Privacy Policy

Last updated: May 23, 2026

This Privacy Policy explains how Demify (“Demify”, “we”, “us”) collects, uses, stores, and shares information when you use the Demify web application at app.demify.io and the Demify RecorderChrome extension (together, the “Services”).

1. Who we are

Demify is a SaaS product that helps teams record, edit, and share interactive product demos. You can contact us about privacy at privacy@demify.io.

2. What the Demify Recorder extension does

When you click Start recording in the extension popup, the extension:

• Captures screenshots of the currently active tab on each user interaction (click, input completion, scroll stop, or page navigation).
• If you accept the in-page microphone consent prompt, records audio from your microphone for the duration of the recording so your narration can be transcribed and aligned with the steps.
• Captures lightweight context for each step (click coordinates, CSS selector of the clicked element, visible text of the element, page title, current URL, and the value of any input field whose value is non-empty at blur).
• Streams those steps to your Demify workspace over HTTPS, where they are stored and made available in the editor at app.demify.io.

The extension does not capture: passwords typed in <input type="password"> fields, content from tabs you did not start recording, your browsing history outside the recorded tab, or data from other Chrome extensions.

3. Data we collect

3.1 Account data

Email address, password (hashed and handled by our authentication provider, Supabase), display name, organization name, and your role within an organization.

3.2 Recording content

Screenshots and the per-step metadata described above. If microphone narration is enabled, the recorded audio is sent to our backend solely to be transcribed (see §3.3); we keep the resulting text, not the audio file. Recordings are scoped to the organization you belong to — other organizations cannot access them.

3.3 Voice narration

When microphone narration is enabled, the audio is uploaded over HTTPS and transcribed using OpenAI's speech-to-text service. We store only the resulting transcript text and word timestamps, which are used to generate accurate step descriptions and chatbot context. The raw audio file is not persisted after transcription.

3.4 Usage and diagnostic data

Basic logs (timestamps, IP address, error messages) used to keep the Services running and debug incidents. We do not use third-party advertising trackers in the extension or the editor.

3.5 Billing data

If you subscribe to a paid plan, billing is processed by our payment provider (Hyperline). We store an internal customer reference and the plan you are on; full card details never reach Demify servers.

4. How we use your data

• Provide the Services (authentication, recording, editing, sharing).
• Generate transcripts, narration text, and AI-assisted step descriptions from the audio and screenshots you record. Audio and images are sent to AI sub-processors for that purpose (see §7).
• Send transactional emails (account, billing, recording ready).
• Improve product quality and fix bugs.

We do not sell your data. We do not use the contents of your recordings to train shared models.

5. Legal bases (GDPR)

• Contract: providing the Services you subscribed to.
• Consent: microphone access — you can decline the in-page prompt and recordings will continue without audio. You can also revoke microphone permission from Chrome at any time.
• Legitimate interest: security logging, fraud prevention, product improvement.

6. Permissions requested by the extension

• storage — store your session token and the state of the in-progress recording locally.
• activeTab + scripting — capture screenshots and inject the recording listeners into the tab you explicitly choose to record.
• offscreen — host the microphone capture in a background document, so audio survives cross-origin navigations inside the recorded session.
• Host permissions for app.demify.io, demify-beta.vercel.app (staging), and our Supabase backend — needed to upload steps and refresh authentication.

7. Sub-processors

We share data with the following sub-processors:

• Supabase — authentication, database, and file storage for recordings.
• Vercel — hosting of the Demify web application.
• OpenAI, Anthropic, and Mistral — audio transcription, narration generation, and step/chatbot description from your recordings.
• Resend — delivery of transactional emails.
• Hyperline — subscription billing and payment processing.

8. Retention

• Account data: kept while your account is active, deleted within 30 days after account closure.
• Recordings (screenshots, transcripts, metadata): kept until you delete them or close your account.
• Raw narration audio: discarded immediately after transcription.
• Diagnostic logs: 90 days maximum.

9. Your rights

You can access, export, correct, or delete your data at any time from the workspace settings or by emailing privacy@demify.io. If you are in the EU/EEA, you can also lodge a complaint with your local data protection authority.

10. Security

All traffic between the extension, your browser, and our servers runs over HTTPS. Authentication uses short-lived JWTs with refresh tokens stored in the extension's local storage. We follow standard practices to limit access to production data inside the company.

11. Children

The Services are not directed to children under 16 and we do not knowingly collect their personal data.

12. Changes to this policy

We may update this policy from time to time. Material changes will be announced by email or in-app notice before they take effect.

13. Contact

Questions, data requests, or security reports: privacy@demify.io.