Privacy Policy | Taptale

TERMINAL92 LLC (“we,” “us,” “our,” or “Company”) operates the Taptale platform, including the web application at taptale.app, the Taptale Chrome browser extension, and related services (collectively, the “Service”). This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our Service.

By using Taptale, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

Email address (required for registration and communication)
Name (if provided or obtained via OAuth)
Profile photo (if provided via OAuth or uploaded)
Authentication credentials (managed securely by our authentication provider)
Organization/workspace name (if provided)

1.2 Payment Information

When you subscribe to a paid plan, our payment processor (Stripe) collects:

Credit/debit card details
Billing address
Transaction history

We do not store your full credit card number on our servers. Payment data is handled entirely by Stripe in accordance with PCI-DSS standards.

1.3 Content You Create and Upload

When you use Taptale, you may upload or create:

Video recordings (browser tab, window, screen, camera, and uploaded video files)
Interactive demos (screen captures, DOM snapshots, step-by-step recordings)
Screenshots and thumbnails generated during recording
Audio recordings (narration, microphone capture, and optional system/tab audio)
Transcripts generated from your video/audio content
Edits and annotations (hotspots, text overlays, effects, HTML modifications)

1.4 Data Collected by the Chrome Extension

The Taptale Chrome extension collects recording content only during active recording sessions initiated by you. Outside a recording, the extension may process sign-in state, selected workspace, recorder settings, device selections, billing-limit checks, and upload or recovery status needed to operate the recorder. Depending on the recording mode and settings you choose, the extension may capture:

Interactive recording data such as DOM snapshots, page structure, page title, tab URL, click targets, selectors, navigation, scrolling, and cursor movement if cursor capture is enabled
Screenshots and cover images of the page or tab being recorded, generated for step replay, thumbnails, and editing
Video recording data from the tab, window, or screen surface you select through Chrome's capture UI
Optional camera and microphone data if you enable webcam or microphone recording
Optional system or tab audio if you enable system audio capture
Recording metadata such as duration, timestamps, step/event counts, selected workspace ID, upload status, and recoverable-upload metadata

Privacy safeguards built into the extension:

Form input masking: All <input>, <textarea>, <select>, editable text fields, and known sensitive field values captured in the DOM event stream are masked before transmission. Password, credit-card, one-time-code, and explicitly sensitive fields (e.g., data-sensitive, data-taptale-sensitive, data-rrweb-ignore) are additionally redacted from interactive screenshots before capture
Safe Mode: Safe Mode is enabled by default and masks page text that matches common personal-information patterns in interactive DOM snapshots and event streams
Site denylist: Recording is automatically blocked on identity providers, password managers, banking, healthcare, payments, and government domains
Upload destination allowlist: Recorded media can only be uploaded to Taptale's configured Cloudflare R2 storage origins; server-supplied URLs to any other host are rejected client-side
No passive page collection: The extension does not collect page content or media during passive browsing. Its service worker and offscreen document are used for sign-in, recording, upload, recovery, and lifecycle events
No browser-data access: The extension does not access browsing history, bookmarks, cookies, stored credentials, or autofill data
No cross-site tracking: The extension does not track your browsing activity across sites

While an interactive recording is active, the extension may follow the active tab if you switch tabs so subsequent interactions can be captured as part of the same recording. In video mode, Chrome's native capture UI controls whether you share a tab, window, or screen.

Note: Screenshots and video capture record visible pixels of the chosen tab, window, or screen. Content rendered inside cross-origin iframes, <canvas>, images, or <video> elements may be captured as visually displayed and is not subject to DOM-level masking. Interactive screenshot redaction does not apply to continuous video streams selected through Chrome's capture UI. Avoid recording pages where sensitive data is visibly rendered.

The extension communicates only with Taptale servers (taptale.app and pro.taptale.app) for authentication and content upload, and with the configured Cloudflare R2 bucket origin for media storage. No data is sent to any other third party from the extension.

1.5 Viewer Analytics Data

When someone views content shared via Taptale, we collect:

IP address (used for approximate geographic location; not stored long-term in identifiable form)
Device type, browser, and operating system
Approximate geographic location (country/region level, derived from IP)
Watch duration and engagement metrics (how long viewed, percentage watched, chapters visited)
Interaction events (play, pause, seek, CTA clicks, chapter navigation)
Referrer URL and UTM parameters (how the viewer found the link)
Email address (only if the share link requires email submission)
Session timing (when the view started and ended)

1.6 Automatically Collected Technical Data

We automatically collect:

Log data (IP address, browser type, operating system, referring URL, pages visited, timestamps)
Device information (screen resolution, device type)
Performance data (page load times, errors)
Cookies and similar technologies (see Section 6)

1.7 AI-Processed Data

When your uploaded content is transcribed, indexed, searched, or used for AI-generated chapters:

Audio or video content may be processed to generate transcripts using Mux automatic captions or OpenAI Whisper, depending on the media format and processing path
Text embeddings are generated from your video transcripts using OpenAI's embedding models and stored in our database for future searches
Search queries and transcript excerpts may be processed by Anthropic to generate Knowledge Search answers and citations
Timestamped transcript excerpts may be processed by Anthropic to generate chapter titles and descriptions
AI-generated outputs such as transcripts, answers, citations, embeddings, and chapter metadata may be stored in our database for your workspace's use
Your content is not used to train third-party AI models (see Section 3.5)

AI data storage: Audio/video files, transcript text, and transcript excerpts sent to AI or captioning providers are processed through provider APIs for the feature being used. TERMINAL92 stores the resulting transcripts, embeddings, citations, answers, and chapter metadata only as needed to provide Taptale features to your workspace.

Regulated data: The AI features are not designed to process data subject to specific regulatory frameworks such as HIPAA, PCI-DSS, ITAR, EAR, SOX, or GLBA. Do not submit regulated or sensitive data through AI-powered features.

2. How We Use Your Information

2.1 Providing and Improving the Service

Create and manage your account and workspaces
Process and store your video recordings and interactive demos
Generate transcripts from audio/video content
Provide AI-powered search and knowledge features
Display viewer analytics and engagement metrics
Process payments and manage subscriptions
Send transactional emails (invitations, notifications, receipts)

2.2 Security and Abuse Prevention

Authenticate users and validate sessions
Enforce rate limits to prevent abuse
Detect and prevent fraudulent activity
Monitor for security threats and unauthorized access

2.3 Communication

Respond to your support requests
Send service-related notices (maintenance, security alerts, policy changes)
Send product updates (you can opt out at any time)

2.4 Legal Compliance

Comply with applicable laws, regulations, and legal processes
Enforce our Terms of Service
Protect the rights, safety, and property of our users and the public

3. How We Share Your Information

We do not sell your personal information. We share information only in the following circumstances:

3.1 With Your Workspace Members

Content you upload is accessible to members of your workspace based on their assigned role (Admin, Editor, Viewer).

3.2 With Viewers You Choose to Share With

When you create a share link, the associated content becomes accessible to anyone with that link (subject to any password or email gate you configure).

3.3 With Service Providers (Sub-Processors)

We use the following third-party services to operate Taptale. Each processes data only as necessary to provide their service:

Provider	Purpose	Data Processed
Vercel	Web application hosting	All application data in transit
Clerk	Authentication and user management	Email, name, profile photo, session data
Stripe	Payment processing	Payment details, billing address, transaction history
Cloudflare (R2)	File storage	Uploaded videos, audio, screenshots, thumbnails, DOM snapshots, and interaction-event data
Mux	Adaptive HD video encoding, captions, and streaming delivery	Uploaded video files and caption tracks used for playback and transcripts
OpenAI	Audio/video transcription and text embeddings	Audio/video or audio tracks for transcription; transcript text for embedding generation
Anthropic (Claude)	AI-powered search answers and chapter generation	Search queries, relevant transcript excerpts, and timestamped transcript text
Upstash	Rate limiting	IP addresses, request counts (ephemeral)
Resend	Transactional email delivery	Email addresses, notification content
Sentry	Error monitoring and diagnostics	Error logs and stack traces, which may incidentally contain limited technical identifiers. We configure Sentry to minimize personal data collection

3.4 For Legal Reasons

We may disclose information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of TERMINAL92 LLC, our users, or the public.

3.5 AI Provider Data Usage

OpenAI: We use their API with data processing terms that prohibit using your data for model training. Your audio/video or audio tracks may be processed for transcription, and your transcripts may be processed for embedding generation.
Anthropic: We use their API with terms that prohibit using your data for model training. Your search queries and transcript excerpts may be processed to generate Knowledge Search answers, citations, and chapter metadata.

3.6 Business Transfers

If TERMINAL92 LLC is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.

4. Data Retention

Data Type	Retention Period
Account information	Until you delete your account
Uploaded content (videos, recordings)	Until you delete the content or your account
Viewer analytics	24 months from collection, then anonymized
Payment records	As required by tax and financial regulations (typically 7 years)
Server logs	90 days
AI search query logs	12 months
Extension recording data (local)	Until uploaded, manually deleted, discarded, or cleared during logout/recovery cleanup
Extension workspace, recorder settings, and upload recovery state	Until changed, logged out, uploaded, discarded, or manually deleted

When you delete your account, we delete or anonymize your personal information within 30 days, except where retention is required by law.

Note: Retention periods listed above are targets and may vary based on operational and legal requirements.

5. Data Security

We implement industry-standard security measures to protect your information:

Encryption in transit: All data transmitted between your browser/extension and our servers uses TLS 1.2+ (HTTPS)
Encryption at rest: Stored files are encrypted at rest in Cloudflare R2
Authentication: Secure session management via Clerk with JWT-based extension authentication
Access control: Role-based workspace permissions (Admin, Editor, Viewer)
Password protection: Share link passwords are hashed using PBKDF2 with SHA-256 (100,000 iterations, 256-bit key)
Rate limiting: API rate limiting to prevent brute-force attacks and abuse
SSRF protection: Image proxy blocks private IP ranges, localhost, and internal domains
Content Security Policy: Strict CSP headers to prevent cross-site scripting
Webhook verification: Stripe webhooks verified via cryptographic signatures with idempotency protection

In the event of a data breach, we will notify affected users and relevant authorities as required by applicable law.

No system is 100% secure. If you discover a security vulnerability, please report it to security@taptale.app.

6. Cookies and Tracking Technologies

6.1 Cookies We Use

Cookie	Purpose	Type	Duration
Session cookies	Authentication state	Essential	Session
Workspace preference	Remember selected workspace	Functional	Persistent
Clerk authentication	User session management	Essential	Per Clerk policy

6.2 What We Do NOT Use

We do not use third-party advertising cookies
We do not use cross-site tracking pixels
We do not sell data to advertisers
We do not participate in ad networks

All cookies currently used by the Service are essential for functionality and do not require consent under applicable cookie laws.

6.3 Viewer Page Analytics

When someone views shared content, we collect analytics data (as described in Section 1.5) to provide engagement metrics to content creators. This data is collected via first-party JavaScript (not third-party trackers).

7. Your Rights

7.1 All Users

Access: Request a copy of the personal information we hold about you
Correction: Request correction of inaccurate information
Deletion: Request deletion of your personal information
Data portability: Request your data in a machine-readable format
Withdraw consent: Withdraw consent for optional data processing at any time
Opt out of communications: Unsubscribe from non-essential emails

7.2 European Economic Area, UK, and Swiss Residents (GDPR / UK GDPR)

In addition to the rights above:

Legal basis: We process your data based on: (a) contract performance (providing the Service), (b) legitimate interests (security, analytics, service improvement), (c) consent (optional features, marketing), or (d) legal obligation
Right to restrict processing: Request restriction of certain processing activities
Right to object: Object to processing based on legitimate interests
Right to lodge a complaint: File a complaint with your local data protection authority
Data transfers: Data may be transferred outside the EEA. We rely on Standard Contractual Clauses (SCCs) and adequacy decisions where applicable
Privacy inquiries: For privacy inquiries from EEA/UK residents, contact privacy@taptale.app
Balancing tests: We have conducted balancing tests to ensure our legitimate interests do not override your fundamental rights

7.3 California Residents (CCPA/CPRA)

Right to know: You have the right to know what personal information we collect, use, and disclose
Right to delete: You have the right to request deletion of your personal information
Right to correct: You have the right to correct inaccurate personal information
Right to opt out of sale: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising
Non-discrimination: We will not discriminate against you for exercising your privacy rights
Categories of information collected: Identifiers, commercial information, internet activity, geolocation data, professional information, audio/visual information
Authorized agents: You may designate an authorized agent to make requests on your behalf

7.4 Canadian Residents (PIPEDA)

You have the right to access, correct, and challenge the accuracy of your personal information
We obtain meaningful consent for the collection, use, and disclosure of personal information
You may withdraw consent at any time, subject to legal or contractual restrictions

7.5 Australian Residents (Privacy Act 1988)

You have the right to access and correct your personal information
You may make a complaint to the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the Australian Privacy Principles

7.6 Exercising Your Rights

To exercise any of these rights, contact us at:

Email: privacy@taptale.app
Mail: TERMINAL92 LLC, 522 W Riverside Ave, Ste N, Spokane, WA 99201, United States

We will respond to verified requests within 30 days (or as required by applicable law).

8. Children's Privacy

Taptale is a business-to-business platform intended for users aged 18 and older. We do not knowingly collect personal information from anyone under the age of 18. If we learn that we have collected personal information from a person under 18, we will promptly delete that information. If you believe someone under 18 has provided us with personal information, please contact us at privacy@taptale.app.

9. International Data Transfers

TERMINAL92 LLC is based in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

We ensure appropriate safeguards for international transfers through:

Standard Contractual Clauses (SCCs) approved by the European Commission
Adequacy decisions where applicable
Contractual obligations with sub-processors requiring equivalent data protection
Technical measures including encryption in transit and at rest to ensure adequate protection of transferred data

10. Chrome Extension Specific Disclosures

This section provides additional disclosures required for the Taptale Chrome browser extension, in accordance with the Chrome Web Store Developer Program Policies.

10.1 Single Purpose

The Taptale Chrome extension has a single purpose: to record interactive screen demos and video recordings for upload to the Taptale platform.

10.2 Permissions Justification

Permission	Why It's Needed
`activeTab`	To open the recorder on the active tab and capture screenshots or interactive content after you choose to use the recorder
`tabs`	To keep an interactive recording attached to the chosen tab as you navigate or switch tabs during that recording, and to handle tab close or recovery events
`tabCapture`	To support direct tab video/audio capture when available. Video recordings may also use Chrome's native screen-sharing picker for a tab, window, or screen
`scripting`	To inject the recorder UI and DOM-capture script into the chosen tab when you open or start the recorder, and to reconnect an active interactive recording after navigation
`storage`	To persist authentication state, selected workspace, recorder settings, in-progress recording metadata, and upload recovery state
`unlimitedStorage`	To buffer large video and screenshot data locally before upload completes
`offscreen`	To run the media capture, encoding, thumbnail, and upload context required by the Manifest V3 service-worker model
`notifications`	To notify you when a recording upload succeeds or fails
`identity`	To sign in to your Taptale account via `chrome.identity.launchWebAuthFlow`, which uses Chromium's secure redirect endpoint and a single-use cryptographic state token
`host_permissions: <all_urls>`	To allow recording on websites you choose. The extension injects scripts only after you open or start the recorder, or when reconnecting an active interactive recording after tab switches or navigation. Recording is additionally blocked by an in-product denylist on identity, banking, healthcare, government, and password-manager domains

10.3 Data Handling

Collection: Recording content is collected only during active recording sessions explicitly started by the user. Sign-in, workspace, settings, device-selection, billing-limit, upload, and recovery data may be processed outside a recording as needed to operate the recorder
Transmission: Recorded data is transmitted only to Taptale's APIs at taptale.app or pro.taptale.app and to the configured Cloudflare R2 bucket origin, both over HTTPS. Server-supplied upload URLs to any other origin are rejected client-side
Authentication: Sign-in uses chrome.identity.launchWebAuthFlow with a single-use cryptographic state token bound to Chromium's secure redirect endpoint. The auth token is held only in chrome.storage.session and is cleared when Chrome restarts
Local storage: Recording chunks, pending recordings, and recoverable uploads may be stored in IndexedDB, chrome.storage.local, or extension local storage until the upload succeeds, you retry or delete the recording, you discard it, or recovery cleanup clears it. Authentication and recording state are removed on logout
Strict CSP: The extension enforces script-src 'self'; object-src 'self' and does not load or execute remotely hosted code
No data sale: Data collected by the extension is never sold or transferred to third parties for advertising, profiling, or any purpose unrelated to operating the Taptale service
Single purpose: Extension data is used solely for creating and uploading recordings to your Taptale account

10.4 Host Permissions

The extension requests host permissions to inject content scripts for the recorder UI and interactive DOM recording on a tab you choose. Content scripts are injected when you open or start the recorder, and may be re-injected during an active interactive recording after navigation or tab switches. The extension does not inject scripts during install/update, passive browsing, or on:

Chrome internal pages (chrome://, chrome-extension://)
Browser system pages (about:, edge://)
Local files (file://)
Data or blob URLs (data:, blob:)

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

Posting the updated policy on our website with a new “Last Updated” date
Sending an email notification for significant changes
Displaying an in-app notice

Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices:

TERMINAL92 LLC
522 W Riverside Ave, Ste N
Spokane, WA 99201, United States

Email: privacy@taptale.app
Website: https://taptale.app