Privacy Policy

Last updated: 23 March 2026

1. Introduction

Webrec ("we", "us", "our") is a session recording and analytics platform operated by Rouic Ltd, a company registered in England and Wales. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our website at webrec.app, our APIs (api.webrec.app), SDKs (@webrec/sdk), and related services (collectively, the "Service").

This policy applies to two categories of individuals:

  • Customers — users who create a Webrec account and use the platform to record and analyse sessions on their websites or applications.
  • End Users — visitors to websites and applications that use the Webrec SDK for session recording.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, you should not use the Service.

2. Data Controller

The data controller for the personal data described in this policy (where Webrec acts as controller) is:

Rouic Ltd

United Kingdom

Email: legal@webrec.app

Privacy inquiries: privacy@webrec.app

3. Data Controller and Data Processor Roles

Under the GDPR and UK GDPR, the roles are as follows:

  • Webrec as Data Controller: We are the data controller for the personal data of our Customers (account information, billing data, usage of the Webrec dashboard).
  • Webrec as Data Processor: For End User data collected via the Webrec SDK deployed on Customer websites and applications, the Customer is the data controller and Webrec acts as a data processor. We process End User data solely on the Customer's behalf and in accordance with their instructions as set out in our Data Processing Agreement (see our Terms of Service).

Customers are responsible for ensuring they have a valid legal basis (such as consent or legitimate interest) for collecting End User data via the SDK, providing appropriate privacy notices to their users, and configuring the SDK's privacy controls for their specific use case.

4. Data We Collect

4.1 Account Data

When you create a Webrec account, we collect:

  • Registration information: name, email address, and password hash (for email/password authentication), or profile data provided by Google or GitHub when you authenticate via OAuth
  • Organisation information: project names, team member details, and roles
  • Communication data: support requests, feedback, and correspondence with our team

4.2 Billing Data

Payment information is processed securely by Stripe, our payment processor. We do not store full card numbers, CVVs, or other sensitive payment credentials on our servers. We retain a reference to your Stripe customer ID, plan details, and billing history for account management and financial record-keeping.

4.3 Usage Data

We collect information about how you interact with the Webrec dashboard, including:

  • Features used, pages visited within the dashboard, and session replay views
  • IP address, browser type, device information, and approximate location (for security and fraud detection)
  • Login timestamps and authentication events

4.4 Session Recording Data (Collected via SDK)

When Customers deploy the Webrec SDK (@webrec/sdk) on their websites or applications, the SDK may collect the following from End Users:

  • Session recordings: DOM snapshots, mutations, mouse movements, clicks, scrolls, keyboard events, and page transitions. Form input values are masked by default
  • Technical data: browser type and version, operating system, screen resolution, viewport size, and device type
  • Performance data: Core Web Vitals (LCP, CLS, INP), page load times, and resource timing
  • Network data: API request URLs, HTTP methods, status codes, and response times. Request and response bodies are not captured by default
  • Error data: JavaScript errors, stack traces, and console output
  • Identifiers: an anonymous session ID stored in sessionStorage, an anonymous visitor ID stored in localStorage, and optionally a user ID if the Customer uses the identify() API

4.5 Cookies and Local Storage

Our website uses essential cookies for authentication and security. For full details, see our Cookie Policy.

5. How We Use Data

We use the data we collect for the following purposes:

  • Service delivery: processing and storing session recordings, generating heatmaps, tracking errors, and powering analytics features on behalf of our Customers
  • Account management: authenticating users, managing subscriptions, and processing payments via Stripe
  • Service improvement: understanding usage patterns to improve features, fix bugs, and optimise performance
  • Communication: sending transactional emails (e.g., account verification, billing notifications, security alerts) via Resend, and with your consent, product updates and announcements
  • AI features (optional): if you enable AI-powered features (such as session summaries or error analysis), relevant session data may be processed by OpenAI. These features are opt-in and can be disabled at any time
  • Security: detecting and preventing fraud, abuse, and unauthorised access
  • Legal compliance: meeting legal obligations and responding to lawful requests from authorities

Under GDPR Article 6, we process personal data on the following legal bases:

Purpose                                    | Legal Basis
-------------------------------------------|---------------------------------------------------------------------------------------------------------------
Providing the Service, account management  | Performance of a contract (Art. 6(1)(b)) — processing is necessary to fulfil our agreement with you
Processing payments                        | Performance of a contract (Art. 6(1)(b))
Service improvement, analytics             | Legitimate interest (Art. 6(1)(f)) — we have a legitimate interest in improving our Service
Marketing communications                   | Consent (Art. 6(1)(a)) — you can withdraw consent at any time
Security, fraud prevention                 | Legitimate interest (Art. 6(1)(f))
Legal compliance                           | Legal obligation (Art. 6(1)(c))
Processing End User data via SDK           | Performance of a contract (Art. 6(1)(b)) — we process as a data processor on the Customer's instructions under our DPA

7. Session Recording Data

This section provides additional detail about session recording data, as it is central to the Webrec Service.

7.1 Our Role

For session recording data collected via the Webrec SDK, Webrec acts as a Data Processor. The Customer who deploys the SDK is the Data Controller and determines the purposes and means of processing End User data. We process this data solely to provide the Service as instructed by the Customer.

7.2 What is Recorded

The SDK captures a faithful representation of the user's experience, including the visual state of the page (DOM structure and mutations), user interactions (clicks, scrolls, mouse movements), network requests, console output, and JavaScript errors. This data is transmitted to our servers and stored for replay and analysis.

7.3 Privacy Controls

The SDK is designed with privacy as a default. The following controls are available:

  • Input masking: all form input values are masked by default, replaced with asterisks in the recording
  • Element blocking: elements with the wr-block CSS class or data-wr-block attribute are completely excluded from recordings
  • Do Not Track (DNT): the SDK respects the browser's Do Not Track header. When DNT is enabled, no recording occurs
  • Global Privacy Control (GPC): the SDK respects the GPC signal. When GPC is set, no recording occurs
  • Network body exclusion: request and response bodies are not captured by default
  • No cross-site tracking: session identifiers are stored in sessionStorage (cleared when the tab closes) and do not track users across sites
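The following is an added illustration of how a recorder honours the controls listed above; it is not the Webrec SDK's own code. It models three of them (the DNT and GPC opt-outs, exclusion of elements carrying the wr-block class or data-wr-block attribute, and masking of form input values) on a plain-object DOM snapshot so it runs in Node without a browser. The snapshot shape ({tag, attrs, text, value, children}), the navigator fields checked, and the use of a fixed-length mask are assumptions made for this example.

```javascript
// Added example, not Webrec SDK code. Assumed snapshot shape: {tag, attrs, text, value, children}.

const BLOCK_CLASS = "wr-block";      // CSS class named in the policy
const BLOCK_ATTR = "data-wr-block";  // data attribute named in the policy
const MASK = "********";             // fixed length, so the mask does not reveal how much was typed

// Gate recording on the browser's opt-out signals. `nav` stands in for window.navigator:
// doNotTrack is the string "1" when DNT is enabled, globalPrivacyControl is true when GPC is set.
function shouldRecord(nav) {
  const dntEnabled = nav.doNotTrack === "1" || nav.doNotTrack === "yes";
  const gpcEnabled = nav.globalPrivacyControl === true;
  return !(dntEnabled || gpcEnabled);
}

// An element is blocked if it carries the wr-block class or the data-wr-block attribute.
function isBlocked(node) {
  const attrs = node.attrs || {};
  const classes = String(attrs.class || "").split(/\s+/);
  return classes.includes(BLOCK_CLASS) || Object.prototype.hasOwnProperty.call(attrs, BLOCK_ATTR);
}

function isFormInput(node) {
  return node.tag === "input" || node.tag === "textarea" || node.tag === "select";
}

// Walk the snapshot: drop blocked subtrees entirely and mask every form value.
// Returns a new tree; the input tree is left untouched.
function sanitizeSnapshot(node) {
  if (isBlocked(node)) return null; // "completely excluded from recordings"
  const out = { tag: node.tag, attrs: { ...(node.attrs || {}) } };
  if (node.text !== undefined) out.text = node.text;
  if (isFormInput(node)) {
    if (typeof out.attrs.value === "string") out.attrs.value = MASK; // serialized attribute
    if (typeof node.value === "string") out.value = MASK;            // live DOM value
  } else if (node.value !== undefined) {
    out.value = node.value;
  }
  out.children = (node.children || []).map(sanitizeSnapshot).filter((c) => c !== null);
  return out;
}

// Constructed sample page: a checkout form with an e-mail field, a card panel marked
// with the block class, a note marked with the block attribute, and a submit button.
const SAMPLE_SNAPSHOT = {
  tag: "form",
  attrs: { id: "checkout" },
  children: [
    { tag: "input", attrs: { type: "email", value: "alice@example.com" }, value: "alice@example.com" },
    { tag: "div", attrs: { class: "panel wr-block" }, text: "card number shown here" },
    { tag: "p", attrs: { "data-wr-block": "" }, text: "health note shown here" },
    { tag: "button", attrs: { type: "submit" }, text: "Pay" },
  ],
};

// Full pipeline for one page load: null when an opt-out signal says not to record,
// otherwise the sanitized snapshot that would be sent upstream.
function captureSnapshot(nav, snapshot) {
  return shouldRecord(nav) ? sanitizeSnapshot(snapshot) : null;
}

// Usage: captureSnapshot({ doNotTrack: "0" }, SAMPLE_SNAPSHOT) keeps only the masked
// input and the button; captureSnapshot({ globalPrivacyControl: true }, SAMPLE_SNAPSHOT) is null.
```

The opt-out check runs before any DOM is serialized, which is the ordering the policy describes ("no recording occurs"); filtering after capture would already have placed the data in memory and possibly on the wire. A fixed-length mask is chosen over a same-length one because the number of asterisks would otherwise disclose the length of a password or card number.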

7.4 Customer Responsibilities

Customers are solely responsible for:

  • Informing their End Users that session recording is in use
  • Obtaining any consents required under applicable law (e.g., GDPR, ePrivacy Directive, CCPA)
  • Configuring the SDK's privacy controls appropriately for their specific use case
  • Ensuring that sensitive data (e.g., payment card numbers, health information, government IDs) is excluded from recordings using the wr-block class or other masking options

8. Data Retention

We retain data according to the following schedule:

Data Type                           | Retention Period
------------------------------------|-------------------------------------------------
Session recordings (Free plan)      | 7 days
Session recordings (Pro plan)       | 90 days
Session recordings (Business plan)  | Up to 365 days (configurable)
Account data                        | Duration of account + 30 days after deletion
Billing records                     | 7 years (as required by financial regulations)
Server logs                         | 90 days

Session recordings are automatically and permanently deleted after the retention period expires. You may also manually delete individual sessions or all sessions for a specific user at any time from the dashboard.

9. Data Sharing and Sub-processors

We do not sell personal data. We do not share personal data with third parties for their own marketing purposes. We share data only with the following categories of third-party sub-processors, and only to the extent necessary to provide the Service:

Sub-processor          | Purpose                                                                                                              | Data Location
-----------------------|----------------------------------------------------------------------------------------------------------------------|---------------------------
Google Cloud Platform  | Cloud infrastructure, compute, storage, and database hosting                                                          | europe-west2 (London, UK)
Stripe                 | Payment processing and subscription management                                                                       | EU/US (payment data only)
Resend                 | Transactional email delivery (account notifications, alerts)                                                         | US
OpenAI (optional)      | AI-powered features such as session summaries and error analysis. Only used when explicitly enabled by the Customer | US

All sub-processors are contractually bound by Data Processing Agreements to protect data and process it only as instructed by us. We will notify Customers at least 14 days before engaging a new sub-processor.

We may also disclose data if required by law, court order, or governmental authority, or where necessary to protect the rights, property, or safety of Webrec, our Customers, or others.

10. International Data Transfers

Our primary infrastructure is hosted on Google Cloud Platform in the europe-west2 (London, UK) region. All session recording data, customer account data, and associated metadata are stored within this region.

Core session recording data is not transferred to the United States or other jurisdictions outside the UK/EEA. However, certain sub-processors (Stripe, Resend, and optionally OpenAI) may process limited categories of data in the US. Where personal data is transferred outside the EEA/UK, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreement or Addendum where applicable
  • Adequacy decisions by the European Commission or UK Secretary of State

For self-hosted deployments, you control exactly where your data is stored and processed.

11. Your Rights Under GDPR

If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) and UK GDPR:

  • Right of access (Art. 15): request a copy of the personal data we hold about you
  • Right to rectification (Art. 16): request correction of inaccurate or incomplete personal data
  • Right to erasure (Art. 17): request deletion of your personal data ("right to be forgotten"). We will delete your account data and all associated session recordings within 30 days
  • Right to restrict processing (Art. 18): request that we limit how we use your data in certain circumstances
  • Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format (JSON). You can export your data from the dashboard or request an export via email
  • Right to object (Art. 21): object to processing based on legitimate interests or for direct marketing purposes
  • Right to withdraw consent (Art. 7): where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
  • Right to lodge a complaint: you may file a complaint with your local supervisory authority (in the UK, this is the Information Commissioner's Office at ico.org.uk)

To exercise any of these rights, contact us at privacy@webrec.app. We will respond within 30 days as required by GDPR. We may ask you to verify your identity before processing your request.

11.1 End User Rights

For End User data collected through the SDK, the Customer (website operator) is the data controller and Webrec acts as a data processor. End Users should contact the relevant website or application operator to exercise their data subject rights.

We provide Customers with tools to fulfil data subject requests, including the ability to:

  • Search for and retrieve sessions associated with a specific user ID
  • Delete all sessions for a specific user ID (supporting right to erasure requests)
  • Export session data in a portable format (supporting right to portability requests)

12. Children's Privacy

The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at privacy@webrec.app and we will take steps to delete such information promptly.

Customers must not knowingly use the SDK to record sessions of users under 16 without verifiable parental consent where required by applicable law.

13. Cookies

Our website uses a limited number of essential cookies for authentication and security purposes. We do not use advertising, marketing, or third-party analytics cookies on our website.

For comprehensive information about the cookies we use, how the Webrec SDK uses browser storage on customer websites, and how to manage your cookie preferences, please see our dedicated Cookie Policy.

14. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption in transit: all data transmitted between clients and our servers is encrypted using TLS 1.2 or higher
  • Encryption at rest: all stored data is encrypted using AES-256 encryption on Google Cloud Platform
  • Access controls: role-based access controls, multi-factor authentication for infrastructure access, and principle of least privilege
  • Audit logging: comprehensive logging of access to systems and data
  • Secure development: code reviews, dependency scanning, and security-focused development practices
  • Incident response: documented incident response procedures with defined escalation paths

While we take reasonable steps to protect personal data, no method of electronic transmission or storage is 100% secure. If you become aware of a security vulnerability or incident, please contact us immediately at security@webrec.app.

15. Data Breach Notification

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to the rights and freedoms of individuals, we will also notify affected data subjects without undue delay (Article 34).

Where Webrec is acting as a data processor, we will notify affected Customers without undue delay (and in any event within 48 hours) so they can fulfil their own notification obligations as data controllers.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

  • Sending an email to the address associated with your account
  • Displaying a prominent notice on our website
  • Updating the "Last updated" date at the top of this policy

We will provide at least 14 days' notice before material changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy. If you do not agree to the changes, you should stop using the Service and contact us to delete your account.

17. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at the addresses given in Section 2 (privacy@webrec.app for privacy inquiries, legal@webrec.app for legal matters) or, for security matters, at security@webrec.app.

We aim to respond to all inquiries within 30 days. For urgent security matters, we will respond as quickly as possible.