📖🤖 Tome Robot

Privacy Policy

Last updated: April 15, 2026

Who we are

Tome Robot is a business tool that records screen walkthroughs from a Chrome extension and turns them into help articles and internal documentation. This policy describes what we collect, why, and what you can do about it. It applies to tomerobot.com, the Tome Robot Chrome extension, and our web app.

In most customer deployments, your employer (the organization that provisions your account) is the controller of the recordings you produce; Tome Robot acts as a processor under their instructions. For individual sign-ups on our free plan, we are the controller.

What we collect and why

Account and organization data. Name, email address, hashed password (if you sign up with a password), Google account identifier (if you sign in with Google), workspace name, role, and membership in an organization or tenant. We need this to give you access to the right workspace and to enforce permissions.

Recording content. When you or a teammate starts a recording in the Chrome extension, we capture: screen and tab video frames, click and keyboard event metadata (not password-field contents), page URLs and titles of recorded tabs, limited DOM snippets around the elements you interact with, microphone audio if you enable narration, OCR text extracted from screenshots, and timestamps. We use this content to generate the help articles, step-by-step guides, and AI narration you asked us to produce, and to detect when your software has drifted from the recorded flow.

AI-generated content. Narration text, article drafts, and embeddings derived from your recordings. This is stored as part of the underlying recording and inherits the same access controls.

Operational data. Request logs, error traces, audit events (publish actions, role grants, redaction changes), billing metadata, and product usage events. We need this to keep the service running, debug issues, bill accurately, and satisfy security audits.

What we do not collect

  • Password-field keystrokes or the characters shown in password inputs.
  • Browsing activity on tabs that are not part of an active recording.
  • Third-party advertising identifiers or cross-site tracking data.
  • Biometric data or precise location.

Deterministic redaction (for emails, phone numbers, credit-card numbers, and similar patterns) runs on every ingest, and a vision model blurs regions that look sensitive. You can add custom redaction rules scoped to URLs or DOM selectors.

Legal bases (GDPR / UK GDPR)

  • Contract. We process account data and recording content to deliver the service you or your employer asked us to deliver.
  • Legitimate interests. We process operational logs and security telemetry to keep the service available, debug issues, and prevent abuse.
  • Consent. Where required (for example, enabling microphone narration), we rely on your explicit action in the extension.
  • Legal obligation. Where we have to retain records for tax or to respond to lawful requests.

How we store it

All customer data is hosted on Cloudflare's global infrastructure. Account and recording metadata live in Cloudflare D1 (SQLite); media files (video, screenshots, audio) live in Cloudflare R2; vector embeddings live in Cloudflare Vectorize; all application logic runs on Cloudflare Workers. Storage is encrypted at rest, traffic is TLS 1.2 or newer, and tenant data is isolated at the query layer so every database statement is scoped to a single tenant.

Retention

Recordings, articles, and derived artifacts are kept for as long as the owning workspace remains active. When you delete a recording or article, it is removed from active storage immediately and purged from backups within 30 days. When a workspace is deleted, all of its content is removed within 30 days. Operational logs are retained for up to 90 days; audit logs are retained for 1 year; billing records are kept for as long as tax law requires (typically 7 years).

Sub-processors

We rely on a small number of third parties to run the service. We only share the minimum data each one needs.

  • Cloudflare, Inc. — hosting, Workers compute, D1 database, R2 object storage, Vectorize, Analytics Engine, and Workers AI (which runs the open-weights models we use for article synthesis and embeddings, currently Meta Llama 3.1 / 3.3 and BAAI bge-base-en-v1.5, routed through a private AI Gateway). Your recordings are processed by Workers AI inside the Cloudflare network and are not sent to Anthropic, OpenAI, or any other external model provider.
  • Microsoft Azure Cognitive Services (Speech) — text-to-speech synthesis for article narration. We send the narration text (not the raw recording) to Azure Speech to produce an MP3.
  • Google LLC — only if you choose to sign in with Google. We receive your name, email, Google user id, and profile picture URL via OAuth.
  • Pushmail — transactional email delivery (verification, password reset, invites, notifications). We send the recipient address and message body.

An up-to-date sub-processor list is available on request at sean@inventivehq.com. We will give reasonable advance notice of new sub-processors to Business and Enterprise customers who have signed a DPA.

International transfers

Tome Robot is operated from the United States. Our sub-processors may process data in the US, EU, and other regions depending on Cloudflare's routing and Azure's regional endpoints. Where data is transferred out of the EEA or UK, we rely on the European Commission's Standard Contractual Clauses and equivalent UK addenda.

How we use your content

  • To generate the articles, guides, and narration you asked us to generate.
  • To detect drift between recorded flows and the live software.
  • To provide search and question-answering over your own workspace.
  • To keep the service running, secure, and billable.

We do not train machine-learning models on your content, and we do not sell your data. We do not use your recordings for advertising.

Your rights

You can access, export, correct, or delete your data at any time. Most of this is available directly in the web app; anything else you can request by emailing sean@inventivehq.com. If you are in the EU, UK, California, or another jurisdiction with specific data-subject rights (GDPR, UK GDPR, CCPA / CPRA), you have the right to access, rectify, erase, restrict or object to processing, receive a portable copy, and lodge a complaint with your supervisory authority. If you are an end user of a Tome Robot customer, please direct requests to that customer first — we will route them appropriately.

Cookies

Tome Robot uses a small number of first-party cookies required to keep you signed in. We do not use advertising or cross-site tracking cookies. See our cookie policy for the full list.

Children

Tome Robot is a business product. It is not directed at children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

Changes to this policy

We may update this policy as the product evolves. If we make a material change, we will notify customers by email before it takes effect and update the "Last updated" date above.

California privacy rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act and the California Privacy Rights Act grant you additional rights regarding your personal information. This section supplements the rest of this policy.

Categories of personal information we collect

| CCPA category | Examples we collect | Business purpose |
| --- | --- | --- |
| A. Identifiers | Name, email, Google user ID, account ID | Account provisioning, authentication |
| B. Personal records (Cal. Civ. Code 1798.80) | Name, email, organization name | Account and billing |
| D. Commercial information | Subscription plan, billing metadata | Service delivery, invoicing |
| F. Internet or network activity | Page URLs, click metadata, DOM context of recorded tabs | Generating help articles from recordings |
| G. Geolocation data | Approximate location inferred from IP address (not precise GPS) | Service routing, security |
| H. Audio, electronic, visual, or similar information | Screen/tab video, screenshots, microphone audio, webcam video (opt-in) | Core service: recording walkthroughs |
| I. Professional or employment-related information | Organization name, role within workspace | Workspace access control |

Sensitive personal information

Microphone audio and webcam video may be considered sensitive personal information under CPRA. Both are opt-in: they are only captured when you explicitly enable them in the extension before starting a recording. You may limit our use of this data by leaving these options disabled. Password fields and other sensitive input types are automatically excluded from element text capture.

Sale and sharing

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising as those terms are defined under the CPRA. We have not sold or shared personal information in the preceding 12 months.

Retention by category

  • Identifiers and account data: retained while your account is active; deleted within 30 days of account deletion.
  • Recording content (video, audio, screenshots, click metadata): retained while the recording exists in your workspace; purged within 30 days of deletion.
  • Operational and audit logs: 90 days (operational), 1 year (audit).
  • Billing records: up to 7 years per tax law.

Your California rights

You have the right to:

  • Know what personal information we collect, use, disclose, and sell or share.
  • Delete personal information we hold about you.
  • Correct inaccurate personal information.
  • Opt out of the sale or sharing of personal information (we do not sell or share, so there is nothing to opt out of).
  • Limit use of sensitive personal information to what is necessary for the service (mic and webcam are already opt-in).
  • Non-discrimination. We will not deny you services, charge you different prices, or provide a different level of quality because you exercise any of these rights.

How to submit a request

You can submit a verifiable consumer request through our privacy request form or by emailing sean@inventivehq.com. We will verify your identity by confirming your email address on file before processing your request. We will respond within 45 days. You may also designate an authorized agent to make a request on your behalf.

Service providers

All sub-processors listed above are contractually bound as service providers under the CCPA. They may only use personal information we share with them for the specific business purposes described in our agreements and may not sell, share, or retain it for their own purposes.

Contact

Questions, requests, or complaints about this policy? Email sean@inventivehq.com.