Privacy Policy | MakeDemoFast
Last updated: February 2026
1. Data Controller
Perastro UG (haftungsbeschränkt) Martin-Luther Straße 47, 10779 Berlin, Email: [email protected]
2. Overview
MakeDemoFast (“we”, “us”, “our”) is a screen recording and video rendering service provided as a Chrome browser extension and a web application at app.makedemofast.com and makedemofast.com.
This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights under the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679).
3. What Data We Collect and Why
3.1 Account Data
When you create an account or sign in, we collect:
- Email address — required to create and identify your account.
- Password — never stored in plain text; hashed and managed by Supabase Auth.
- OAuth tokens — if you sign in via Google, we receive OAuth access and refresh tokens from Google via Supabase Auth. We do not receive or store your Google password.
Legal basis: Contract (Art. 6(1)(b) GDPR) — necessary to provide the service.
3.2 Payment Data
Payments are processed by Stripe. We do not store full card numbers or CVV codes. We do store:
- Customer email address — received from Stripe after a successful payment and stored in our database.
- Billing name — optionally provided during checkout.
- Stripe Session ID — to link the payment to your account.
- Plan type, purchased duration — to grant access to the service.
- Subscription status and usage — minutes used, minutes remaining, subscription period start/end dates.
Legal basis: Contract (Art. 6(1)(b) GDPR); Legal obligation (Art. 6(1)(c) GDPR) for invoice/tax records.
3.3 Recording Data (Media Files)
When you use the extension to record your screen:
- Screen recording (video/webm) — captured on your device and stored temporarily in your browser’s IndexedDB. It is uploaded to our secure cloud storage (Supabase Storage, bucket
raw-videos) when you choose to render your video. - Camera recording (video/webm) — captured only if you enable the camera option; stored and uploaded in the same way.
- Microphone audio (audio/webm) — captured only if you enable microphone recording; stored and uploaded in the same way.
- Rendered video (MP4) — the processed output of your recording, stored in our cloud storage (bucket
rendered-videos) and made available to you for download. - Saved projects — if you save a project, the project data is stored in our cloud storage (bucket
saved-projects).
Important: Recording data is uploaded to servers operated by Supabase, Inc. (see section 6). Raw recording files may contain content visible or audible on your screen at the time of recording. You control when and whether to upload a recording.
Legal basis: Contract (Art. 6(1)(b) GDPR).
3.4 Interaction Event Data
During a screen recording session, the Chrome extension captures the following user interaction events on the recorded browser tab to enable cursor animations and click highlights in the rendered video:
- Mouse movements — pointer position (as fractions of screen dimensions), timestamp.
- Mouse clicks — position, timestamp.
- Scroll events — scroll offset, timestamp.
- Keydown events — key name (e.g. “Enter”, “ArrowDown”), timestamp. Note: this includes all key presses during recording, which may include sensitive input such as passwords typed on the recorded page.
- Drag gestures — start/end position, path, timestamp.
These events are stored in your browser’s IndexedDB alongside the recording. They are uploaded to our cloud storage as part of the recording package (events.json) when you render your video.
Legal basis: Contract (Art. 6(1)(b) GDPR) — these events are required to produce the animated cursor overlay in the rendered video.
3.5 Usage and Subscription Data
We store the following data in our database to manage your account and enforce plan limits:
- User ID (internal identifier).
- Minutes used / minutes remaining per subscription period.
- Render history — video ID, render status (queued, rendering, complete, failed), render progress, output URL.
- Project metadata — project name, associated video ID, creation and update timestamps.
Legal basis: Contract (Art. 6(1)(b) GDPR).
3.6 Feedback Data
If you submit feedback via the in-app feedback form, we collect:
- Feedback type — bug report, feature request, or general feedback.
- Feedback text — your free-text message.
- User ID and email — linked to your account if you are logged in.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — to improve our product.
3.7 Analytics and Attribution Data
Website Visitors (makedemofast.com)
When you visit our website, we collect:
- Anonymous visitor ID (
vid) — a randomly generated UUID stored in a cookie for 1 year. This does not identify you personally but allows us to distinguish unique visits. - Ad click IDs — if you arrive via an advertising campaign, URL parameters such as
gclid(Google),fbclid(Facebook/Meta),ttclid(TikTok),gbraid(Google), andli_fat_id(LinkedIn) are captured and stored in aclick_idscookie for 30 days. This allows us to measure advertising effectiveness. - UTM parameters —
utm_source,utm_medium,utm_campaign,utm_term,utm_content— stored alongside click IDs. - Page views and behavior — collected via Google Analytics (loaded through Google Tag Manager). Google Analytics uses the
_ga(2 years) and_gid(24 hours) cookies. - Ad conversion data — collected via Meta (Facebook) Pixel, which uses the
_fbpcookie (3 months).
Chrome Extension Install
When you install the extension, a randomly generated anonymous ID (ext_vid) is generated and stored in chrome.storage.local. This ID is used to:
- Link your extension install to a prior website visit (via the
vidcookie), for attribution purposes only. - Record an
extension_installedevent in our database (Supabaseanalytics_eventstable), including theext_vid, the websitevid(if present), and any ad click IDs captured during the landing page visit.
In-App Events
When you initiate a checkout or complete a purchase in the web app, we push analytics events (initiate_checkout, purchase) to Google Tag Manager (window.dataLayer). These events include the plan type and currency but not your name or email.
Legal basis: Consent (Art. 6(1)(a) GDPR) for analytics and marketing cookies; Legitimate interest (Art. 6(1)(f) GDPR) for anonymous event tracking.
4. How We Collect Data
- Directly from you — when you register, purchase, upload a recording, or submit feedback.
- Automatically — via cookies, the Chrome extension, and tracking technologies when you use our website or application.
- From third-party services — from Stripe (payment confirmation), Google (OAuth authentication), and advertising platforms (click IDs).
5. Legal Bases for Processing (GDPR Art. 6)
| Processing Activity | Legal Basis |
|---|---|
| Account creation and authentication | Contract (Art. 6(1)(b)) |
| Delivering screen recording and rendering service | Contract (Art. 6(1)(b)) |
| Payment processing and billing records | Contract (Art. 6(1)(b)) + Legal obligation (Art. 6(1)(c)) |
| Storing interaction event data for video rendering | Contract (Art. 6(1)(b)) |
| Subscription usage tracking | Contract (Art. 6(1)(b)) |
| Feedback collection | Legitimate interest (Art. 6(1)(f)) |
| Analytics cookies and ad conversion tracking | Consent (Art. 6(1)(a)) |
| Anonymous extension install attribution | Legitimate interest (Art. 6(1)(f)) |
| Product improvement and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
6. Data Processors and Third-Party Services
We share personal data with the following processors under data processing agreements (DPAs):
| Processor | Role | Data Shared | Location |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, file storage, serverless functions | Account data, payment metadata, recording files, render data, analytics events, feedback | USA (EU data transfer via SCCs) |
| Stripe, Inc. | Payment processing | Email, plan type, billing details | USA (EU data transfer via SCCs) |
| Google LLC | Google Analytics (via GTM), Google OAuth, Google Ads | Visitor analytics, OAuth identity tokens, ad conversion events | USA (EU data transfer via SCCs or adequacy decision) |
| Meta Platforms Ireland Ltd. | Facebook Pixel (via GTM) | Ad conversion events, _fbp cookie | Ireland / USA (SCCs) |
| Usercentrics A/S (Cookiebot) | Cookie consent management | Consent state | EU |
| ConfigCat | Feature flag delivery | Anonymous config fetch requests | EU |
We do not sell your personal data to any third party.
7. International Data Transfers
Several processors (Supabase, Stripe, Google) are based in the United States. Data transfers to these processors are safeguarded by Standard Contractual Clauses (SCCs) approved by the European Commission (Art. 46(2)(c) GDPR) or, where applicable, an adequacy decision.
8. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data (email, auth tokens) | Until account deletion + 30 days |
| Raw recording files (uploaded ZIPs) | Until deleted by you or after your account is closed |
| Rendered video files | Until deleted by you or after your account is closed |
| Payment records (invoices, Stripe session IDs) | 10 years (legal/tax obligation) |
| Subscription and usage history | Duration of account + 3 years |
| Feedback submissions | 3 years |
Analytics events (analytics_events table) | 2 years |
Cookies (vid, click_ids) | See section 9 |
| Server logs (Supabase edge function logs) | 24 hours (Supabase default) |
You may request deletion of your personal data at any time (see section 11). Some data may be retained longer where required by law (e.g. tax records).
9. Cookies and Local Storage
Cookies (set on makedemofast.com)
| Cookie | Purpose | Expiry |
|---|---|---|
CookieConsent | Stores your cookie consent choices | 12 months |
vid | Anonymous visitor identifier | 1 year |
click_ids | Stores ad click IDs and UTM parameters | 30 days |
_ga | Google Analytics — distinguishes users | 2 years |
_gid | Google Analytics — distinguishes users | 24 hours |
_fbp | Meta Pixel — ad conversion tracking | 3 months |
Browser Storage (web app and Chrome extension)
| Storage | Key | Content |
|---|---|---|
localStorage (web app) | sb-...-auth-token | Your Supabase session JWT |
chrome.storage.local (extension) | sb-...-auth-token | Your Supabase session JWT |
chrome.storage.local (extension) | ext_vid | Anonymous extension visitor ID |
chrome.storage.local (extension) | preferred_camera_id, preferred_mic_id | Your selected camera/microphone device IDs |
IndexedDB (extension) | ScreenRecorderDB / recordings | Raw recording blobs and interaction event data (local only, until upload) |
Non-essential cookies (analytics, marketing) are loaded only after you have given your consent via the Cookiebot banner. You can withdraw or change your consent at any time by clicking “Cookie Settings” in the footer of our website. See our full Cookie Policy for details.
10. Security
We implement appropriate technical and organizational measures to protect your data:
- All data in transit is encrypted via TLS/HTTPS.
- Passwords are hashed by Supabase Auth — we never store or transmit plain-text passwords.
- Recording files are stored in private Supabase Storage buckets with signed URLs for access.
- Edge functions use server-side secret keys (not exposed to the client) for payment and database operations.
- Authentication tokens are stored in browser-local storage (not in cookies accessible to third-party scripts).
Despite our efforts, no system is 100% secure. If you believe your data has been compromised, please contact us immediately at [YOUR EMAIL].
11. Your Rights (GDPR)
As a data subject in the EU/EEA, you have the following rights:
- Right of access (Art. 15) — request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — request correction of inaccurate data.
- Right to erasure (Art. 17) — request deletion of your personal data (“right to be forgotten”).
- Right to restriction (Art. 18) — request that we limit the processing of your data.
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interest (including profiling).
- Right to withdraw consent (Art. 7(3)) — withdraw any consent you have given at any time, without affecting the lawfulness of prior processing.
To exercise any of these rights, please email: [YOUR EMAIL]
We will respond within 30 days. We may ask you to verify your identity before fulfilling a request.
You also have the right to lodge a complaint with your national data protection supervisory authority. In Germany, this is the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) or the supervisory authority of your federal state.
12. Children’s Privacy
Our service is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us so we can delete it.
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (to the address on your account) and/or by posting a prominent notice on our website before the changes take effect. The “Last Updated” date at the top of this document reflects the most recent revision.
Continued use of our service after the effective date constitutes acceptance of the updated policy.
14. Contact
For any privacy-related questions, requests, or concerns:
[YOUR COMPANY NAME] [ADDRESS] Email: [YOUR EMAIL]