Legal

Privacy Policy

Last updated 2026-04-25Questions? [email protected]

On this page

What we collect

  • Account data: email, name, hashed password (or OAuth identity if you sign in with Google), and image URL where supplied by an OAuth provider.
  • Session metadata: session token, IP address, and user-agent string for each authenticated session, used to detect session hijacking and to let you sign out of other devices.
  • Walkthrough content you author: screenshots (full-page and cropped), DOM fingerprints (CSS selectors, ARIA roles, accessible names, surrounding text, page URL and title, viewport dimensions), click coordinates, target URLs, intent descriptions, and tooltip copy.
  • End-viewer telemetry (people who watch published walkthroughs): per-view anonymous viewer ID (UUID), referrer URL, user-agent string, ISO country code derived from IP (the IP itself is not stored), and per-step events (reached / clicked / advanced / abandoned) with timestamps.
  • Billing data: Stripe customer ID, subscription ID, and subscription status. Card numbers and payment methods are held by Stripe and never reach our databases.
  • API tokens: stored as SHA-256 hashes; the plaintext token is shown to you exactly once at creation time.

How we use it

We use your data to deliver the service: render and serve walkthroughs, detect drift in target applications, generate intent and tooltip copy, embed walkthrough text for similarity search, render help-center articles, operate billing, and surface analytics dashboards to you. We do not sell personal data and we have not enabled training-data opt-in with any of our AI subprocessors.

PII handling

When PII redaction is enabled, our enrichment pipeline asks an AI vision model (Anthropic Claude) to identify regions of each screenshot that look like emails, phone numbers, US Social Security numbers, credit-card numbers, API keys, or similar identifiers, and we replace those regions with opaque rectangles before storing the redacted version. The original (un-redacted) screenshot is also retained for healing and re-rendering until you delete the walkthrough.

You should treat the recorder as if everything visible on screen will be retained. Avoid recording flows that expose data you are not authorized to capture or store, and configure target applications with test data when possible.

Data retention

Free and Starter tier accounts: end-viewer step events are retained for 90 days. Team tier accounts: 13 months. Account data and the walkthrough content you author (screenshots, DOM fingerprints, intent and tooltip copy) are retained until you delete the walkthrough or close the account. On account closure we delete or return all personal data within 30 days of receipt of the request, except where law requires longer retention (for example, tax records associated with paid subscriptions).

Subprocessors

We rely on the following third-party providers to operate the service. Each is bound by its own data-processing terms, and we will give at least 30 days' advance notice via our status page before adding a new one.

  • Stripe — payment processing and subscription management.
  • Cloudflare R2 — object storage for screenshots and compiled viewer bundles.
  • Neon — managed Postgres for account data, walkthrough metadata, and analytics events.
  • Upstash — managed Redis for background-job queues and session cache.
  • Anthropic — Claude API for intent and tooltip generation, vision-based element detection, and (when enabled) PII region detection.
  • OpenAI — text-embedding API for walkthrough similarity search.
  • Modal — image-embedding service used by the optional tier-3 anchor healing pipeline.
  • Browserless — headless browser execution used during healing eval runs.
  • Sentry — error and performance telemetry from web, worker, and viewer processes.
  • PostHog — product analytics on the marketing and dashboard pages (enabled only when configured by the operator; never receives walkthrough content).
  • Google — OAuth identity provider, only when you choose "Sign in with Google."
  • Resend — delivery of transactional emails (invitations, account notifications).
  • Railway — hosting for the web application, background worker, and standalone viewer when deployed as a Railway service.

Your rights

If you are based in the EEA, UK, or California, you have rights of access, correction, deletion, portability, and (where applicable) restriction or objection to the processing of your personal data. You can export or delete your account data directly from the Privacy & data section in your dashboard settings. For any request you cannot complete through the dashboard, or to exercise rights as a data subject whose personal data was processed by a third party using Heal Demo, email [email protected] — we will respond within 30 days. Rights requests from end viewers of a walkthrough should be directed to the customer who published it; we will assist that customer as their processor.

Contact

Privacy questions, rights requests, and data-protection enquiries: email [email protected].

GeoIP attribution

This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com. GeoLite2 data is licensed under CC BY-SA 4.0. The GeoLite2 database file ships with the application and is queried locally; no end-viewer IP address is sent to MaxMind.