Privacy Policy

Last updated: 9 March 2026

Stepify ("we", "our", "us") is a product of Landing Pad Digital Co., Ltd., a company registered in Thailand (BOI-approved). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Stepify platform at stepify.it.

By using Stepify, you agree to the data practices described in this policy. If you do not agree, please do not use the service.

Data Controller
Data We Collect
Platform Connection and Remote Browser
Session Cookie Storage and Encryption
Tutorial Generation and Your Data
Screenshot Processing and Automatic PII Redaction
Tutorial Generation Pipeline
AI Processing (Third-Party)
How We Use Your Data
Data Sharing and Third Parties
Data Retention
Data Security
Your Rights
International Data Transfers
Thai PDPA Compliance
Children's Privacy
Changes to This Policy
Contact Us

1. Data Controller

The data controller responsible for your personal data is:

Landing Pad Digital Co., Ltd.
Chiang Mai, Thailand
Email: hello@stepify.it
Website: https://stepify.it

2. Data We Collect

2.1 Account Information

When you create a Stepify account, we collect:

Your name and email address
Password (stored as a one-way hash — we cannot read your password)
Account preferences and settings

2.2 Payment Information

Payment processing is handled by Stripe, Inc. We do not store your credit card number, CVV, or full card details on our servers. Stripe acts as the data processor for payment information. Please refer to Stripe's Privacy Policy for details.

2.3 Usage Data

We collect information about how you use Stepify, including pages visited, tutorials created, features used, timestamps, and device/browser information. This data is collected through Matomo Analytics, which is self-hosted on our own servers. No usage data is sent to third-party analytics providers.

2.4 Platform Connection Data

When you connect a third-party platform to Stepify, we store encrypted session cookies from that platform. This is described in detail in Section 3 and Section 4.

3. Platform Connection and Remote Browser

This section describes how Stepify's "Connect a Platform" feature works. Please read this carefully, as it involves the processing of your login credentials on our server.

3.1 How It Works

When you connect a third-party platform (such as HubSpot, Asana, or any web application), Stepify launches a secure, isolated browser session on our server. This browser is streamed to your screen in real time, allowing you to log in to the platform as you normally would.

During this process:

A browser runs on Stepify's server (not on your device)
The browser display is streamed to your screen as a series of images over an encrypted WebSocket connection (WSS)
Your mouse clicks and keyboard input are relayed from your device to the server browser
You log in to the third-party platform through this remote browser
Once login is detected, Stepify captures the resulting session cookies

3.2 What We Do NOT Store

Your passwords or login credentials: Your keystrokes are relayed to the remote browser in real time and are not logged, recorded, or stored at any point. Once the browser session ends, keystroke data is permanently gone.
Screen recordings: The visual frames streamed to your screen are transient. They exist only in memory during the session and are not saved, recorded, or archived.
Keystroke logs: We do not log or store any record of the keys you press during a remote browser session.

3.3 What We DO Store

Session cookies only: After you successfully log in, we capture and store the session cookies issued by the third-party platform. These cookies allow Stepify to access the platform on your behalf for tutorial generation. Cookies are encrypted before storage (see Section 4).
Connection metadata: The platform URL, a display name, connection type, and timestamps (when connected, last used, expiry date).

3.4 Session Isolation and Destruction

Each remote browser session runs in a completely isolated environment. When the session ends (either after successful login or after the timeout), the entire browser context is destroyed. No browsing history, cache, local storage, or temporary files persist beyond the session.

3.5 Concurrent Session Limits

Our server supports a limited number of concurrent remote browser sessions. If all sessions are in use, you may be asked to wait briefly. This is a capacity constraint, not a data concern.

4.1 Encryption Method

All session cookies captured during platform connection are encrypted using AES-256-GCM (Advanced Encryption Standard, 256-bit key, Galois/Counter Mode) before being stored in our database. This is the same encryption standard used by financial institutions and government systems.

4.2 Key Derivation

Each user-platform pair has a unique encryption key derived from a server-side master key. The master key is stored only as an environment variable on the server and never appears in code, databases, or logs. If the database were compromised, encrypted cookies would be unreadable without the master key.

4.3 Expiry

Encrypted session cookies expire automatically after 30 days from the date of connection. After expiry, you will need to reconnect the platform. You can also manually revoke a connection at any time from the Platforms page.

4.4 What Happens on Deletion

When you remove a platform connection or delete your account, the encrypted cookie data is permanently deleted from our database. There is no recovery period or soft delete for encrypted authentication data.

5. Tutorial Generation and Your Data

5.1 Content Generated on Your Platform

When Stepify generates a tutorial on a platform you have connected, it navigates the platform using your session cookies. This means the tutorial will reflect your instance of the platform, including your data, your settings, and your interface.

Tutorials generated on your connected platforms may contain screenshots that include your business data, customer names, email addresses, financial figures, or other sensitive information visible on screen.

5.2 PII Redaction

Stepify includes an automated PII (Personally Identifiable Information) redaction system that attempts to blur or obscure sensitive data such as email addresses, phone numbers, and names that appear in screenshots. However, this system is not guaranteed to catch all sensitive information. You are responsible for reviewing generated tutorials before sharing them publicly.

5.3 Tutorial Visibility

By default, tutorials you generate are private to your account. You control whether to publish, share, or keep them private. Tutorials made public via a share link or published to the Stepify showcase are accessible to anyone with the link or who visits the showcase.

5.4 Tutorial Storage

Tutorial assets (screenshots, videos, metadata) are stored on our servers. You can delete your tutorials at any time. When deleted, all associated files (screenshots, video, captions) are permanently removed.

5b. Screenshot Processing and Automatic PII Redaction

When you generate a tutorial, Stepify's capture system takes screenshots of the platform you are documenting. These screenshots may incidentally capture personally identifiable information (PII) belonging to third parties visible on screen — for example, customer names, email addresses, or phone numbers in a contact list or CRM record.

What We Do With This Data

Stepify applies automatic PII redaction to every screenshot before it is stored or processed. This happens in two stages:

We analyse the page structure to detect fields and elements that are known to contain personal data (email fields, phone fields, contact record tables).
We use an AI model (Anthropic Claude) to detect any additional personal data visible as rendered text on screen.

Detected regions are blurred using image processing software before the screenshot is saved. The unredacted screenshot exists only in working memory during this process and is immediately discarded. It is never stored to disk or transmitted to any external service.

What This Means for You

Screenshots stored in your tutorials will have personal data of third parties automatically blurred.
Your own account information (your name, your username) visible on screen is not redacted — this is expected content in tutorials you generate for your own use.
We maintain an audit log of redaction operations (number of regions blurred per screenshot, type of data detected) for compliance purposes. This log does not contain the actual PII — only the fact that redaction was applied.

Limitations

Automatic redaction is highly accurate but not perfect. If you notice personal data that has not been redacted in a tutorial you have generated, please contact hello@stepify.it immediately. We will manually redact the affected screenshots and update the tutorial within 24 hours.

Do not publish or share tutorials that you believe may contain unredacted personal data of third parties until you have verified the screenshots.

5c. Tutorial Generation Pipeline

When you submit a tutorial generation request, your request is processed through the following pipeline:

Job queuing — Your request (goal text, platform URL, your user ID) is added to a secure job queue stored in our infrastructure. Queue data is encrypted at rest.
Platform authentication — Your stored platform session cookies (encrypted at rest using AES-256-GCM) are decrypted temporarily in working memory to verify your platform session is active. Decrypted cookies are never logged or written to disk.
Tutorial planning — Your goal text is sent to Anthropic's Claude API to plan the steps required to complete the goal. We do not send any personal data about you to Anthropic — only the goal text and platform name you provided.
Screenshot capture and redaction — Screenshots are captured from the platform and automatically redacted as described above before storage or further processing.
Step analysis — Redacted screenshots are sent to Anthropic's Claude API for analysis of UI elements and actions captured. No personal data is present in these screenshots at this point.
Content generation — Step descriptions and tutorial content are generated by Anthropic's Claude API using the analysis output. No personal data is sent in this stage.
Quality review — The completed tutorial is scored by an AI quality review process before being made available to you.
Storage — Redacted screenshots are stored in Amazon Web Services S3 (Singapore region). Tutorial content and metadata are stored in our PostgreSQL database hosted on our VPS server in Jakarta, Indonesia.

Real-Time Progress Updates

While your tutorial is generating, progress events are streamed to your browser via Server-Sent Events (SSE). These events contain only status messages (e.g. "Capturing step 3 of 8") and percentage progress. No personal data or screenshot content is included in SSE events.

If you navigate away from the page while generation is in progress, your tutorial will continue generating. You will receive an email notification when it is complete.

6. AI Processing (Third-Party)

6.1 How AI is Used

Stepify uses Anthropic's Claude AI to:

Analyse screenshots and determine the next navigation action during tutorial generation
Generate human-readable step descriptions and titles
Detect when a tutorial goal has been achieved
Score tutorial quality

6.2 What Data is Sent to Anthropic

We use Anthropic's Claude API at multiple stages of tutorial generation. Data sent to Anthropic includes:

Your tutorial goal text (plain text)
Platform name and URL (plain text)
Redacted screenshots (images with personal data automatically blurred before transmission)
Step analysis data derived from screenshots (structured text, no personal data)

6.3 What is NOT Sent to Anthropic

Your name, email address, or account details
Your platform login credentials or session cookies
Unredacted screenshots
Personal data of any third parties
Your payment information

6.4 Anthropic's Data Handling

Anthropic processes data in accordance with their Privacy Policy. Stepify uses Anthropic's API, which does not use customer inputs for model training. Data is processed in the United States.

7. How We Use Your Data

Purpose	Data Used	Legal Basis
Account creation and management	Name, email, password hash	Contractual necessity
Payment processing	Payment details (via Stripe)	Contractual necessity
Platform connection	Encrypted session cookies, platform URL	Explicit consent (given at connection)
Tutorial generation	Screenshots, goal text, platform content	Contractual necessity / Consent
AI analysis	Screenshots and goal text sent to Anthropic	Contractual necessity / Consent
Service improvement	Anonymised usage analytics (Matomo)	Legitimate interest
Customer support	Name, email, support messages	Contractual necessity
Service communications	Email address	Contractual necessity / Legitimate interest

We do not sell your personal data. We share data only with the following third parties, solely for the purposes described:

Third Party	Purpose	Data Shared	Location
Anthropic (Claude AI)	AI-powered tutorial generation (multi-stage pipeline)	Goal text, platform name, redacted screenshots	United States
Stripe	Payment processing	Payment details, billing email	United States
Resend	Transactional email delivery	Email address, name	United States

We do not use third-party advertising, tracking, or analytics services. Our analytics (Matomo) are self-hosted.

9. Data Retention

Data Type	Retention Period
Account information	Until you delete your account
Encrypted session cookies	30 days from connection (auto-expire), or until manually revoked
Tutorials and assets	Until you delete them, or when your account is deleted
Payment records	As required by Thai tax law (up to 5 years)
Usage analytics	Anonymised, retained for 12 months
Remote browser session data	Not retained — destroyed immediately when session ends
Screenshot data (S3)	Retained for the duration of your account plus 30 days after account deletion. Redaction audit logs retained for 12 months.
Job queue data	Retained in the queue system for 30 days after completion (completed jobs) or 90 days (failed jobs, for debugging purposes).
Generation progress events	Retained in database for 90 days, then deleted.
Platform session cookies	Retained until you disconnect the platform via your dashboard, or until the session expires (typically 30 days). Stored encrypted at all times.

10. Data Security

We implement the following security measures to protect your data:

Encryption at rest: Session cookies encrypted with AES-256-GCM. Passwords hashed with bcrypt.
Encryption in transit: All connections use TLS/SSL (HTTPS). Remote browser streams use WSS (WebSocket Secure).
Infrastructure isolation: Remote browser sessions run in isolated containers that are destroyed after use.
Access control: Server access is restricted. Database credentials are managed through environment variables.
No credential storage: We architecturally cannot access your platform passwords because we never store them.

While we take all reasonable measures to protect your data, no system is 100% secure. If we become aware of a security breach affecting your personal data, we will notify you in accordance with applicable law.

11. Your Rights

Under the Thai Personal Data Protection Act (PDPA) and the EU General Data Protection Regulation (GDPR) (where applicable), you have the following rights:

Access: Request a copy of the personal data we hold about you.
Rectification: Request correction of inaccurate data.
Deletion: Request deletion of your data. You can delete your account, tutorials, and platform connections at any time through the Stepify dashboard.
Portability: Request your data in a machine-readable format.
Withdrawal of consent: You can revoke platform connections at any time. You can withdraw consent for data processing, though this may mean we can no longer provide the service.
Objection: Object to processing based on legitimate interest.
Restriction: Request that we limit how we use your data.

To exercise any of these rights, please contact us at hello@stepify.it. We will respond within 30 days.

12. International Data Transfers

Stepify's servers are hosted in Singapore. Some data is processed by third parties in the United States (Anthropic, Stripe, Resend). Where data is transferred outside Thailand, we ensure appropriate safeguards are in place, including contractual obligations with our service providers to protect your data in accordance with applicable law.

12b. Thai PDPA Compliance

Stepify is operated by Landing Pad Digital Co., Ltd., a company registered in Thailand and approved by the Thailand Board of Investment (BOI). We process personal data in accordance with the Personal Data Protection Act B.E. 2562 (PDPA).

With respect to tutorial generation specifically:

We apply automatic PII redaction to screenshots to prevent incidental collection of third-party personal data.
Platform session cookies (which may be considered personal data) are stored encrypted and accessed only when required for tutorial generation.
You retain the right to request deletion of your tutorials and associated screenshot data at any time via your account settings or by contacting hello@stepify.it.
We do not sell, share, or transfer tutorial content or screenshots to third parties except as described in this policy (AI processing, cloud storage).

13. Children's Privacy

Stepify is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at hello@stepify.it and we will delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by displaying a prominent notice on stepify.it. The "Last updated" date at the top of this page indicates when the policy was last revised.

15. Contact Us

If you have any questions about this Privacy Policy or how we handle your data:

Landing Pad Digital Co., Ltd.
Email: hello@stepify.it
Website: https://stepify.it