Privacy Policy
Effective Date: March 16, 2026 · Last Updated: March 16, 2026
StepwiseGO ("StepwiseGO," "we," "us," or "our") is a robotic process automation platform that enables users to design, build, run, and manage automated workflows. This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our website at stepwisego.com and our applications, including StepwiseGO Control, StepwiseGO Edit, StepwiseGO Runner, and StepwiseGO Agent (collectively, the "Service").
By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.
1. Information We Collect
We collect different types of information depending on how you interact with the Service:
Account Information
When you create an account, we collect your name, email address, organization name, job title, and role. We use passwordless authentication (magic links and one-time passcodes), so we do not collect or store passwords.
Bot & Workflow Data
When you use StepwiseGO Edit or the AI Bot Builder, we process bot definitions, step configurations, action properties, variable names, and workflow structures that you create. This is customer-controlled content.
Execution & Log Data
When bots run through StepwiseGO Runner and Agent, we process execution logs, run status, timing data, and result summaries. Variable values resolved during execution may contain data you or your organization define.
Usage Data
We automatically collect information about how you use the Service, including features accessed, session duration, pages viewed, and interaction patterns.
Technical Data
We collect your IP address, browser type and version, operating system, device information, time zone, and referring URLs.
Communication Data
When you contact us for support or provide feedback, we collect the content of your messages, your email address, and any attachments you provide.
Payment Data
If you purchase a paid plan, payment information (such as credit card details) is collected and processed by our third-party payment processor. We do not store full payment card numbers on our servers.
2. How We Collect Information
- Directly from you: When you register, create bots, configure workflows, contact support, or fill out forms.
- Automatically: Through cookies, server logs, and analytics tools when you use the Service.
- From third parties: From authentication providers, payment processors, and analytics services that help us operate the Service.
3. Legal Basis for Processing
If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction that requires a legal basis for processing personal data, we rely on the following grounds:
- Contract performance: Processing necessary to provide the Service, manage your account, and fulfill our obligations to you.
- Consent: Processing based on your explicit opt-in, such as marketing communications and optional analytics.
- Legitimate interests: Processing necessary for our legitimate business interests, such as improving the Service, ensuring security, and preventing fraud, balanced against your rights and freedoms.
- Legal obligation: Processing required to comply with applicable laws, legal processes, or enforceable governmental requests.
4. How We Use Your Information
We use the information we collect for the following purposes:
- Provide, operate, and maintain the Service, including bot execution, workflow management, and real-time monitoring.
- Authenticate users and manage accounts, organizations, and role-based access controls.
- Process bot executions, store run logs, and deliver execution results.
- Improve, develop, and test new features and functionality.
- Send service-related communications, including account notifications, security alerts, and system updates.
- Provide customer support and respond to your requests.
- Send marketing communications where you have opted in (you can unsubscribe at any time).
- Detect, prevent, and address security incidents, fraud, and technical issues.
- Comply with legal obligations and enforce our terms of service.
5. Automation & AI-Specific Provisions
As a robotic process automation platform with AI capabilities, StepwiseGO handles data that may be unique to automation workflows. We are committed to transparency about how this data is treated:
Customer Data Ownership
Bot definitions, workflow configurations, variable values, and execution data that you create or process through the Service belong to you. We do not claim ownership over your automation content.
AI Bot Builder
When you use our AI Bot Builder feature, your natural language descriptions and the resulting bot configurations are processed by third-party AI providers (such as OpenAI, Anthropic, or Google) solely to generate the requested automation. We do not use your AI Bot Builder inputs or outputs to train our own models or any third-party models.
Execution Data
When StepwiseGO Runner and Agent execute your bots, they process data on your behalf. In this context, we act as a data processor and you (or your organization) are the data controller. Token variables (e.g., {var:name}) may resolve to values containing personal or sensitive data — we treat all resolved variable values as confidential.
No Training on Customer Data
We do not use your bot definitions, workflow data, variable values, or execution logs to train machine learning models, unless you provide explicit written consent. Aggregated, anonymized usage statistics (such as which action types are most popular) may be used to improve the Service.
6. Data Sharing & Third Parties
We do not sell your personal information. We may share your information in the following circumstances:
Service Providers
We share data with trusted third-party providers who help us operate the Service, including cloud hosting (Fly.io), email delivery, payment processing, and analytics. These providers are contractually obligated to protect your data and may only use it for the purposes we specify.
AI Providers
When you use AI-powered features, your input data is sent to third-party AI providers (such as OpenAI, Anthropic, or Google) to process your request. These providers operate under their own privacy policies and data processing agreements.
Legal Requirements
We may disclose your information if required to do so by law, in response to valid legal process (such as a court order or subpoena), or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your personal information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.
With Your Consent
We may share your information for other purposes with your explicit consent.
8. Data Retention
We retain your information only as long as necessary to fulfill the purposes described in this policy:
- Account data: Retained while your account is active and for 30 days following account deletion to allow for recovery.
- Bot & workflow data: Retained according to your subscription plan. You may delete your data at any time through the Service or by contacting us.
- Execution logs: Retained for 90 days by default. Extended retention may be available on higher-tier plans.
- Support data: Retained for 1 year after support ticket closure.
- Server logs: Retained for 90 days.
We may retain certain data for longer periods where required by law, for legitimate business purposes (such as resolving disputes), or to enforce our agreements.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal information:
- Encryption in transit: All data transmitted between you and the Service is encrypted using TLS (Transport Layer Security).
- Encryption at rest: Sensitive data stored on our servers is encrypted at rest.
- Access controls: We use role-based access controls (RBAC) to restrict access to personal information to authorized personnel only.
- Secure infrastructure: Our Service is hosted on industry-standard cloud infrastructure with physical and network security controls.
- Vault variables: Sensitive automation values (API keys, credentials) can be stored as encrypted vault variables, which are never exposed in logs or UI.
- Incident response: We maintain incident response procedures and will notify affected users of any data breach as required by applicable law.
While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security.
10. International Data Transfers
Your personal information may be transferred to and processed in countries other than the one in which you reside, including the United States, where our servers and service providers are located.
If you are located in the European Economic Area (EEA) or the United Kingdom, we ensure that transfers of personal data outside of these regions are subject to appropriate safeguards, including the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, as applicable. You may request a copy of these safeguards by contacting us at the address below.
11. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal information:
All Users
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete information.
- Deletion: Request deletion of your personal information, subject to legal retention requirements.
- Data portability: Request your data in a structured, machine-readable format.
- Withdraw consent: Where processing is based on consent, you may withdraw it at any time.
EU/EEA & UK Residents (GDPR)
In addition to the rights above, you may also: object to processing based on legitimate interests, request restriction of processing, and lodge a complaint with your local data protection authority.
How to Exercise Your Rights
To exercise any of these rights, contact us at privacy@stepwisego.com. We will respond to your request within 30 days (or sooner where required by law). We may ask you to verify your identity before processing your request.
12. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know: You may request the categories and specific pieces of personal information we have collected about you, the sources of collection, the purposes for collection, and the third parties with whom we share it.
- Right to delete: You may request that we delete the personal information we have collected about you, subject to certain exceptions.
- Right to opt out of sale: We do not sell personal information. If this changes, we will provide a "Do Not Sell My Personal Information" link.
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.
- Right to correct: You may request that we correct inaccurate personal information we maintain about you.
- Right to limit use of sensitive information: You may request that we limit the use and disclosure of your sensitive personal information.
To exercise these rights, contact us at privacy@stepwisego.com. We will verify your identity using your account email or through other reasonable means. You may also designate an authorized agent to submit requests on your behalf.
13. Children's Privacy
The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal information, please contact us at privacy@stepwisego.com.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by email (sent to the address associated with your account) and/or by posting a prominent notice within the Service prior to the changes taking effect. We encourage you to review this page periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: privacy@stepwisego.com
Website: stepwisego.com
We aim to respond to all privacy-related inquiries within 30 days.
