Privacy Policy

Last updated 28 March 2026

Introduction

Webrec is a session recording and analytics platform. This policy explains what data we collect, how we use it, and the rights you have over it. We act as a data controller for Customer account data and as a data processor for End User session recordings captured by the SDK.

Webrec ("we", "us", "our") is a session recording and analytics platform operated by Rouic Ltd, a company registered in England and Wales. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our website at webrec.app, our APIs (api.webrec.app), SDKs (webrec), and related services (collectively, the "Service").

This policy applies to two categories of individuals:

  • Customers — users who create a Webrec account and use the platform to record and analyse sessions on their websites or applications.
  • End Users — visitors to websites and applications that use the Webrec SDK for session recording.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, you should not use the Service.

Data Controller

The data controller for the personal data described in this policy (where Webrec acts as controller) is:

Rouic Ltd

Registered in England and Wales

United Kingdom

Email: legal@webrec.app

Privacy inquiries: privacy@webrec.app

Data Controller and Data Processor Roles

Under the GDPR and UK GDPR, the roles are as follows:

  • Webrec as Data Controller: We are the data controller for the personal data of our Customers (account information, billing data, usage of the Webrec dashboard).
  • Webrec as Data Processor: For End User data collected via the Webrec SDK deployed on Customer websites and applications, the Customer is the data controller and Webrec acts as a data processor. We process End User data solely on the Customer's behalf and in accordance with their instructions as set out in our Data Processing Agreement (see our Terms of Service).

Customers are responsible for ensuring they have a valid legal basis (such as consent or legitimate interest) for collecting End User data via the SDK, providing appropriate privacy notices to their users, and configuring the SDK's privacy controls for their specific use case.

Data We Collect

We collect only the data necessary to provide the Service. Form inputs are masked by default, and the SDK is designed with privacy-first defaults. You control what is recorded through SDK configuration.

4.1 Account Data

When you create a Webrec account, we collect:

  • Registration information: name, email address, and password hash (for email/password authentication), or profile data provided by Google or GitHub when you authenticate via OAuth
  • Organisation information: project names, team member details, and roles
  • Communication data: support requests, feedback, and correspondence with our team

4.2 Billing Data

Payment information is processed securely by Stripe, our payment processor. We do not store full card numbers, CVVs, or other sensitive payment credentials on our servers. We retain a reference to your Stripe customer ID, plan details, and billing history for account management and financial record-keeping.

4.3 Usage Data

We collect information about how you interact with the Webrec dashboard, including:

  • Features used, pages visited within the dashboard, and session replay views
  • IP address, browser type, device information, and approximate location (for security and fraud detection)
  • Login timestamps and authentication events

4.4 Session Recording Data (Collected via SDK)

When Customers deploy the Webrec SDK (webrec-sdk) on their websites or applications, the SDK may collect the following from End Users:

  • Session recordings: DOM snapshots, mutations, mouse movements, clicks, scrolls, keyboard events, and page transitions. Form input values are masked by default
  • Technical data: browser type and version, operating system, screen resolution, viewport size, and device type
  • Performance data: Core Web Vitals (LCP, CLS, INP), page load times, and resource timing
  • Network data: API request URLs, HTTP methods, status codes, and response times. Request and response bodies are not captured by default
  • Error data: JavaScript errors, stack traces, and console output
  • Identifiers: an anonymous session ID stored in sessionStorage, an anonymous visitor ID stored in localStorage, and optionally a user ID if the Customer uses the identify() API

4.5 Cookies and Local Storage

Our website uses essential cookies for authentication and security. For full details, see our Cookie Policy.

How We Use Data

We use the data we collect for the following purposes:

  • Service delivery: processing and storing session recordings, generating heatmaps, tracking errors, and powering analytics features on behalf of our Customers
  • Account management: authenticating users, managing subscriptions, and processing payments via Stripe
  • Service improvement: understanding usage patterns to improve features, fix bugs, and optimise performance
  • Communication: sending transactional emails (e.g., account verification, billing notifications, security alerts) via Resend, and with your consent, product updates and announcements
  • AI features (optional): if you enable AI-powered features (such as session summaries or error analysis), relevant session data may be processed by OpenAI. These features are opt-in and can be disabled at any time. See the AI & Data Processing section for more details
  • Security: detecting and preventing fraud, abuse, and unauthorised access
  • Legal compliance: meeting legal obligations and responding to lawful requests from authorities

Session Recording Data

For session recording data, Webrec acts as a Data Processor. The Customer who deploys the SDK is the Data Controller and determines the purposes and means of processing. The SDK is designed with privacy as a default — all form inputs are masked and sensitive elements can be excluded.

7.1 Our Role

For session recording data collected via the Webrec SDK, Webrec acts as a Data Processor. The Customer who deploys the SDK is the Data Controller and determines the purposes and means of processing End User data. We process this data solely to provide the Service as instructed by the Customer.

7.2 What is Recorded

The SDK captures a faithful representation of the user's experience, including the visual state of the page (DOM structure and mutations), user interactions (clicks, scrolls, mouse movements), network requests, console output, and JavaScript errors. This data is transmitted to our servers and stored for replay and analysis.

7.3 Privacy Controls

The SDK is designed with privacy as a default. The following controls are available:

  • Input masking: all form input values are masked by default, replaced with asterisks in the recording
  • Element blocking: elements with the wr-block CSS class or data-wr-block attribute are completely excluded from recordings
  • Do Not Track (DNT): the SDK respects the browser's Do Not Track header. When DNT is enabled, no recording occurs
  • Global Privacy Control (GPC): the SDK respects the GPC signal. When GPC is set, no recording occurs
  • Network body exclusion: request and response bodies are not captured by default
  • No cross-site tracking: session identifiers are stored in sessionStorage (cleared when the tab closes) and do not track users across sites

7.4 Customer Responsibilities

Customers are solely responsible for:

  • Informing their End Users that session recording is in use
  • Obtaining any consents required under applicable law (e.g., GDPR, ePrivacy Directive, CCPA)
  • Configuring the SDK's privacy controls appropriately for their specific use case
  • Ensuring that sensitive data (e.g., payment card numbers, health information, government IDs) is excluded from recordings using the wr-block class or other masking options

AI & Data Processing

AI features are entirely opt-in. When enabled, session data is sent to OpenAI solely for generating summaries and error analysis. Your data is never used to train AI models.

Webrec offers optional AI-powered features, including automated session summaries and error analysis. These features use the OpenAI API to process session data. The following safeguards apply:

  • Opt-in only: AI features are disabled by default. They must be explicitly enabled by a Customer at the project level. No data is sent to OpenAI unless you choose to activate these features
  • No model training: we use the OpenAI API with data processing terms that explicitly prohibit the use of your data for training, fine-tuning, or improving OpenAI's models. Your session data is processed solely to generate the requested output (e.g., a summary) and is not retained by OpenAI beyond the time required to produce the response
  • Minimal data sent: we send only the minimum data necessary to generate a useful summary or analysis. Full session recordings are not transmitted — we extract and send only relevant metadata, page URLs, user actions, and error information
  • Can be disabled at any time: you may disable AI features at any point from your project settings. Previously generated summaries will remain unless you choose to delete them
  • Sub-processor obligations: OpenAI is listed as a sub-processor in our Data Processing Agreement and is contractually bound to protect your data

If you have concerns about AI data processing, contact us at privacy@webrec.app and we will be happy to discuss your options.

Data Retention

We retain data according to the following schedule:

Data Type | Retention Period
Session recordings (Free plan) | 7 days
Session recordings (Pro plan) | 90 days
Session recordings (Business plan) | Up to 365 days (configurable)
AI-generated summaries | Same as the associated session recording
Account data | Duration of account + 30 days after deletion
Billing records | 7 years (as required by financial regulations)
Server logs | 90 days

Session recordings are automatically and permanently deleted after the retention period expires. You may also manually delete individual sessions or all sessions for a specific user at any time from the dashboard.

Data Sharing and Sub-processors

We do not sell personal data. We do not share personal data with third parties for their own marketing purposes. Data is shared only with the sub-processors listed below, and only to the extent necessary to provide the Service.

Sub-processor | Purpose | Data Location
Google Cloud Platform | Cloud infrastructure, compute, storage, and database hosting | europe-west2 (London, UK)
Stripe | Payment processing and subscription management | EU/US (payment data only)
Resend | Transactional email delivery (account notifications, alerts) | US
OpenAI (optional) | AI-powered session summaries and error analysis. Only used when explicitly enabled by the Customer | US

All sub-processors are contractually bound by Data Processing Agreements to protect data and process it only as instructed by us. We will notify Customers at least 14 days before engaging a new sub-processor.

We may also disclose data if required by law, court order, or governmental authority, or where necessary to protect the rights, property, or safety of Webrec, our Customers, or others.

International Data Transfers

Our primary infrastructure is hosted on Google Cloud Platform in the europe-west2 (London, UK) region. All session recording data, customer account data, and associated metadata are stored within this region.

Core session recording data is not transferred to the United States or other jurisdictions outside the UK/EEA. However, certain sub-processors (Stripe, Resend, and optionally OpenAI) may process limited categories of data in the US. Where personal data is transferred outside the EEA/UK, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs): we use the European Commission's approved SCCs (Commission Implementing Decision (EU) 2021/914) with each sub-processor that processes data outside the EEA. These clauses impose contractual obligations on the data importer to protect your data to EEA standards
  • UK International Data Transfer Agreement (IDTA): for transfers from the UK, we use the UK IDTA or the UK Addendum to the EU SCCs as approved by the Information Commissioner's Office (ICO), ensuring compliance with UK GDPR requirements
  • Adequacy decisions: where the European Commission or UK Secretary of State has issued an adequacy decision for the recipient country, we rely on that decision as a valid transfer mechanism
  • Transfer Impact Assessments: we conduct transfer impact assessments for each sub-processor to evaluate the legal framework in the recipient country and any supplementary measures required
  • EU-US Data Privacy Framework: where applicable, we verify that US sub-processors are certified under the EU-US Data Privacy Framework

Sub-processor | Transfer Mechanism | Location
Google Cloud Platform | Data stored in UK (europe-west2) — no transfer | UK
Stripe | SCCs + EU-US Data Privacy Framework certification | EU/US
Resend | SCCs + EU-US Data Privacy Framework certification | US
OpenAI (optional) | SCCs + EU-US Data Privacy Framework certification | US

For self-hosted deployments, you control exactly where your data is stored and processed. No data leaves your infrastructure unless you explicitly configure external integrations.

Your Rights Under GDPR

If you are in the EEA or UK, you have comprehensive data protection rights under GDPR and UK GDPR. We respond to all data subject requests within 30 days.

If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) and UK GDPR:

  • Right of access (Art. 15): request a copy of the personal data we hold about you
  • Right to rectification (Art. 16): request correction of inaccurate or incomplete personal data
  • Right to erasure (Art. 17): request deletion of your personal data ("right to be forgotten"). We will delete your account data and all associated session recordings within 30 days
  • Right to restrict processing (Art. 18): request that we limit how we use your data in certain circumstances
  • Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format (JSON). You can export your data from the dashboard or request an export via email
  • Right to object (Art. 21): object to processing based on legitimate interests or for direct marketing purposes
  • Right to withdraw consent (Art. 7): where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
  • Right to lodge a complaint: you may file a complaint with your local supervisory authority (in the UK, this is the Information Commissioner's Office at ico.org.uk)

To exercise any of these rights, contact us at privacy@webrec.app. We will respond within 30 days as required by GDPR. We may ask you to verify your identity before processing your request.

End User Rights

For End User data collected through the SDK, the Customer (website operator) is the data controller and Webrec acts as a data processor. End Users should contact the relevant website or application operator to exercise their data subject rights.

We provide Customers with tools to fulfil data subject requests, including the ability to:

  • Search for and retrieve sessions associated with a specific user ID
  • Delete all sessions for a specific user ID (supporting right to erasure requests)
  • Export session data in a portable format (supporting right to portability requests)

California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). We do not sell or share your personal information for cross-context behavioural advertising.

The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA"), provides California residents with specific rights regarding their personal information. This section applies to you if you are a California resident.

Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:

Category | Examples | Collected
Identifiers | Name, email address, account ID, IP address | Yes
Commercial information | Subscription plan, billing history, payment references | Yes
Internet or electronic network activity | Dashboard usage, browser type, session recording data | Yes
Geolocation data | Approximate location derived from IP address | Yes
Professional or employment information | Company name (if provided) | Only if voluntarily provided
Sensitive personal information | Account login credentials (hashed) | Yes (password hashes only)

Your CCPA Rights

As a California resident, you have the right to:

  • Know: request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it
  • Delete: request deletion of personal information we have collected from you, subject to certain exceptions
  • Correct: request correction of inaccurate personal information
  • Opt out of sale or sharing: we do not sell personal information and do not share personal information for cross-context behavioural advertising, so no opt-out is required
  • Limit use of sensitive personal information: we use sensitive personal information only for purposes permitted under the CCPA (account security)
  • Non-discrimination: we will not discriminate against you for exercising any of your CCPA rights

To exercise your CCPA rights, contact us at privacy@webrec.app with the subject line "CCPA Request". We will verify your identity and respond within 45 days as required by law. You may also designate an authorised agent to make a request on your behalf.

Financial Incentives

We do not offer financial incentives or price differences in exchange for the retention or sale of personal information.

Children's Privacy

The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at privacy@webrec.app and we will take steps to delete such information promptly.

Customers must not knowingly use the SDK to record sessions of users under 16 without verifiable parental consent where required by applicable law.

Cookies

Our website uses a limited number of essential cookies for authentication and security purposes. We do not use advertising, marketing, or third-party analytics cookies on our website.

For comprehensive information about the cookies we use, how the Webrec SDK uses browser storage on customer websites, and how to manage your cookie preferences, please see our dedicated Cookie Policy.

Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption in transit: all data transmitted between clients and our servers is encrypted using TLS 1.2 or higher
  • Encryption at rest: all stored data is encrypted using AES-256 encryption on Google Cloud Platform
  • Access controls: role-based access controls, multi-factor authentication for infrastructure access, and principle of least privilege
  • Audit logging: comprehensive logging of access to systems and data
  • Secure development: code reviews, dependency scanning, and security-focused development practices
  • Incident response: documented incident response procedures with defined escalation paths

While we take reasonable steps to protect personal data, no method of electronic transmission or storage is 100% secure. If you become aware of a security vulnerability or incident, please contact us immediately at security@webrec.app.

Data Breach Notification

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to the rights and freedoms of individuals, we will also notify affected data subjects without undue delay (Article 34).

Where Webrec is acting as a data processor, we will notify affected Customers without undue delay (and in any event within 48 hours) so they can fulfil their own notification obligations as data controllers.

Accessibility

We are committed to making our privacy information accessible to all users. This policy is available in a screen-reader-friendly format on our website. If you have difficulty accessing or understanding this policy due to a disability, please contact us at privacy@webrec.app and we will provide the information in an alternative format.

We strive to conform to the Web Content Accessibility Guidelines (WCAG) 2.1 at the AA level across our website and dashboard. Our commitment to accessibility extends to ensuring that privacy controls within the SDK — such as the ability to opt out of recording — are accessible to all users, including those using assistive technologies.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

  • Sending an email to the address associated with your account
  • Displaying a prominent notice on our website
  • Updating the "Last updated" date at the top of this policy

We will provide at least 14 days' notice before material changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy. If you do not agree to the changes, you should stop using the Service and contact us to delete your account.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Rouic Ltd

Registered in England and Wales

United Kingdom

Email: privacy@webrec.app

We aim to respond to all inquiries within 30 days. For urgent security matters, we will respond as quickly as possible.
