Market Impact: 0.65

Phia, a popular AI shopping agent founded by Bill Gates’ daughter Phoebe Gates and Sophia Kianni, has been collecting a concerning amount of user data

Tickers: META, AMZN, GOOGL, GOOG, MSFT, AAPL

Topics: Artificial Intelligence, Technology & Innovation, Cybersecurity & Data Privacy, Regulation & Legislation, Legal & Litigation, Private Markets & Venture

AI shopping agent Phia, which recently secured an $8 million seed round led by Kleiner Perkins and backed by high-profile investors, is facing severe scrutiny after cybersecurity researchers discovered that its browser extension was collecting full snapshots of users' web pages, including sensitive financial and personal data, and transmitting them to company servers. Phia has since removed the behaviour but did not disclose it to users. Experts deem the practice a major privacy violation that potentially breaches GDPR and U.S. state privacy laws, and it raises significant reputational and regulatory risks for the rapidly growing startup and its investors, highlighting broader security concerns within the fast-paced AI development landscape.

Analysis

AI shopping agent Phia, which recently secured an $8 million seed round led by Kleiner Perkins and high-profile investors, faces severe scrutiny over its data collection practices. Cybersecurity researchers discovered that a previous version of Phia's browser extension captured full HTML snapshots of every page a user visited, including highly sensitive content such as bank statements and private emails, and transmitted them to the company's servers without explicit consent. This behaviour, traced to a function named "logCompleteHTMLtoGCS", directly contradicts Phia's privacy policy and public assurances, leading experts to categorize it as a major privacy violation. While Phia removed the feature after being alerted, it did not disclose the incident to users or confirm that the collected data had been deleted, raising significant transparency and legal liability concerns under regulations such as GDPR and various U.S. state privacy laws. Even the updated extension, which logs only URLs, still poses privacy risks: URLs can contain sensitive PII, and Phia retains the ability to reconstruct a user's browsing history via user logins. The incident highlights a broader trend of security vulnerabilities in the fast-paced AI startup ecosystem, where rapid development often outpaces robust security measures and regulatory oversight, creating substantial reputational and financial risks for companies and their investors.
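To make the "URL-only logging is still risky" point concrete, here is an added illustration that is not Phia's code: it takes a constructed URL of the kind a banking or webmail site produces, shows which parts carry PII, and reduces it to the minimum a shopping agent plausibly needs before anything leaves the browser. The sensitive-key list and the sample URL are constructed for the example; it assumes only the standard `URL` API available in browsers and Node.js.

```javascript
// Added example (not Phia's code). Demonstrates how much PII a raw URL can carry
// and one way to minimize it before logging. Assumes the standard URL API.

// Query keys that commonly carry identity or session data (constructed, illustrative list).
const SENSITIVE_KEYS = new Set(['email', 'token', 'session', 'auth', 'account', 'user', 'q', 'search']);
const EMAIL_RE = /[^/]+@[^/]+\.[^/]+/;   // a path segment that contains an email address
const TOKEN_RE = /^[A-Za-z0-9_-]{20,}$/;  // long opaque identifiers (tokens, hashes, message ids)
const DIGITS_RE = /^\d{6,}$/;            // long numeric ids (account or order numbers)

// Returns { logged, removed }: `logged` is scheme + hostname + redacted path,
// `removed` lists every component that was dropped so a reviewer can see what
// a raw-URL logger would have exfiltrated. Query string, fragment and embedded
// credentials are never kept; path segments that look like identifiers are masked.
function minimizeUrl(href) {
  const u = new URL(href);
  const removed = [];
  for (const [key] of u.searchParams) {
    removed.push(SENSITIVE_KEYS.has(key.toLowerCase()) ? `query:${key} (sensitive)` : `query:${key}`);
  }
  if (u.hash) removed.push('fragment');
  if (u.username || u.password) removed.push('credentials');
  const path = u.pathname.split('/').map((seg) => {
    if (EMAIL_RE.test(seg) || TOKEN_RE.test(seg) || DIGITS_RE.test(seg)) {
      removed.push(`path:${seg}`);
      return '[redacted]';
    }
    return seg;
  }).join('/');
  // Note: the hostname itself can identify a user (e.g. per-tenant subdomains);
  // a production policy would decide per host whether even that may be logged.
  return { logged: `${u.protocol}//${u.hostname}${path}`, removed };
}

// Constructed sample: a bank statement URL carrying an account number in the path,
// an email address and session id in the query, and a page marker in the fragment.
const SAMPLE = 'https://bank.example/accounts/123456789/statements?email=alice%40example.com&session=s3cr3t&view=pdf#page=2';

function demo() {
  const result = minimizeUrl(SAMPLE);
  console.log('raw URL      :', SAMPLE);
  console.log('logged       :', result.logged);
  console.log('would leak   :', result.removed.join(', '));
  return result;
}

demo();
```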
