Last updated: March 2, 2026
Version 3.0 — Version history available at the end of this document.
Stepyo is an automatic documentation tool that captures your interactions with websites to create visual step-by-step guides. We take your privacy seriously and want you to understand exactly what data we collect, how we use it, and your rights regarding that data.
This policy applies to the use of the Stepyo browser extension and the web platform at app.stepyo.com.br.
This Privacy Policy applies to all users who access or use Stepyo services, including:
Regardless of your geographic location, we process all data in accordance with Brazil's General Data Protection Law (LGPD - Law 13,709/2018) and, where applicable, the European Union's General Data Protection Regulation (GDPR).
For the purposes of this Policy, the following terms have the meanings described below, in accordance with the LGPD (Art. 5):
Personal Data: Information relating to an identified or identifiable natural person.
Data Subject: The natural person to whom the personal data relates (you, our user).
Controller: The person responsible for decisions regarding the processing of personal data. In this policy, Stepyo.
Processor: The person who processes personal data on behalf of the controller.
Data Protection Officer (DPO): The person designated by the controller to act as a communication channel between the controller, data subjects, and the ANPD.
Processing: Any operation performed with personal data, such as collection, storage, use, sharing, or deletion.
ANPD: Brazil's National Data Protection Authority, responsible for overseeing compliance with the LGPD.
Consent: A free, informed, and unambiguous expression by which the data subject agrees to the processing of their data.
Legal Name: Stepyo Tecnologia LTDA
CNPJ: 49.391.867/0001-04
Address: São Paulo, SP - Brazil
Email: [email protected]
Stepyo acts as Controller when processing account data (registration, authentication, preferences) and platform usage data. When a user creates guides containing data from their organization or third parties, Stepyo acts as a Processor, processing data according to the user's instructions (the user being the Controller of the guide content).
To exercise your rights or clarify questions about the processing of personal data, please contact our Data Protection Officer:
Name: Paulo Henrique Reis
Email: [email protected]
Response time: Up to 15 days, as required by the LGPD (Art. 18, § 5)
When you use the Stepyo extension to record a process, we collect:
When you sign up for Stepyo, we collect:
When you use our services, we automatically collect:
In accordance with Brazil's General Data Protection Law (Law 13,709/2018) and the EU General Data Protection Regulation (GDPR), we rely on the following legal bases for processing your data:
To provide the contracted services: guide creation, screenshot and audio storage, AI processing, and platform features.
For sending marketing communications, newsletters, and optional notifications. For microphone audio recording (explicit browser consent). You may revoke consent at any time.
For aggregated usage analysis, service improvement, fraud prevention, and platform security.
To comply with applicable legal, tax, and regulatory requirements.
We use artificial intelligence models to enhance your guides:
No data sent for AI processing is used to train third-party models. Our contracts with OpenAI and Anthropic ensure that data submitted via API is not used for training purposes.
Your data is securely stored on Supabase (infrastructure hosted on AWS). Screenshots and audio recordings are stored in an optimized format and associated with your account. All data is encrypted in transit (TLS/SSL) and at rest (AES-256).
Stepyo uses automated processing with artificial intelligence to:
None of these automated decisions produce legal effects or significantly affect your interests. All AI-generated descriptions can be edited or removed by you at any time.
Under LGPD Art. 20 and GDPR Art. 22, you have the right to request a review of decisions made solely on the basis of automated processing. To do so, please contact our Data Protection Officer at [email protected].
Some of our service providers are located outside of Brazil. We ensure that these transfers occur with adequate protection, in compliance with the LGPD (Art. 33), ANPD Resolution CD/ANPD No. 19/2024, and GDPR Chapter V:
AI processing for description generation. Data processed temporarily and not stored.
AI processing for context analysis and intelligent recovery. Data processed temporarily and not stored.
Secure storage of data, screenshots, and audio recordings. Infrastructure with SOC 2 and ISO 27001 certifications.
Google OAuth authentication (when the user chooses to sign in with Google). Only public profile data (name, email, photo).
Safeguards: We use Standard Contractual Clauses (SCCs) approved by the ANPD and verify that our providers maintain adequate levels of data protection as required by the LGPD (Art. 33), ANPD Resolution CD/ANPD No. 19/2024, and GDPR Art. 46.
As required by the LGPD (Art. 5, VII), we list below all processors (sub-processors) that process personal data on our behalf:
| Provider | Purpose | Location | Data Processed |
|---|---|---|---|
| Supabase (AWS) | Database, authentication, and storage | USA | Account data, guides, screenshots, audio |
| Vercel | Web application hosting | USA | Access logs, IP, user-agent |
| OpenAI | AI description generation (GPT-4o-mini) | USA | Screenshots (temporary processing, no retention) |
| Anthropic | Context analysis and intelligent recovery | USA | Guide context (temporary processing, no retention) |
| Groq | Audio transcription (Whisper) | USA | Audio recordings (temporary processing, no retention) |
| Stripe | Payment processing | USA | Payment data (PCI DSS compliant) |
| Doppler | Secrets and environment variables management | USA | API keys and configurations (no user data) |
| Google | OAuth 2.0 authentication | USA | Name, email, profile picture (when signing in via Google) |
All sub-processors have contracts that ensure an adequate level of data protection. This list is updated whenever a new sub-processor is added. Last updated: February 21, 2026.
We do NOT sell your data to third parties. We share data only in the following circumstances:
The use of information received from Google APIs complies with the Chrome Web Store Limited Use Policy, including the limited use requirements.
Under Brazil's LGPD and the EU's GDPR, you have the following rights:
View what data we hold about you through your dashboard or by requesting it from the DPO
Edit or update your personal information
Request that unnecessary, excessive, or non-compliant data be anonymized, blocked, or deleted
Export your guides in standard formats (JSON, Markdown, PDF)
Request the deletion of personal data processed based on your consent
Know which public and private entities your data has been shared with
Be informed about the possibility of not providing consent and the consequences of such refusal
Revoke permissions at any time, free of charge and with ease
Object to processing carried out on the basis of legitimate interest, in case of non-compliance with applicable law
Request a review of decisions made solely on the basis of automated data processing
How to exercise your rights: Send an email to [email protected] or use the features available in your account settings panel. We will respond within 15 days, as required by the LGPD (Art. 18, § 5).
Warning: Account deletion is permanent and irreversible. All your guides, screenshots, audio recordings, and personal data will be deleted from our servers according to the timelines described in the Data Retention section.
We use cookies and similar technologies to improve your experience. Below we detail each category:
Indispensable for the operation of the website. Include authentication and session cookies. These cannot be disabled.
Examples: sb-access-token, sb-refresh-token (Supabase Auth), next-auth.session-token (NextAuth)
Remember your preferences such as theme (light/dark), language, and interface settings.
Examples: theme, sidebar-collapsed
Collect aggregated and anonymous data about service usage for improvements. They do not personally identify you.
Examples: session_id (internal analytics)
We currently do not use any third-party marketing or advertising cookies.
The browser extension uses the Chrome Storage API to store locally:
This data is stored only on your device and can be cleared at any time through the extension settings or by removing the extension from your browser.
Management: You can disable non-essential cookies in your browser settings. Note that this may affect some service features.
We implement technical and organizational measures to protect your data:
In the event of a security incident that may pose a risk or relevant harm to data subjects, Stepyo commits to:
We retain your data while your account is active and for the period necessary to fulfill the purposes described in this policy.
Stepyo is intended for users aged 18 and older. We do not intentionally collect data from minors. If you believe we have collected data from a minor, please contact us immediately at [email protected].
If we identify data belonging to individuals under 18 in our system, we will proceed with immediate deletion, as required by the LGPD (Art. 14).
Stepyo offers an SDK (Software Development Kit) that allows our enterprise customers to embed interactive tutorials and an AI assistant into their own websites and applications. In this context, the data processing roles are as follows:
When the SDK is used: the Stepyo customer (SaaS company) acts as the Controller of their own end-users' data. Stepyo acts as a Processor, processing data exclusively according to the customer's instructions and for the purpose of providing the contracted services.
Messages sent to the assistant chat are processed by the OpenAI API (gpt-4o-mini model) to generate responses. Under our contract with OpenAI, data submitted via API is not used to train models. Messages are automatically sanitized before storage -- patterns such as CPF, CNPJ, phone numbers, credit cards, and email addresses are redacted.
Data collected via SDK (events, conversations, messages) is retained for a maximum of 90 days, after which it is automatically deleted. The customer may request early deletion of a specific end-user's data at any time through the administrative dashboard or via API.
End-users who wish to exercise their rights of access, rectification, or deletion must contact the customer (the company whose website uses the Stepyo SDK), which is the Controller of the data. The customer can then use Stepyo's administrative tools to fulfill the request.
The Stepyo extension is published on the Chrome Web Store and fully complies with Google's developer program policies:
Data collected by the extension is used exclusively to provide and improve the automatic documentation functionality. We do not use extension data for advertising, sale to third parties, or any purpose unrelated to the tool's purpose.
We only request permissions strictly necessary for the extension to function. Each permission has a documented justification available on the Chrome Web Store.
All data is transmitted via HTTPS and stored with encryption. We do not use remote code. The extension follows the security practices required by Manifest V3.
We may update this policy periodically. Significant changes will be notified by email or through an in-platform notice at least 30 days in advance.
Continued use of the service after changes constitutes acceptance of the new policy. We recommend reviewing this page periodically.
For questions about privacy, to exercise your rights, or to report concerns:
We will respond to your request within 15 days, as required by the LGPD (Art. 18, § 5).
Supervisory Authorities: If you are not satisfied with our response, you may file a complaint with Brazil's National Data Protection Authority (ANPD) at www.gov.br/anpd. If you are located in the EU/EEA, you may also contact your local data protection supervisory authority.
You are responsible for the content you record. Do not capture confidential information, passwords, payment data, or third-party information without express permission. Screenshots and recordings may inadvertently contain personal data of third parties visible on screen -- ensure you have authorization before sharing guides that contain such information. Stepyo is not liable for improper use of the tool.