Privacy Policy
Last updated: April 2, 2026
1. Introduction
StepsKit (“we”, “us”, “our”) is a platform that helps SaaS teams create in-app product tours for onboarding, feature adoption, and user guidance. This policy covers the stepskit.com website, the StepsKit dashboard, and the StepsKit embed script installed on our customers’ websites.
2. Information We Collect
Dashboard Users (StepsKit Customers)
- Account information (email address, password — managed by Supabase)
- Billing information (processed by Stripe — we never store credit card numbers directly)
- Project data (tours, steps, settings, themes you create)
- Usage data (pages visited and features used within the StepsKit dashboard)
End-Users (Your Customers’ Users)
- Visitor identifier (only if provided by our customer via the embed script’s data-user-id attribute or setUserAttributes() API)
- Tour interaction events (tour started, completed, dismissed, steps viewed, button clicks)
- Session identifier (a random UUID generated per browser session)
- Referring domain (validated against the customer’s allowed domains list)
Important: User attributes such as email, plan, name, or any custom properties passed to the StepsKit embed script are processed entirely in the end-user’s browser for tour targeting purposes. These attributes are never transmitted to or stored on StepsKit servers.
3. How We Use Your Information
- To provide and maintain the StepsKit service
- To process payments and manage subscriptions
- To provide tour analytics to our customers (aggregated event data)
- To enforce frequency capping (e.g., showing a tour only once per visitor)
- To send transactional emails (account confirmation, password reset)
- To improve our product and fix bugs
- To protect against fraud and abuse
4. AI-Powered Features
StepsKit offers optional AI-powered features to help you write tour content. When you use these features (e.g., “Write with AI”), the following data may be sent to our AI provider for processing:
- Tour metadata (tour name, step titles, and step descriptions you have written)
- Page context (page URL patterns and website metadata such as your site title and description)
- UI element metadata (element tag names, button labels, heading text, ARIA labels, and nearby interface elements on the page where the tour step is targeted)
What we do NOT send to our AI provider
- Your end-users’ personal data (names, emails, session data, or any data collected by the Embed Script)
- Form input values, user-generated content on your pages, or data from iframes or third-party widgets
- Your StepsKit account credentials or billing information
AI data handling
- Our AI provider is Anthropic (Claude API). Under Anthropic’s API terms, data sent through the API is not used to train or improve their AI models.
- AI-generated content suggestions are returned directly to your browser and are not stored by Anthropic beyond their standard API log retention period (up to 30 days for safety and abuse monitoring).
- AI features are always user-initiated — we never send your data to AI providers in the background or without your explicit action.
- You can use StepsKit without ever using AI features. All tour content can be written manually.
5. Legal Basis for Processing (GDPR)
- Contract: Processing dashboard user data is necessary to provide the service you signed up for
- Legitimate Interest: Analytics, security monitoring, and product improvement
- Consent: We will obtain your consent before sending any marketing communications
6. Data Sharing & Sub-Processors
We do not sell your personal data. We do not share data with advertisers. We use the following service providers to operate StepsKit:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Authentication & database | United States |
| Stripe | Payment processing | United States |
| Vercel | Application hosting | United States |
| Resend | Transactional email | United States |
| Anthropic | AI content generation (Claude API) | United States |
| Simple Analytics | Privacy-first website analytics | The Netherlands (EU) |
7. Cookies & Local Storage
- Authentication cookies — Set by Supabase for session management. Strictly functional and required for login. No tracking purpose.
- Session storage — The embed script uses the browser’s sessionStorage to store a random session ID. This is not a cookie, is never shared with third parties, and is automatically cleared when the browser tab is closed.
- We do not use third-party tracking cookies, advertising cookies, or analytics cookies.
8. Data Retention
- Account data — Retained while your account is active and for 30 days after deletion
- Billing records — Retained as required by applicable tax law (typically 7 years)
- Tour event data — Retained for the duration of the customer’s active subscription
- Visitor records — Deleted when the associated project is deleted
- You can request deletion of your data at any time by contacting us
9. Your Rights
Under GDPR (EU/EEA residents)
Access, rectify, erase, restrict processing, data portability, object to processing, withdraw consent.
Under CCPA/CPRA (California residents)
Right to know what data we collect, right to delete, right to correct, right to opt-out of sale (we do not sell personal data), right to non-discrimination.
How to exercise your rights
Email contact@stepskit.com or delete your account from the dashboard settings. We will respond within 30 days.
10. International Data Transfers
Your data is processed in the United States. If you are located in the European Economic Area, transfers are covered by Standard Contractual Clauses implemented by our sub-processors.
11. Children’s Privacy
StepsKit is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will delete it promptly.
12. Security
- All data encrypted in transit (TLS) and at rest
- Zero-trust backend architecture — no direct database access from client applications
- Access restricted to authenticated and authorized users only
- Regular security updates and dependency monitoring
13. Changes to This Policy
We may update this policy from time to time. For material changes, we will notify dashboard users by email. The “Last updated” date at the top of this page will always reflect the most recent revision. Continued use of StepsKit after changes constitutes acceptance of the updated policy.
14. Contact Us
If you have questions about this privacy policy or our data practices, contact us at: contact@stepskit.com