Privacy Policy
Last updated: March 11, 2026
1. Introduction
StepsKit (“we”, “us”, “our”) is a platform that helps SaaS teams create in-app product tours for onboarding, feature adoption, and user guidance. This policy covers the stepskit.com website, the StepsKit dashboard, and the StepsKit embed script installed on our customers’ websites.
2. Information We Collect
Dashboard Users (StepsKit Customers)
- Account information (email address, password — managed by Supabase)
- Billing information (processed by Stripe — we never store credit card numbers directly)
- Project data (tours, steps, settings, themes you create)
- Usage data (pages visited and features used within the StepsKit dashboard)
End-Users (Your Customers’ Users)
- Visitor identifier (only if provided by our customer via the embed script’s `data-user-id` attribute or `setUserAttributes()` API)
- Tour interaction events (tour started, completed, dismissed, steps viewed, button clicks)
- Session identifier (a random UUID generated per browser session)
- Referring domain (validated against the customer’s allowed domains list)
Important: User attributes such as email, plan, name, or any custom properties passed to the StepsKit embed script are processed entirely in the end-user’s browser for tour targeting purposes. These attributes are never transmitted to or stored on StepsKit servers.
3. How We Use Your Information
- To provide and maintain the StepsKit service
- To process payments and manage subscriptions
- To provide tour analytics to our customers (aggregated event data)
- To enforce frequency capping (e.g., showing a tour only once per visitor)
- To send transactional emails (account confirmation, password reset)
- To improve our product and fix bugs
- To protect against fraud and abuse
4. Legal Basis for Processing (GDPR)
- Contract: Processing dashboard user data is necessary to provide the service you signed up for
- Legitimate Interest: Analytics, security monitoring, and product improvement
- Consent: We will obtain your consent before sending any marketing communications
5. Data Sharing & Sub-Processors
We do not sell your personal data. We do not share data with advertisers. We use the following service providers to operate StepsKit:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Authentication & database | United States |
| Stripe | Payment processing | United States |
| Vercel | Application hosting | United States |
| Resend | Transactional email | United States |
| Simple Analytics | Privacy-first website analytics | The Netherlands (EU) |
6. Cookies & Local Storage
- Authentication cookies — Set by Supabase for session management. Strictly functional and required for login. No tracking purpose.
- Session storage — The embed script uses the browser’s `sessionStorage` to store a random session ID. This is not a cookie, is never shared with third parties, and is automatically cleared when the browser tab is closed.
- We do not use third-party tracking cookies, advertising cookies, or analytics cookies.
7. Data Retention
- Account data — Retained while your account is active and for 30 days after deletion
- Billing records — Retained as required by applicable tax law (typically 7 years)
- Tour event data — Retained for the duration of the customer’s active subscription
- Visitor records — Deleted when the associated project is deleted
- You can request deletion of your data at any time by contacting us
8. Your Rights
Under GDPR (EU/EEA residents)
You have the right to access, rectify, and erase your personal data, to restrict or object to its processing, to receive a portable copy of it, and to withdraw consent at any time.
Under CCPA/CPRA (California residents)
You have the right to know what personal data we collect, to delete it, to correct it, to opt out of its sale (we do not sell personal data), and not to be discriminated against for exercising these rights.
How to exercise your rights
Email contact@stepskit.com or delete your account from the dashboard settings. We will respond within 30 days.
9. International Data Transfers
Your data is processed primarily in the United States by the sub-processors listed in section 5. If you are located in the European Economic Area, transfers outside the EEA are covered by Standard Contractual Clauses implemented by our sub-processors.
10. Children’s Privacy
StepsKit is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will delete it promptly.
11. Security
- All data encrypted in transit (TLS) and at rest
- Zero-trust backend architecture — no direct database access from client applications
- Access restricted to authenticated and authorized users only
- Regular security updates and dependency monitoring
12. Changes to This Policy
We may update this policy from time to time. For material changes, we will notify dashboard users by email. The “Last updated” date at the top of this page will always reflect the most recent revision. Continued use of StepsKit after changes constitutes acceptance of the updated policy.
13. Contact Us
If you have questions about this privacy policy or our data practices, contact us at: contact@stepskit.com