Privacy Policy
Last updated: February 18, 2026
Overview
This Privacy Policy describes the collection, use, and disclosure of personal data by APEX IT LABS S.R.L., a company incorporated under Romanian law, registered with the Romanian Trade Register under no. J23/1670/2023 (EUID: ROONRC.J23/1670/2023), with sole registration code (CUI) 47794692, VAT no. RO47794692, Registered office: Șoseaua Banatului 14, Bl. 15, Et. P, Ap. 171, 077045, Chitila, Ilfov, Romania (the “Company”). The Company operates the service under the brand name PokeDemo (“PokeDemo”, “we”, “us”, or “our”).
This Privacy Policy applies when you:
- visit our website (including joining our waitlist),
- create an account or use the PokeDemo Service (website/web application, browser extension, APIs, SDK), or
- contact us.
Controller vs Processor
Where we process personal data for our own purposes (for example: account administration, billing/tax, security, and fraud/abuse prevention), we act as an independent Controller and this Privacy Policy applies.
Where a business Customer uploads or captures recordings and related content in the Service, the Customer typically controls that content and determines the purposes and means of processing. In that context, PokeDemo generally acts as a Processor and our Data Processing Addendum (DPA) applies.
You can contact us at [email protected]
1. What Data We Collect
a) Data you provide (website & waitlist)
When you fill out our “Join Waitlist” form or otherwise contact us, we may collect:
- Email address
- any information you include in your message
b) Account and workspace data (Service)
If you create an account or use the Service, we may collect:
- name and email address
- authentication-related data (e.g., login/session information)
- workspace identifiers, roles/permissions, and workspace settings
c) Customer Content (recordings, assets, and exports)
When you use the Service (including the browser extension), we may process content you upload or capture, such as:
- Recordings (screen capture/video/audio if enabled), screenshots, annotations, and demo assets
- On-screen text or UI interactions that appear in a recording
- Metadata related to recordings/exports (timestamps, events, recording IDs, export status)
Important: You control what you record or upload. You must comply with Section 11 (Restricted Data and Prohibited Capture) of our Terms and must not capture or upload Restricted Data (including special categories of personal data) unless you have a lawful basis and implement appropriate safeguards.
d) Service usage and technical data
We may collect:
- IP address, device/browser type, operating system, and diagnostic data
- Logs related to performance, reliability, and security (including audit/security logs where applicable)
- Event data about how the Service is used (feature usage, errors, and performance metrics)
We use tools such as PostHog to collect and analyze this operational and usage data in order to secure the Service, prevent abuse, and troubleshoot reliability/performance issues.
e) Billing and transactional data
If you purchase paid features:
- Purchase history, billing address (if provided), invoices/receipts, tax/VAT information, and payment status.
- Payment card details are handled by our payment processor and are not stored by us.
f) Automatically collected data (cookies & tools)
We use cookies and similar technologies for essential functionality, security, and (where you consent) analytics. These may collect:
- IP address
- Browser settings
- Device type/OS
- Pages visited and time spent on site
Tools may include:
- Website analytics (e.g., Google Analytics)
- Product analytics and operational telemetry (e.g., PostHog)
- Bot protection (e.g., Cloudflare Turnstile)
- CDN/DNS and security services (e.g., Cloudflare)
g) Third-party sign-in data (Google Sign-In)
If you choose to create an account or log in using Google, we receive basic account information from Google, such as your email address, name, profile photo (if available), and a unique identifier associated with your Google account. We use this information to create and authenticate your account and help keep it secure. We do not receive your Google password, and we do not access other Google services (such as Gmail or Google Drive).
2. Why We Collect Your Data
We use personal data to:
- Provide and operate the website and Service (account creation, authentication, workspace features)
- Process recordings and generate export bundles, and make them available for download within the Service
- Communicate with you (support, legal notices, product updates if you opted in)
- Process payments, invoices, and tax obligations
- Maintain security, prevent fraud/abuse, and troubleshoot issues
- Monitor and improve website and Service performance and reliability
We do not sell your personal data and we do not use Customer Content for public marketing examples without permission.
3. Legal Bases for Processing (EEA/UK)
Where GDPR/UK GDPR applies, we process personal data based on the following legal bases, depending on the context:
- Contract (performance of a contract): to provide the Service under our Terms, including account operation and paid features.
- Legitimate interests: to secure and protect the website and Service, prevent abuse, maintain reliability, and improve performance (balanced against your rights).
- Consent: for non-essential cookies/analytics (where required), and for marketing/waitlist emails where you opt in (you can unsubscribe anytime).
- Legal obligation: to comply with accounting/tax rules, lawful requests, and other legal obligations.
4. Cookies and Tracking
We use cookies for essential functionality and security. Where required, you will be shown a cookie consent banner where you can accept or reject non-essential cookies.
Essential cookies and security tools (e.g., bot protection and PostHog security/reliability telemetry) are always active because they are necessary for the site to function and prevent abuse.
Analytics cookies (e.g., Google Analytics) are used only if you consent via the cookie banner (where required).
You can update your cookie preferences at any time via the cookie settings link in our footer. For more details, see our Cookie Policy.
5. How We Share Personal Data
We may share personal data with:
Service providers that help us deliver the website and Service (hosting, storage, email delivery, monitoring/analytics such as PostHog, CDN/DNS, security). They are permitted to process data only to provide services to us.
Payment processors to process transactions.
Authorities, advisors, and others where required by law, or to establish, exercise, or defend legal claims.
We do not sell Google Sign-In data. We share it only with service providers as necessary to operate the Service (for example, hosting and account authentication), consistent with this Privacy Policy.
6. Data Storage, Security, and Retention Security
We use technical and organizational measures designed to protect personal data, including access controls, encryption in transit (TLS), and security monitoring. No method of transmission or storage is 100% secure, but we work to protect your data appropriately.
Where data is stored
We primarily use EU/EEA-based regions for hosting and storage where available, but some service providers may process data globally (see International Transfers below).
Retention
Retention depends on the context:
- Waitlist emails: retained until launch and for up to 6 months after launch, or until you unsubscribe (whichever comes first), unless a longer retention is required by law.
- Technical logs: generally retained for a limited period for security/diagnostics (commonly up to 30 days), unless needed longer for security incidents or dispute handling.
- Service Customer Content: retained while your account/workspace is active and then deleted or scheduled for deletion upon verified deletion/closure requests, subject to backups and legal/security exceptions.
- Billing/tax records: retained as required by applicable law (e.g., accounting/tax obligations).
- Backups may persist for a limited period until rotated/overwritten.
- Google Sign-In data (email, name, profile photo, Google account identifier): retained for as long as your account is active and then deleted or scheduled for deletion upon verified deletion/closure requests, subject to backups and legal/security exceptions.
7. International Data Transfers
To provide the website and Service, we use third-party partners that may be based outside the EU/EEA or that may involve processing or access from outside the EU/EEA/UK (for example, due to global network routing or remote access for security and reliability).
Where personal data is transferred to a country that does not provide an adequate level of protection, we use appropriate safeguards as required by law, such as:
- the EU Standard Contractual Clauses (SCCs), and
- for UK transfers, the UK Addendum/IDTA (as applicable),
- and/or other legally recognized transfer mechanisms.
You also have the right to lodge a complaint with your local data protection authority. In Romania, this is the National Supervisory Authority for Personal Data Processing (ANSPDCP).
8. Your Rights (EU/UK and US)
a) EU/UK rights
If you are in the EU/EEA or the UK, you may have the right to:
- access your personal data
- correct inaccurate data
- delete your personal data
- restrict processing
- object to processing based on legitimate interests
- data portability
- withdraw consent at any time (where processing is based on consent)
b) US state privacy rights and notice at collection
If you are a resident of California or another US state with privacy laws (including CA, CO, CT, VA, or UT), you may have rights to access, correct, delete, and obtain a copy of your personal information, and to opt out of certain processing as defined by applicable law.
Notice at collection: We collect identifiers (such as email address), technical data (such as IP address/device/browser information), and internet/network activity data (such as pages visited and usage events) for the purposes described in Section 2. We retain this data as described in Section 6.
We do not sell personal information or share it for cross-context behavioral advertising as defined by the CPRA. If you use a browser signal such as Global Privacy Control (GPC), we will treat it as a request to opt out of sale/sharing or targeted advertising where applicable.
c) How to exercise your rights
To exercise your rights, contact us at [email protected]. We may need to verify your identity before responding.
Important note for Customer Content: if you are an end user whose data appears in a Customer’s recordings/content, the relevant Customer may be the controller for that data. We may direct you to the Customer to fulfill your request, unless we are legally required to respond directly.
You may also revoke Google Sign-In access at any time from your Google Account security settings (Third-party access).
9. Children’s Privacy
Our website and Service are not directed to children under 18, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will take appropriate action.
10. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or services. When we do, we will update the “Last updated” date at the top of this page.
11. Contact Us
If you have any questions or requests regarding your data, please contact:
APEX IT LABS S.R.L.
Email: [email protected]
Support: [email protected]