Privacy Policy
Last updated: July 6, 2026
This policy covers two things: the stepped.ai website and the Stepped Chrome extension. The short version: this website sets no cookies and runs no analytics, and the extension sends your data exclusively to the Stepped instance you operate and paired it with — never to us.
1. The stepped.ai website
stepped.ai is a static website. It sets no cookies, embeds no third-party content, loads no external fonts or scripts, and runs no analytics or tracking of any kind. Every asset is served from stepped.ai itself.
Server logs
The site is hosted by Hetzner Online GmbH in Germany. Like virtually every web server, the hosting infrastructure writes standard access logs (IP address, requested URL, timestamp, user-agent) for operational security and abuse prevention. These logs are kept for a short period and then deleted; they are not used to identify visitors and are not combined with any other data. Legal basis: legitimate interest in securely operating the site (Art. 6(1)(f) GDPR).
Local storage
If you use the light/dark theme toggle, your choice is stored as a single value in your
browser's localStorage. It never leaves your browser and contains no personal
data.
2. The Stepped Chrome extension
The extension records and replays browser workflows. It is designed around one rule: all recording data goes only to the Stepped instance you paired the extension with — typically one you self-host on your own machine or server. The extension sends nothing to the developers of Stepped: no telemetry, no crash reports, no usage statistics, no content.
What the extension processes
- While you are recording: the steps you perform (clicks, typing, navigation), the page structure needed to identify the elements you interacted with, and screenshots of the recorded steps. This data is streamed to your paired instance and stored there.
- While a workflow replays: the same kind of data, used to execute steps and verify they worked.
- Text typed into password fields is treated as a secret at capture time: it is never stored in plaintext and is excluded from anything you later share or publish.
When the extension is not recording or replaying, it captures nothing. Community sharing is
opt-in and uses .stepped.json bundles that are structurally secret-free — the
format has no field in which sessions, cookies, or credentials could be exported.
Chrome permissions and why each is needed
-
debugger— Replays workflows in your browser with trusted input (real clicks and keystrokes) and captures screenshots during recording and replay. Chrome displays a visible banner whenever this permission is in use, and Stepped only attaches during a recording or replay you started. -
tabs— Tracks which tab a recording belongs to and follows workflows that legitimately open or switch tabs. -
storage— Stores the pairing with your own Stepped instance (its URL and pairing credential) and local extension settings. -
scripting— Injects the recorder into pages while you are recording, so clicks and typing can be captured as steps. -
sidePanel— Shows the recording side panel where captured steps appear live and can be renamed or deleted. -
activeTab— Lets the extension act on the tab you are looking at when you explicitly start a recording there. -
downloads— Captures downloads triggered by a workflow (for example an exported PDF) as workflow outputs. -
webNavigation— Records page navigations as steps and verification effects, so replays can confirm a step actually worked. -
Host access (all sites)— Recording and replay must work on whatever website you choose to automate, which cannot be known in advance. The extension is inert on every page until you start a recording or replay.
Data controller for extension data
Because extension data flows only to the instance you (or your organization) operate, the operator of that instance is the data controller for it. The developers of Stepped have no access to it.
3. Your rights
Under the GDPR you have the right to access, rectify, and erase personal data concerning you, the right to restrict or object to processing, and the right to data portability. Since this website stores no personal data beyond short-lived server logs at the hosting provider, there is usually nothing to request — but you can always contact us (see the imprint) and you have the right to lodge a complaint with a supervisory authority.
4. Changes
If this policy changes, the new version will be published here with an updated date. Since neither the website nor the extension phones home, no change can retroactively affect data — there is none to affect.