replicated by three independent researchers, including Kushagra Sharma, a software engineer at Accolite, and reviewed by an additional two cybersecurity experts. 

Late last week, after Sharma contacted Phia to alert them to the issue and request mitigation steps, the company removed the feature that collected users’ HTML pages, but did not disclose the potential privacy violation to users or confirm what had happened to the data that had been transmitted. Fortune is the first to report the privacy concerns. 

Charlie Eriksen, a security researcher at Aikido Security, who reviewed the findings, said it was unclear why the original “archive” feature even existed in the browser extension.  

“Not only do I not believe the ‘archive’ feature should ever have existed, and question why it was ever implemented, but they have no right to do any such thing under their own privacy policy,” he said. “I’ve seen quite a few messed-up things in my career. This one must be among some of the crazier things.”

A spokesperson for Phia said: “All versions of Phia, current and previous, performed logging in an aggregate and anonymous way for the purpose of identifying and discovering new retail websites. To determine when to appear, the extension previously logged webpage content to understand if the site was a shopping destination. It was also to identify and support additional retailers as they were discovered. Phia currently only logs URLs. Phia has never in the past, or at present stored this data.”

The company said that in order to download the browser extension, Chrome users had to click OK on a pop-up box noting that the tool can “read and change all your data on all websites.”
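The “read and change all your data on all websites” prompt is what Chrome shows when an extension asks for host access to every site, and the article’s concern is that access combined with a background component that runs while the user is not interacting with the extension. The following added example (not Phia’s code, and the two manifests are constructed for illustration) is the kind of manifest triage a security reviewer runs before approving an extension for a fleet: it flags blanket host access, content scripts injected on all sites, and a background worker, and contrasts that profile with a manifest scoped to named retail hosts.

```python
"""Triage a Chrome extension manifest for a broad data-access profile.

Added example, not the extension's own code. The sample manifests below are
constructed; the match patterns are the ones Chrome treats as "all websites".
"""
import json

# Match patterns that grant access to every site.
ALL_SITES_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def matches_all_sites(patterns):
    """True if any pattern in the list covers every website."""
    return any(p in ALL_SITES_PATTERNS for p in patterns)


def triage_manifest(manifest: dict) -> dict:
    """Return the findings a reviewer cares about for one manifest."""
    perms = list(manifest.get("permissions", []))
    # MV3 keeps host patterns in host_permissions; MV2 mixes them into permissions.
    hosts = list(manifest.get("host_permissions", []))
    hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
    script_matches = [m for cs in manifest.get("content_scripts", [])
                      for m in cs.get("matches", [])]
    background = manifest.get("background", {})

    findings = {
        # Host access to every site: the "all your data on all websites" prompt.
        "all_sites_host_access": matches_all_sites(hosts),
        # A content script on every page can read the full DOM of every page.
        "content_script_on_all_sites": matches_all_sites(script_matches),
        # A background worker/page runs without the user interacting with the extension.
        "background_worker": bool(background.get("service_worker") or background.get("scripts")),
        # The tabs permission (or all-site host access) exposes the URL of every tab.
        "tab_url_access": "tabs" in perms or matches_all_sites(hosts),
        "declared_hosts": sorted(set(hosts) | set(script_matches)),
    }
    broad = findings["all_sites_host_access"] or findings["content_script_on_all_sites"]
    if broad and findings["background_worker"]:
        findings["risk"] = "high"      # every page readable, collected in the background
    elif broad:
        findings["risk"] = "medium"    # every page readable, but only on user action
    else:
        findings["risk"] = "low"       # scoped to the hosts it names
    return findings


# Constructed manifest with the broad profile described in the article.
BROAD_MANIFEST = {
    "manifest_version": 3,
    "name": "example-shopping-helper",
    "permissions": ["storage", "tabs"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
}

# Constructed manifest scoped to named retail hosts, which does not trigger
# the all-websites prompt and cannot read pages on other origins.
NARROW_MANIFEST = {
    "manifest_version": 3,
    "name": "example-shopping-helper-scoped",
    "permissions": ["storage"],
    "host_permissions": ["https://www.amazon.com/*", "https://www.example-retailer.com/*"],
    "content_scripts": [{"matches": ["https://www.amazon.com/*"], "js": ["content.js"]}],
}

if __name__ == "__main__":
    for m in (BROAD_MANIFEST, NARROW_MANIFEST):
        print(m["name"], json.dumps(triage_manifest(m), indent=2))
```

The "declared_hosts" list is the part to read by hand: a shopping assistant that needs page content only on retail sites can name those hosts, and a reviewer can then compare the list against what the privacy policy promises.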

Privacy red flags 

The amount of personal data that was transmitted to the company’s servers is highly unusual and could constitute a major privacy violation, according to cybersecurity experts and legal professionals who spoke to Fortune. 

“The original version collected full page contents, and it was running as a background service. It collected pretty much all web pages for all users, which is a huge security and privacy violation,” Eyal Arazi, head of product strategy at LayerX Security, which replicated Sharma’s findings, said.

According to Phia’s own privacy policy, the company “generally excludes personally identifiable information” and collects limited technical data only from “retail sites.” In a Chrome Store disclosure, the company also stated that users’ data is “not being used or transferred for purposes that are unrelated to the item’s core functionality.”

“Its privacy policy fails to highlight this scraping, and emphasizes ‘fundamental principles’ which seem to be in direct contradiction with the data they were actually collecting,” Alexandre Pauwels, a cybersecurity researcher at the University of Cambridge who also analysed the browser extension, said. “Although Phia seems to have addressed the issue, this does not tell us whether or not they have deleted the data itself.”

Experts noted these practices not only appear to contradict the company’s public assurances about limited data collection but could constitute privacy violations under various regulatory statutes, including the EU’s General Data Protection Regulation (GDPR), which restricts the processing of sensitive personal data without explicit consent, and various U.S. state-level privacy laws. The browser extension is currently not marketed for use outside the U.S., although it can be downloaded and used by customers in Europe. 

“The practices described would likely breach several core principles of the UK and EU GDPR, including transparency, data minimisation, and lawful basis for processing,” Chris Linnell, associate director of Data Privacy at Bridewell, a cyber security company, told Fortune. “Similar principles apply in the United States, though the impact varies by state-level privacy laws.”

Steven Roosa, the head of the U.S. Digital Analytics and Technology Assessment Platform at law firm Norton Rose Fulbright, agreed that various state laws could potentially be implicated in similar kinds of situations. 

“Speaking generally, there are various laws that can be potentially implicated in these situations: One is the general state privacy laws. If [a company] is collecting communications between a user and an endpoint, for example, like a user in their bank, they could potentially expect attention from plaintiffs’ attorneys,” he said.

In a statement, a Phia spokesperson said: “As to Phia’s identification of website traffic, this does not constitute a collected or stored usage of Personally Identifiable Information (PII), as also indicated in Phia’s Privacy Policy. Given our transparency and disclosures across Google Chrome’s Web Store, Phia’s Privacy Policy, and Phia’s cookie consent banner, we maintain our compliance standards within any regulations that protect consumers from unfair or deceptive practices.”

Researchers say despite changes, there are still privacy concerns

Even after the update, several researchers who assessed the extension said the new version still risks exposing sensitive user information. 

“In the newer version, they collect only the page URLs. That said, page URLs can also contain sensitive information. For example, a lot of times they can contain search terms or certain identifiable information. If you have a customer ID or national ID in the URL, for whatever reason, that will be collected,” Arazi said. 

While the Phia browser tool does not collect URL data for certain websites that the company appears to have “whitelisted”—essentially designated as off limits for data collection—researchers at LayerX Security noted this list was dynamic and resulted in some strange behaviors. They found that the extension does not collect Google search data, for example, but does collect Microsoft Bing search results.
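Arazi’s point about URLs and the researchers’ observation about the exclusion list both come down to data minimization: a check for “is this a shopping site?” needs at most the origin, yet a full URL carries search terms, identifiers, and fragments, and an exclusion list fetched at runtime cannot be audited. The following added example (not Phia’s code; the sample URLs, parameter names, and exclusion list are constructed) puts the weak behavior next to the hardened one: a logger that reports the whole URL, a detector for query parameters that typically carry search terms or IDs, and a minimizer that reports only scheme and host, drops everything for excluded hosts and their subdomains, and keeps that exclusion list static in source where a reviewer can read it.

```python
"""URL data minimization for a browser-extension logger.

Added example, not Phia's code. SENSITIVE_PARAMS, EXCLUDED_HOSTS and the
sample URLs are constructed for illustration.
"""
from urllib.parse import urlsplit, parse_qsl

# Query parameter names that commonly carry search terms or identifiers.
# Constructed heuristic list; real deployments tune it to observed traffic.
SENSITIVE_PARAMS = {"q", "query", "search", "s", "id", "customer_id", "user_id",
                    "email", "token", "session", "account", "national_id"}

# Hosts never to report, not even as a bare origin. Static and in source,
# so the list can be reviewed and diffed, unlike one fetched at runtime.
# Search engines are listed because their URLs are mostly search terms.
EXCLUDED_HOSTS = {"www.google.com", "www.bing.com", "mail.example", "bank.example"}


def is_excluded(host: str) -> bool:
    """True for an excluded host or any subdomain of one (login.bank.example)."""
    return any(host == h or host.endswith("." + h) for h in EXCLUDED_HOSTS)


def sensitive_query_params(url: str) -> list:
    """Names of query parameters in the URL that look like search terms or IDs."""
    query = urlsplit(url).query
    names = {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(names & SENSITIVE_PARAMS)


def log_full_url(url: str):
    """Weak behavior: the complete URL, query string and fragment included."""
    return url


def minimized_origin(url: str):
    """Hardened behavior: scheme and host only, never path, query or fragment;
    nothing at all for excluded hosts or non-web schemes (chrome://, file://)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    host = (parts.hostname or "").lower()
    if not host or is_excluded(host):
        return None
    return f"{parts.scheme}://{host}"


def compare(urls):
    """Side-by-side view of what each logging policy would transmit."""
    return [
        {"full": log_full_url(u),
         "sensitive_params": sensitive_query_params(u),
         "minimized": minimized_origin(u)}
        for u in urls
    ]


# Constructed sample of a few tabs a user might have open.
SAMPLE_URLS = [
    "https://www.bing.com/search?q=symptoms+of+a+condition&form=QBLH",
    "https://shop.example/item/123?customer_id=42&color=red#reviews",
    "https://login.bank.example/accounts/987654",
    "chrome://extensions/",
]

if __name__ == "__main__":
    for row in compare(SAMPLE_URLS):
        print(row)
```

Run against the constructed sample, the full-URL logger reports the Bing query and the customer ID, while the minimizer reports only "https://shop.example" and nothing for the search engine, the bank, or the browser-internal page. The difference between those two columns is the data that a shopping-site check never needed.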

“Since users have to log in [to Phia] with their Gmail/Apple email account, this means that Phia has the ability to perfectly reconstruct the users’ browsing history (regardless of the sites being visited) and associate that history with real user identities,” Nick Nikiforakis, the CEO of cyber security startup LinkSentry and an associate professor of computer science at Stony Brook University, said. “From a software engineering point of view, this is unnecessary.”

A spokesperson for Phia said that the company’s “Chrome extension functions like any standard shopping browser extension, logging website URLs in an anonymous, aggregate manner.”

“This momentary check allows us to determine whether a site is a shopping website and to support additional retailers as they are discovered. This data is immediately discarded—it is not collected or stored for future use. Phia does not sell or distribute any user information. All permissions are transparently displayed before downloading from the official app store, and users provide explicit consent in compliance with applicable privacy laws,” they added.

Rapid AI development is creating new security gaps

For Sharma, who has been conducting security research into organizations and startups for years, the issue speaks to a larger trend he’s seen within the current AI startup ecosystem.

“The vulnerabilities I’ve seen in startups over the past year have been alarming. These companies are moving at a pace that’s easily ten times faster than what we once considered a standard software development lifecycle,” he said.

Sharma puts the blame on trends like “vibe-coding”—where developers use natural language prompts to instruct an AI to generate, refine, and debug code, rather than writing it line-by-line—for the rise in security risks. Agentic AI browsers and browser features, such as OpenAI’s Atlas and Perplexity’s Comet, also carry inherent security risks. Some security researchers have even questioned whether these browsers are worth the risk for users, considering the deep access they need to be granted to be helpful. 

“While browser extensions may appear harmless, they are, in fact, extremely potent tools that can have wide-ranging access to personal data—and there’s virtually no oversight of them,” Or Eshed, CEO of LayerX Security, said. “It’s difficult to say for certain whether this data exposure is the result of malice or malpractice, but the end result is the same.”

Update: The story has been updated to include the company’s comment about the Chrome pop-up consent box.

About the Author

Beatrice Nolan is a tech reporter on Fortune’s AI team, covering artificial intelligence and emerging technologies and their impact on work, industry, and culture. She's based in Fortune's London office and holds a bachelor’s degree in English from the University of York. You can reach her securely via Signal at beatricenolan.08
