Privacy Policy

Last updated: April 28, 2026

1. Introduction

Sherpa ("we," "our," or "us") is operated as a sole proprietorship by Jack Polivka. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, browser extension, embeddable script, and related services (collectively, the "Service").

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with the practices described here, please do not use the Service.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, and password when you create an account
  • Profile and Team Information: Team or company name, role, and team member details
  • Payment Information: Billing address and payment details (credit card information is processed and stored by our payment processor, Stripe, and is never stored on our servers)
  • Communications: Information you provide when you contact our support team, respond to surveys, or communicate with us
  • User-Generated Content: Walkthroughs, tours, captions, and other content you create using the Service

2.2 Information Collected During Recordings

Recording data is collected only during user-initiated recording sessions started from the browser extension. The extension does not collect, transmit, or process any data outside of an active recording session. When you start a recording, we collect:

  • Screenshots: Images of the web page at each step of your walkthrough, captured at the moment of interaction
  • Click and Interaction Data: Information about which elements were clicked, including element type, position, text content, and associated labels
  • Audio Recordings: Voice narration captured during the recording session. Audio is sent to OpenAI's Whisper API for transcription and is not written to Sherpa's storage. Only the resulting transcript is retained.
  • DOM Snapshots: Sanitized HTML structure of the page surrounding clicked elements, along with semantic context such as ARIA labels and data attributes, used to make walkthroughs resilient to UI changes. Input field values are not captured — we record only whether a field contains a value, not the value itself.
  • Page Metadata: URL and page title at the time of each recorded interaction

This recording data is processed solely to generate your walkthrough content and is stored securely within your team's account. We do not use recording data for any purpose other than providing the Service to you.

2.3 Information Collected Automatically

  • Usage Data: Features used, pages visited within the dashboard, walkthrough creation and editing activity, and interaction patterns
  • Device Information: Browser type and version, operating system, screen resolution, and device type
  • Log Data: IP address, access timestamps, referring URLs, and error logs
  • Cookies and Similar Technologies: See Section 8 for details

2.4 Information Collected by the Embeddable Script

The embeddable script is designed to minimize data collection from your end users. Walkthrough progress is stored locally in the end user's browser (via localStorage) and is never transmitted to our servers.

The script transmits data to our servers only when a walkthrough fails to render correctly for an end user. In that case, it sends an error report containing:

  • The failure reason (e.g. element not found, page not configured for walkthroughs)
  • The identifier of the affected walkthrough and step
  • The page URL and hostname where the failure occurred
  • The browser user agent string

The embeddable script does not set cookies on your domain, does not assign persistent identifiers to your end users, and does not collect personally identifiable information. You are responsible for providing appropriate privacy notices to your end users regarding the presence of the script on your site.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing the Service: To create, host, and deliver your walkthroughs; to process recordings and generate AI-powered captions and instructions; and to provide analytics on walkthrough performance
  • Account Management: To create and manage your account, authenticate your identity, and process billing and payments
  • Communication: To send you service-related notices, updates, security alerts, and support messages
  • Improvement: To analyze usage patterns, diagnose technical issues, and improve the functionality and user experience of the Service
  • Security: To detect, prevent, and address fraud, abuse, security incidents, and technical issues
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, or governmental requests

We do not use your recording data (screenshots, audio, click data) for any purpose other than generating and delivering your walkthrough content. We do not use Your Content to train AI models.

4. How We Share Your Information

We do not sell, rent, or trade your personal information. We may share your information only in the following circumstances:

  • Service Providers: We share information with third-party service providers who assist us in operating the Service, including:
    • Cloud hosting and storage providers
    • Payment processing (Stripe)
    • AI/language model providers for caption generation
    • Analytics services
    • Email delivery services
    These providers are contractually obligated to use your information only as necessary to provide their services to us and to maintain appropriate security measures.
  • Team Members: Content and account information may be shared with other members of your team as determined by your team's access settings
  • Legal Requirements: We may disclose your information if required by law, subpoena, court order, or other legal process, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others
  • Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of the transaction. We will notify you before your information is transferred and becomes subject to a different privacy policy
  • With Your Consent: We may share your information with third parties when you have given us explicit consent to do so

5. Data Security

We implement appropriate technical and organizational measures to protect your information, including:

  • Encryption of data in transit (TLS/SSL) and at rest via infrastructure-level disk encryption provided by our hosting provider
  • Regular security assessments and monitoring
  • Access controls limiting employee access to personal data on a need-to-know basis
  • Secure cloud infrastructure with industry-standard certifications
  • Regular backups and disaster recovery procedures

While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security and encourage you to use strong, unique passwords and protect your account credentials.

6. Data Retention

We retain your information for as long as your account is active or as needed to provide the Service. Specifically:

  • Account Data: Retained for the duration of your account, plus 30 days following account deletion to allow for data export
  • Walkthrough Content: Retained for the duration of your account. Published walkthroughs remain accessible to your end users until you unpublish or delete them
  • Recording Data: Audio is streamed to OpenAI's Whisper API for transcription and is not written to Sherpa's storage — only the resulting transcript is stored alongside your walkthrough. Screenshots and processed walkthrough data are retained as part of your walkthrough content for the duration of your account, so you can re-process, edit, or review your walkthroughs at any time. When you delete a walkthrough from the dashboard, its associated screenshots and metadata are permanently removed. When a team account is deleted, all remaining walkthrough data is permanently removed within 30 days.
  • Usage and Log Data: Retained for up to 12 months for analytics and security purposes, then aggregated or deleted
  • Payment Records: Retained as required by applicable tax and financial regulations

You may request deletion of your account and associated data at any time by contacting support@usesherpa.app. Account deletion is processed within 30 days, subject to any legal obligations to retain certain information.

7. Your Rights and Choices

Depending on your location, you may have certain rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete personal information
  • Deletion: Request deletion of your personal information, subject to certain exceptions
  • Portability: Request a copy of your data in a structured, commonly used, machine-readable format
  • Objection: Object to our processing of your personal information in certain circumstances
  • Restriction: Request restriction of processing of your personal information
  • Withdrawal of Consent: Where processing is based on consent, you may withdraw consent at any time

To exercise any of these rights, please contact us at support@usesherpa.app. We will respond to your request within 30 days (or sooner if required by applicable law). We may need to verify your identity before processing your request.

7.1 California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including:

  • The right to know what personal information we collect, use, and disclose
  • The right to request deletion of your personal information
  • The right to opt out of the sale of personal information (we do not sell personal information)
  • The right to non-discrimination for exercising your privacy rights

7.2 European Economic Area Residents (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, our legal bases for processing your personal information include:

  • Performance of Contract: Processing necessary to provide you with the Service
  • Legitimate Interests: Processing for our legitimate business interests, such as improving the Service and ensuring security, where these interests are not overridden by your rights
  • Consent: Where you have given us specific consent for processing
  • Legal Obligation: Processing necessary to comply with applicable laws

You also have the right to lodge a complaint with your local data protection authority.

8. Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve the Service. The types of cookies we use include:

  • Essential Cookies: Required for the Service to function properly, including authentication, security, and session management. These cannot be disabled.

We do not use analytics cookies, advertising cookies, or third-party tracking cookies. The Service uses browser localStorage and sessionStorage for session tokens, pending navigation state, and walkthrough progress — these are not cookies and are not sent to third-party servers. You can control cookies through your browser settings. Note that disabling essential cookies may prevent the Service from functioning properly.

9. Subprocessors

Sherpa relies on the following third parties to operate the Service. Each is contractually obligated to process data only as needed to provide their service to us, and to maintain appropriate security measures.

  • Railway: Application hosting, database, and storage. All Service data is hosted on Railway in US regions, with disk encryption at rest.
  • Stripe: Payment processing. Card numbers are processed and stored by Stripe and are never stored on Sherpa's servers. Stripe's privacy policy is available at stripe.com/privacy.
  • OpenAI (Whisper API): Audio transcription. Audio is sent for transcription and is not retained by OpenAI after the response.
  • Anthropic (Claude API): AI-generated captions and the in-product assistant. Only step metadata, transcript text, and end-user questions are sent. Screenshots and audio are not shared with Anthropic.
  • Google (Sign-In / OAuth): Optional authentication for the dashboard and extension. We request only the openid, email, and profile scopes. We do not request access to Gmail, Drive, Calendar, or any other Google service.
  • Resend: Transactional email (signup confirmation, team invites, password reset, account notices).

The Service may also link to third-party websites or applications. This Privacy Policy does not apply to those services. We encourage you to review their privacy policies before using them.

10. Children's Privacy

The Service is not intended for children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children under these ages. If we learn that we have collected personal information from a child under the applicable age, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at support@usesherpa.app.

11. International Data Transfers

Sherpa hosts and processes all Service data in US regions on Railway infrastructure. If you access the Service from outside the United States, your information will be transferred to and processed in the United States, which may have data protection laws different from those in your jurisdiction.

When we transfer personal information internationally, we implement appropriate safeguards, including:

  • Standard Contractual Clauses approved by the European Commission
  • Data processing agreements with our service providers
  • Compliance with applicable data transfer frameworks

12. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify you and the relevant supervisory authorities as required by applicable law. Notification will be provided without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Notify you by email or through a prominent notice within the Service at least 30 days before the changes take effect
  • Obtain your consent for material changes where required by law

We encourage you to review this Privacy Policy periodically.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We will respond to all privacy-related inquiries within 30 days.