Introduction
Captoric ("we," "our," or "us") provides a web application and browser extension for creating interactive product demonstrations by capturing screenshots with annotations. This Privacy Policy explains how we collect, use, store, and protect your information when you use our services.

Services Covered
This Privacy Policy applies to:

• Captoric Web Application (hosted at app.captoric.com)
• Captoric Chrome Browser Extension

Information We Collect

1. Authentication Information

Google OAuth Authentication:

• Email address
• Profile information (name, profile picture)
• Google Account unique identifier
• OAuth tokens (access tokens, refresh tokens)

Purpose: To authenticate users, manage account access, and associate created content with user accounts.
Storage: Authentication state is stored in Firebase Authentication and persisted locally in browser IndexedDB.

2. User-Generated Content
Screenshots and Recordings:

• Screenshots captured from web pages
• Annotations, tooltips, and hotspot positions
• Demo titles, descriptions, and metadata
• Step sequences and navigation information
• Chapter slides with custom text and call-to-action buttons
• Creation and modification timestamps

Purpose: To provide the core functionality of creating, storing, editing, and sharing interactive demos.
Storage: Stored in Firebase Firestore (database) and Firebase Storage (image files) with user-specific access controls.

3. Browser Extension Data Collection
When Extension is Active:

• Web Page Screenshots: Visual captures of web pages you choose to record
• Click Coordinates: X/Y positions of clicks during capture mode
• Element Information: Text content, aria-labels, or titles from clicked elements
• Page URLs: URLs of pages where screenshots are captured
• Tab Information: Active tab metadata for screenshot context
• Local Storage: Temporary storage of capture session data

Purpose: To enable screenshot capture, click detection, and demo creation workflow.
Note: The extension only captures data when you explicitly activate capture mode. It does not monitor or record your browsing activity when inactive.

4. Analytics and Telemetry Data
Mixpanel Analytics:

• Page views and navigation patterns
• Feature usage (clicks, interactions)
• Scroll depth tracking
• Session duration
• Anonymous device identifier
• Browser type and version
• Operating system
• Screen resolution
• Referring URL (without query parameters)

Google Analytics 4 (GA4):

• Page views and screen names
• User engagement metrics
• Traffic source information
• Geographic location (country/city level)
• Device category and browser information
• Session count and duration

Sentry Error Tracking:

• JavaScript errors and exceptions
• Stack traces and error context
• Browser and OS information
• Page URL (without query parameters or sensitive data)
• User actions leading to errors (breadcrumbs)
• Performance metrics (page load times, response times)

Purpose: To improve product quality, identify bugs, understand usage patterns, and optimize user experience.
Privacy Controls:

• No personally identifiable information (PII) is sent to analytics services
• Query parameters and cookies are stripped from URLs before transmission
• LocalStorage and sessionStorage data is never transmitted

5. Session and Temporary Data
Browser Storage:

• SessionStorage: Current page state, active slide index, toolbar menu state, unsaved edits, etc.
• LocalStorage: User preferences, auth persistence
• In-Memory Cache: Loaded demo data for performance optimization

Purpose: To provide smooth user experience, persist work-in-progress, and optimize performance.
Retention: Session data is cleared when browser tab/window is closed. LocalStorage persists until cleared by user.

Browser Extension Permissions
The Captoric Extension requests the following Chrome permissions:

Content Scripts
The extension injects JavaScript code on web pages to enable:

• Screenshot capture when activated
• Click coordinate detection during capture mode
• Visual marker rendering for clicked elements
• Communication between the companion web app and the extension side panel

Content scripts only actively capture data when you explicitly start a recording session. They do not monitor or transmit your browsing activity otherwise.

How We Use Your Information
Primary Uses

1. Service Delivery: Authenticate users, store demos, enable sharing and collaboration
2. Feature Functionality: Screenshot capture, annotation editing, demo playback
3. Synchronization: Sync demos across devices for authenticated users
4. Public Sharing: Enable demo viewing for public links (when marked as public by user)

Secondary Uses

1. Analytics: Understand feature adoption, user flows, and engagement patterns
2. Error Monitoring: Identify and fix bugs, track performance issues
3. Product Improvement: Analyze usage data to prioritize features and improvements
4. Technical Support: Diagnose issues reported by users

Data Sharing and Third-Party Services
We use the following third-party services that may process your data:
Firebase (Google Cloud Platform)

• Services Used: Authentication, Firestore Database, Storage, Cloud Functions
• Data Shared: Authentication tokens, user IDs, demo content, screenshots
• Purpose: Core infrastructure for app functionality
• Privacy Policy: https://firebase.google.com/support/privacy
• Data Location: Multi-region (US and EU available)

Google OAuth

• Data Shared: Email, profile information (with your consent)
• Purpose: User authentication
• Privacy Policy: https://policies.google.com/privacy

Mixpanel

• Data Shared: Anonymous usage events, device metadata
• Purpose: Product analytics
• Privacy Policy: https://mixpanel.com/legal/privacy-policy

Google Analytics 4

• Data Shared: Page views, engagement metrics, device information
• Purpose: Web analytics
• Privacy Policy: https://policies.google.com/privacy

Sentry

• Data Shared: Error reports, stack traces, browser context
• Purpose: Error monitoring and performance tracking
• Privacy Policy: https://sentry.io/privacy/

Data Not Shared
We do not sell, rent, or trade your personal information to third parties for marketing purposes. We do not share your demo content with any parties except:

• Firebase infrastructure (for storage and delivery)
• Users you explicitly share demos with (via public links)

Data Security
Security Measures
Encryption:

• All data transmitted over HTTPS/TLS connections
• Firebase Storage uses encryption at rest
• OAuth tokens encrypted in browser storage

Access Controls:

• Firestore security rules enforce user-based access control
• Public demos accessible only with direct link knowledge
• Private demos accessible only to authenticated owner
• Server-side validation for all write operations

Authentication:

• Google OAuth 2.0 with industry-standard security
• Token refresh mechanism for continuous authentication
• Automatic session expiration after 7 days of inactivity
• Protection against CSRF, XSS, and injection attacks

Extension Security:

• Manifest V3 compliance with enhanced security model
• Content Security Policy (CSP) enforcement
• Isolated execution contexts for scripts
• No remote code execution or eval usage

Data Retention
Active Accounts:

• Demo content retained indefinitely while account is active
• Screenshot images stored in Firebase Storage
• Database records in Firestore

Deletion:

• Users can delete individual demos at any time
• Deletion triggers Cloud Function that removes database records and associated screenshot files
• Analytics data is anonymized and retained for aggregate reporting
• Auth tokens automatically expire after 7 days of inactivity

Account Termination:

• Users can delete all data by deleting associated demos
• Contact support@captoric.com for complete account deletion

Your Privacy Rights
Access and Control
You have the right to:

• Access: View all demos and data associated with your account
• Modify: Edit or update demo content at any time
• Delete: Remove individual demos or all content
• Export: Download demo data (contact support for bulk export)
• Revoke Access: Sign out to revoke authentication tokens

Opt-Out Options for Extension Permissions:

• Uninstall extension to revoke all browser permissions
• Disable extension to prevent screenshot capture

Children's Privacy
Captoric is not directed to children under 13 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at support@captoric.com.

Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. We will notify users of material changes by:

• Updating the "Last Updated" date at the top of this policy
• Displaying a notice in the web application
• For significant changes, sending email notifications to registered users

Continued use of Captoric services after changes constitutes acceptance of the updated Privacy Policy.

Cookie Policy
Captoric uses minimal cookies and browser storage:
Essential:

• Firebase Authentication cookies (for session management)
• Session tokens in IndexedDB

Analytics:

• Mixpanel tracking cookies
• Google Analytics cookies (_ga, _gid)

Contact Information
For privacy-related questions, concerns, or requests: support@captoric.com

Summary
What we collect: Authentication info, user-generated demos/screenshots, analytics
Why we collect it: To provide service, improve features, fix bugs
Who we share with: Firebase infrastructure, analytics providers
Your control: Delete demos anytime, export data, delete account
Security: HTTPS encryption, access controls, OAuth security, regular updates

By using Captoric, you acknowledge that you have read and understood this Privacy Policy.