Privacy Policy
Last updated: April 17, 2026 · Effective: April 17, 2026
Stepr ("we", "us", "our") provides a browser extension and web application that lets users record workflows in their browser (clicks, form input, screenshots, page URLs) and turn those recordings into step-by-step documents. This policy explains what data we collect, how we use it, where it lives, and your rights over it.
Controller: aziviled@gmail.com (sole developer / operator). Contact us at that email for any privacy question or request.
What Stepr collects
Data you actively create
When you press "Start recording" in the Stepr browser extension, Stepr captures the following from the tab you are recording:
- Interactions — the type (click / type / scroll / keyboard shortcut / navigation), the target element's visible text, its role and ARIA label, and CSS / XPath selectors used to locate it on replay.
- Screenshots — a PNG of the visible viewport at the moment of each captured interaction. We do not record video or audio.
- Page URLs and titles — the URLs and titles of the tabs you record.
- Typed text — characters you type inside input fields of the tab you chose to record. We do not read background tabs.
Recording is explicit and user-initiated. Stepr never records until you press "Start recording" and stops when you press "Stop". No data is captured outside of an active recording session.
Account data
To create an account, we store:
- Your email address (from direct sign-up or Google OAuth).
- Your display name (if provided or returned by Google).
- A hashed password (only for email sign-ups — we never store your plain password).
Technical data
When you use the app we log the standard request metadata any web service needs to operate: IP address, user agent, request path, response status, timestamps. These logs are retained for 30 days.
What Stepr does not collect
- We do not read pages or capture input from tabs you are not actively recording.
- We do not track your browsing history across the web.
- We do not capture passwords or payment card details during recording (password fields are masked by browsers and are logged as "[redacted]").
- We do not sell, rent, or trade your data to any third party.
- We do not use your data to train machine-learning models without explicit, separately-collected consent.
Where the data goes
Captured recordings, screenshots, and account data are transmitted over HTTPS to our backend at https://api.stepr.kz and stored in:
- PostgreSQL (Yandex Cloud Kazakhstan Managed PostgreSQL) for workflows, accounts, and team membership.
- Object Storage (Yandex Cloud Kazakhstan Object Storage, S3-compatible, in a private bucket with scoped keys) for screenshots.
- Redis (Yandex Cloud Kazakhstan Managed Redis) for ephemeral session state and queueing.
All data is hosted within the Republic of Kazakhstan and governed by Kazakh law. We do not transfer personal data outside the hosting region.
Third-party processors
- Google — if you choose to sign in with Google, Google supplies us with your email, display name, and profile picture URL via OAuth. Google's privacy policy applies to that flow.
- Let's Encrypt — issues the TLS certificate that secures traffic to our domains. They see only the fact that we requested certificates for stepr.kz.
- Yandex Cloud Kazakhstan — hosts our servers and databases under a standard cloud services agreement.
Sharing & visibility
Workflows are private to their owner by default. You may explicitly make a workflow:
- Visible to specific people (by email invite),
- Visible to a team you created,
- Visible to anyone with the link.
These visibility changes are under your control. We do not re-share your workflows beyond the scopes you set.
Retention & deletion
- Workflows and screenshots — kept as long as your account exists. Deleting a workflow removes its screenshots from Object Storage within 24 hours.
- Account — you can delete your account at any time from the dashboard settings; this removes your workflows, screenshots, team memberships, and profile data.
- Logs — 30 days, rolling.
To request data export or immediate deletion outside the in-app flow, email aziviled@gmail.com.
Browser permissions — why the extension asks for them
The Stepr extension requests these Chrome permissions. Each is used only for the feature noted, and none are used for tracking or advertising.
| Permission | What it's used for |
|---|---|
| activeTab, tabs, scripting | Inject the recording script into the tab you explicitly choose to record. |
| <all_urls> | Record workflows on any website you choose. We only act on a tab when you start a recording in it. |
| storage | Remember your login token and preferences locally in the browser. |
| sidePanel | Render Stepr's controls in Chrome's side panel. |
| offscreen | Capture microphone input for optional voice-annotated steps, when you opt in. |
| webNavigation | Detect page transitions inside a recording so the captured steps reflect navigation accurately. |
| notifications | Notify you when a long-running recording upload finishes. |
| identity | Complete the Google Sign-In OAuth flow when you choose that login option. |
| alarms | Refresh your login token before it expires so you don't have to sign in repeatedly. |
Your rights
Regardless of jurisdiction you can:
- Access a copy of your data via dashboard export.
- Correct data via your profile page.
- Delete your account and associated data via dashboard settings or by emailing us.
- Ask us what data we hold about you.
Residents of the EU / UK have GDPR rights (access, rectification, erasure, restriction, portability, objection); residents of Kazakhstan have rights under the Law "On Personal Data and their Protection". Contact aziviled@gmail.com to exercise any of these.
Security
- All traffic uses TLS 1.2+.
- Passwords are hashed with bcrypt before storage.
- OAuth tokens are issued and verified server-side.
- Object Storage access uses scoped static credentials issued to a dedicated service account with read/write only to the Stepr bucket.
No service can guarantee perfect security, but we treat credentials and screenshots with the same care we'd want for our own accounts.
Changes to this policy
If we materially change this policy we will update the "Last updated" date above and, for account holders, post a notice in the app before the change takes effect.
Contact
Email: aziviled@gmail.com
Operator: Stepr (sole developer, Republic of Kazakhstan)