Causabi and Causabi Capturer Privacy Policy
Effective Date: April 25, 2025
Last Updated: April 25, 2025
1. Scope
Your privacy is important to us. This policy describes how Causabi, Inc. (hereinafter "we", "us", or "our") collects, uses, discloses, and protects your personal information when you use:
- Our web application Causabi, available at https://demo.causabi.com (and its local/development versions, hereinafter "Web Application" or "Service").
- Our Chrome browser extension Causabi Capturer (hereinafter "Extension").
- All related services, APIs, and documentation.
This Privacy Policy applies to all interactions with the Service and the Extension. By using them, you agree to the terms of this policy.
2. Information We Collect
We collect information to provide and improve our services. The types of information collected depend on how you interact with our products.
2.1. Information Collected by the Causabi Web Application:
- Account Information (via PropelAuth):
When you register or log in through our authentication provider, PropelAuth, we gain access to the information you provide to PropelAuth, such as your name, email address, and a unique user identifier. We do not store your passwords; PropelAuth manages the authentication process. Your use of PropelAuth is also governed by their PropelAuth Privacy Policy.
This information is stored in our database (Neon DB, with servers located in the USA) to manage your account.
- Demonstration Data (Demos):
Information you create within the Web Application, including Demo names, configurations, variables, uploaded data (e.g., CSV for find and replace, if applicable), and recording metadata.
This data is stored in our database (Neon DB in the USA).
- Usage Data (via PostHog):
We use PostHog to analyze how users interact with the Web Application (not with the Extension during recording on third-party sites). This helps us improve the Service.
Collected data may include: pages visited within the Web Application, features used, clicks on interface elements, session duration, browser and operating system type, IP address (we may configure PostHog to anonymize it), unique user identifiers (linked to your account).
The use of PostHog is governed by their PostHog Privacy Policy.
- Payment Information (via Stripe):
If you subscribe to a paid plan, our third-party payment processor, Stripe, will collect and process your payment information (e.g., credit card details) to handle payments. We do not store your full credit card details on our servers. Your use of Stripe is governed by the Stripe Privacy Policy.
- Server Logs:
Our backend servers (hosted on Hetzner in Germany) automatically record standard log information, such as your IP address, browser type, access times, and actions related to our API when interacting with the Web Application or the Extension.
2.2. Information Collected by the Causabi Capturer Extension (Only upon Your Initiative):
The Extension collects data only when you actively initiate a recording ("Capture Step" or "Start Recording") on a webpage.
- Authentication Token:
When you are logged into the Web Application, it passes an authentication token (provided by PropelAuth) to the Extension.
The token is stored locally in your browser's secure storage (chrome.storage.local) and is used to authorize requests from the Extension to our API (hosted on Hetzner in Germany). It is deleted when you log out via the Extension or uninstall the Extension.
- Selected Demo Information:
The ID and name of the Demo you select in the Extension's interface to save the recording to.
This information is also stored locally (chrome.storage.local) and is deleted upon logout, changing the selection, or uninstalling the Extension.
- Interaction and Page Structure Data (rrweb events):
During active recording, the Extension collects data using the rrweb library:
- DOM (Document Object Model) structure and changes of the webpage, including visible text, excluding masked input fields (maskAllInputs: true).
- Mouse movements, clicks, scrolling, window resizing on the recorded page.
- The URL (Base URI) of the page.
This "raw" recording data is transmitted to our backend (API on Hetzner, Germany) and stored in Cloudflare R2 object storage.
- Click Data (rrweb Custom Events):
During Session Recording, when you click on interactive elements, we additionally collect and send as part of the rrweb events:
- The CSS selector of the element.
- The timestamp of the click.
- The cleaned text content or value of the element.
- The HTML tag and certain attributes of the element (id, name, role, aria-label, data-*, placeholder, title, alt, href, type).
This data is also stored in Cloudflare R2 as part of the session recording.
- "Step Capture" Data:
A DOM snapshot and the CSS selector of the element clicked last before activating the function.
This data is transmitted to our backend and stored in Cloudflare R2.
3. How We Use Information
- Providing and Maintaining the Service: To operate the Web Application and Extension, authenticate users, process and store recordings, display Demos, and process payments.
- Improving and Personalizing: To analyze Service usage (via PostHog), identify issues, develop new features, and personalize your experience.
- Customer Support: To respond to your inquiries and resolve problems.
- Communicating with You: To send service notifications (e.g., about changes to the Service or Policy), and marketing communications (if you have consented, with the option to unsubscribe).
- Security: To protect our systems, prevent fraud, and ensure compliance with our terms.
- Legal Compliance: To fulfill legal obligations.
4. Legal Bases for Processing (for EEA/UK Users)
We process your personal information on the following legal bases:
- Performance of a Contract: Processing is necessary to provide the Service and Extension to you according to our Terms of Service, including processing payments.
- Consent: In some cases (e.g., for marketing emails or non-essential cookies/analytics), we will ask for your consent. You can withdraw your consent at any time. Activating a recording in the Extension is also considered your consent for data collection for that specific recording.
- Legitimate Interests: We process some information for our legitimate interests (e.g., improving the Service, security, usage analysis), provided these interests are not overridden by your rights and freedoms.
- Legal Obligations: Processing is necessary to comply with our legal obligations.
5. Data Sharing and Third-Party Services
We do not sell your personal information. We may share your information with third parties only in the following circumstances:
- Service Providers (Subprocessors): We use third-party companies to provide various aspects of our Service. These include:
- PropelAuth: For user authentication (located in the USA). (Privacy Policy)
- Neon: For hosting our primary database (servers in the USA). (Neon Terms of Service)
- Cloudflare R2: For storing raw recording data (global network). (Cloudflare Privacy Policy)
- Hetzner Online GmbH: For hosting our backend/API servers (in Germany). (Hetzner Privacy Policy)
- PostHog: For Web Application usage analytics (may process data in the USA). (PostHog Privacy Policy)
- Stripe: For payment processing (global company, processes data in the USA and other countries). (Stripe Privacy Policy)
- [Others, if any: Email providers, etc.]
- Legal Compliance: We may disclose your information if required by law or in response to valid requests by public authorities (e.g., a court or government agency).
- Protection of Rights: We may disclose information when we believe it necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a government request.
- Business Transfers: If we are involved in a merger, acquisition, or asset sale, your information may be transferred.
6. Data Retention Periods
We retain your personal information only for as long as necessary for the purposes set out in this Privacy Policy, or as required by law.
- Account Information (Neon DB): Retained as long as your account is active. Upon account deletion, we may retain some information for a reasonable period (e.g., 90 days) to comply with legal obligations, resolve disputes, prevent fraud, and for backup purposes. After this period, data is anonymized or deleted.
- Raw Recording Data (Cloudflare R2): Retained until you delete the corresponding Demo or individual step/session recording via the Web Application interface. Deleted data may persist in our backups for up to 30 days after removal from the active system.
- Usage Data (PostHog): Retained for 1 month, after which it is anonymized or deleted.
- Server Logs (Hetzner): Typically retained for 14 days for security and debugging purposes, then deleted or anonymized.
- Local Extension Data (Token, Demo Selection): Retained until logout, Extension uninstallation, or browser storage clearing by the user.
7. Data Security
We take reasonable technical and organizational measures to protect your personal information from loss, theft, unauthorized access, disclosure, alteration, and destruction. This includes data encryption in transit (HTTPS), access controls for databases and servers, and regular software updates. However, no security system is impenetrable, and we cannot guarantee the absolute security of your information.
8. International Data Transfers
Your information, including personal data, may be transferred to — and maintained on — computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those in your jurisdiction. Specifically:
- Our backend/API servers are located in Germany (Hetzner).
- Our database is hosted in the USA (Neon).
- Recording data storage uses the global network of Cloudflare R2.
- Third-party service providers like PropelAuth, PostHog, and Stripe are based in and/or process data in the USA and other countries.
If you are located outside Germany or the USA, please note that we transfer data, including personal data, to these and other countries for processing. Your consent to this Privacy Policy followed by your submission of such information represents your agreement to that transfer. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and appropriate data transfer mechanisms (e.g., EU Standard Contractual Clauses, Data Privacy Framework, where applicable).
9. Your Data Protection Rights
Depending on your location, you may have the following rights regarding your personal information:
- Right to Access: Request a copy of the information we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete information.
- Right to Erasure ("Right to be Forgotten"): Request deletion of your information under certain conditions.
- Right to Restrict Processing: Request restriction of the use of your information under certain conditions.
- Right to Data Portability: Request transfer of your information to you or a third party in a structured, machine-readable format under certain conditions.
- Right to Object: Object to the processing of your information based on our legitimate interests.
- Right to Withdraw Consent: If processing is based on consent, you can withdraw it at any time.
- Right to Lodge a Complaint: File a complaint with a data protection supervisory authority.
You can manage your account information and privacy settings through the Web Application. To exercise other rights, please contact us using the details below. We may ask you to verify your identity before processing your request.
10. Children's Privacy
Our Service and Extension are not intended for individuals under the age of 13 (or 16 in the EEA/UK). We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information without parental consent, please contact us.
11. Cookies and Tracking Technologies
The Web Application uses cookies and similar technologies (e.g., Local Storage) for:
- Authentication (managed by PropelAuth).
- Storing user settings and preferences.
- Payment processing (managed by Stripe).
- Usage analytics (via PostHog). PostHog may set its own cookies for tracking sessions and users.
You can manage cookie settings through your browser. Note that disabling necessary cookies may affect the functionality of the Web Application. The Extension uses chrome.storage.local, not traditional cookies.
12. Changes to This Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. For significant changes, we may provide a more prominent notice (e.g., via email or an in-Service notification). You are advised to review this Privacy Policy periodically for any changes.
13. Contact Us
If you have any questions about this Privacy Policy, please contact us:
Causabi, Inc.
founder@causabi.com