What the Extension records — and when
Recording starts only when you press "Start Recording" in the Sevenda DevTools panel and stops when you press Stop. Outside of an active recording, the Extension does not monitor, intercept, or store any browsing activity: the network-monitoring component is injected into the page only at the moment you start a recording, and only into the tab you are recording.
During an active recording, the Extension captures, in the recorded tab only:
- Navigation events — the URLs of pages you visit during the recording.
- Interaction events — clicks and form submissions: the element's tag, id, visible text (truncated to 100 characters), and position in the page. Form field values (what you type) are never captured.
- Network events — URL, HTTP method, status code and duration of fetch/XHR calls made by the page, plus a preview of request and response bodies truncated to 500 characters. Before capture, fields commonly containing credentials (passwords, tokens, API keys, card numbers, CVV, OTP codes and similar) are replaced with "[REDACTED]".
- JavaScript errors — error message, file, line and stack trace.
- Page structure events — opening/closing of modals and dialogs (element selector only, no content).
- Analytics events (Insights Mode) — Google Tag Manager dataLayer pushes and decoded GA4 hits emitted by the page, including consent-state signals. Where the Extension's PII-leak detector identifies personal data inside the page's own analytics traffic (a feature that helps you audit tracking compliance), the detected value is stored masked (e.g. ma***@example.com), never in clear text.
Where your data is stored
All recorded sessions, events, and generated diagrams are stored locally on your device in the browser's IndexedDB. They are not transmitted to Sevenda Lab — we operate no data-collection servers.
Local data is automatically deleted by a built-in retention policy: sessions older than 30 days, or beyond the 100 most recent sessions, are removed daily. You can delete any session manually at any time, and removing the Extension deletes all locally stored data.
Your settings (interface language, capture filters, and your Anthropic API key if you provide one) are stored in Chrome's extension storage. If you have Chrome sync enabled, Chrome synchronizes this storage — including the API key — across your own signed-in browsers via your Google account, under Google's encryption and Google's own privacy policy. If you prefer not to sync it, you can disable extension sync in Chrome settings.
When data leaves your device
Data leaves your device only through actions you explicitly take:
- AI generation (Anthropic). When you press "Generate", the recorded event sequence of the selected session (as described in section 1, with redactions applied) is sent to the Anthropic Claude API to produce your diagram or report. This uses your own Anthropic API key — the Extension ships without one, and Sevenda Lab never sees your key or your prompts. Anthropic processes this data as your API provider under the Anthropic Commercial Terms; per Anthropic's API data policy, API inputs are not used to train models.
- Team workspaces (Supabase, optional). If you sign in to a Team workspace with your email, sessions you explicitly choose to share are uploaded to our Supabase-hosted backend (EU-hosted PostgreSQL with row-level security), where they are visible only to members of your workspace. We store: your email address, workspace membership, the shared session data, and comments. You can delete shared sessions and your account at any time; deletion is permanent.
- Jira export (optional). If you configure your Jira credentials in Settings, exports go directly from your browser to your own Jira instance. Credentials are stored locally and never pass through Sevenda Lab.
The Extension makes no other network requests. It loads no remote code, no remote fonts, no analytics scripts, and displays no ads.
What we do NOT do
- We do not collect telemetry, usage analytics, or crash reports.
- We do not sell, rent, or transfer your data to third parties.
- We do not use your data for advertising, profiling, or creditworthiness.
- We do not capture keystrokes or form input values.
- We do not record anything while a recording is not active.
Legal basis and your rights (GDPR)
Sevenda Lab, as the developer, processes personal data only in the limited Team-workspace scenario above (legal basis: performance of contract, Art. 6(1)(b) GDPR). For locally stored recordings, you are the sole controller of the data on your device.
You have the right to access, rectify, export, and erase the data associated with your Team account, and to lodge a complaint with your supervisory authority (in Italy: Garante per la Protezione dei Dati Personali). To exercise these rights, contact hello@sevenda.dev — we respond within 30 days.
A note on recording third-party data: if you record sessions on systems containing other people's personal data (e.g. a CRM), you are responsible for ensuring you are authorized to do so under your organization's policies and applicable law.
Children
Sevenda is a professional tool and is not directed at children under 16. We do not knowingly process children's data.
Changes
We will update this policy as the product evolves (e.g. if the optional Google Tag Manager integration is enabled in a future version, which would involve Google OAuth and the Tag Manager API). Material changes will be announced on sevenda.dev and reflected in the effective date above.