Privacy Policy for Captio

1. Controller (“Verantwortlicher”)

Louis-Deniel Rost
c/o flexdienst - #10303
Kurt-Schumacher-Straße 76
67663 Kaiserslautern
Deutschland
Email: info@captio.work

The appointment of a data protection officer is not required pursuant to Sec. 38 BDSG (fewer than 20 persons engaged in automated data processing).

2. Introduction

Captio is a browser extension that lets you capture webpage elements and compose them into visual designs with backgrounds, text, 3D transforms, and templates. Captio also operates the website captio.work (the “Website”), which provides product information and a contact form.

This privacy policy explains what data Captio processes in connection with both the browser extension and the Website, the legal basis for each processing activity, and your rights under the General Data Protection Regulation (GDPR/DSGVO).

3. Overview of Data Processing

The following table summarizes all processing activities, their purposes, legal bases, and retention periods. Details for each category follow below.

Part A — Browser Extension

4. Local Data Processing

a) Webpage Content (DOM Elements)

When you capture an element, Captio reads the visual representation of the selected page element (HTML, CSS, images) directly in your browser. This data is processed entirely on your device to render the design canvas. It is never sent to any external server.

Legal basis: Art. 6(1)(b) GDPR — processing is necessary to provide the service you explicitly requested (capturing and composing visual designs).

Retention: Captured content exists in memory during your editing session and is embedded in your project data only if you save the project. It is deleted when you remove the project or uninstall the extension.

b) Project Data

Your projects (canvas settings, layer configurations, captured images) are saved locally in your browser using the Chrome Storage API (browser.storage.local). This data never leaves your device unless you manually export it as an image or PDF file.

Legal basis: Art. 6(1)(b) GDPR — storing your work is necessary to provide the design service you requested.

Retention: Project data is stored until you delete the project within the extension or uninstall the extension. Uninstalling removes all locally stored data.

c) Local Storage Under Sec. 25 TDDDG

Captio uses browser.storage.local to store project data and extension settings on your device. This storage is strictly necessary for providing the service you explicitly requested (Sec. 25(2) no. 2 TDDDG) and therefore does not require separate consent.

d) No Analytics or Tracking in the Extension

The Captio browser extension does not include any analytics, telemetry, tracking code, or cookies. No usage data, crash reports, or browsing history is collected or transmitted by the extension.

5. Payment Processing via ExtensionPay and Stripe

a) What is processed

Captio uses ExtensionPay (extensionpay.com) as a third-party service for payment and license management. ExtensionPay uses Stripe (stripe.com) as its payment processor. When you purchase a license, start a free trial, or log in to manage your subscription, the following personal data may be processed by these services:

• Email address (by ExtensionPay — for account and license management)
• Payment details such as credit card number and billing address (by Stripe — for transaction processing)

Captio itself does not collect, see, or store these details.

b) Legal basis

Art. 6(1)(b) GDPR — processing is necessary for the performance of the purchase or trial agreement you initiate. Without processing your email and payment data, the transaction cannot be completed.

c) Recipients

• ExtensionPay (Glen Chiacchieri, United States) — license management and payment coordination
• Stripe, Inc. (United States) — payment processing

Captio does not share your data with any other third parties.

d) Data shared by Captio with ExtensionPay

Captio sends only your extension-specific user identifier to ExtensionPay to verify payment status. Captio does not send any browsing data, project data, or captured content to ExtensionPay or Stripe.

e) International data transfers

Both ExtensionPay and Stripe are located in the United States. When you initiate a payment or trial, your personal data is transferred to the US.

Stripe: Stripe, Inc. is a certified participant in the EU-US Data Privacy Framework (DPF, participant #6436). The transfer to Stripe is based on the European Commission's adequacy decision pursuant to Art. 45 GDPR. Additionally, Stripe maintains Standard Contractual Clauses (Art. 46(2)(c) GDPR) via its Data Processing Agreement. Details: https://stripe.com/legal/dpa

ExtensionPay: ExtensionPay is not known to be certified under the EU-US Data Privacy Framework. The transfer of data to ExtensionPay is based on Art. 49(1)(b) GDPR — the transfer is necessary for the performance of the contract between you and the controller (your purchase or trial activation). This derogation applies only to the specific transaction you initiate and is not used for systematic or bulk transfers. We are aware that this is a derogation under Art. 49 GDPR, not a primary transfer mechanism. We recommend reviewing ExtensionPay's privacy policy for further details: https://extensionpay.com/privacy

f) Retention

Captio does not retain your payment data. ExtensionPay and Stripe retain data according to their own privacy policies and applicable legal obligations (e.g., tax and accounting requirements). For deletion requests, please contact ExtensionPay or Stripe directly.

6. Permissions Explained

Captio requests the following browser permissions:

• “activeTab” and “tabs”: Required to capture visual elements from the currently active webpage. Captio only accesses tab content when you actively initiate a capture. No browsing history or tab data is collected or stored.
• “<all_urls>” (host permissions): The content script must be able to run on any webpage so you can capture elements from any site you visit. Captio does NOT read or monitor your browsing activity — it only activates when you explicitly trigger a capture. This broad permission is technically necessary because the capture target is determined by the user at runtime and cannot be limited to specific domains.
• “storage” and “unlimitedStorage”: Used to save your projects locally in the browser. No data is synced to external servers.
• “https://extensionpay.com/*”: Required for the payment flow. A small content script runs on extensionpay.com to detect when a payment or trial activation completes. No other data from extensionpay.com is accessed.

Part B — Website (captio.work)

7. Website Hosting (Vercel)

The Website is hosted on Vercel Inc. (440 N Barranca Ave #4133, Covina, CA 91723, USA). When you visit the Website, Vercel automatically processes the following data in server logs:

• Your IP address
• Date and time of access
• Requested URL and HTTP method
• HTTP status code and response size
• Referrer URL
• Browser user-agent string

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in ensuring the security and proper operation of the Website.

Retention: Server logs are retained by Vercel for up to 30 days and then automatically deleted.

International data transfers: Vercel, Inc. is a certified participant in the EU-US Data Privacy Framework (DPF). The transfer is based on the European Commission's adequacy decision pursuant to Art. 45 GDPR. Details: Vercel Privacy Policy

8. Contact Form

The Website provides a contact form where you can submit inquiries. When you use the contact form, the following data is processed:

• Your name
• Your email address
• Inquiry type (e.g., general, support, business)
• Your message

The form data is transmitted via Gmail SMTP (Nodemailer) directly to our email inbox. We do not store your form submission in a database.

Legal basis: Art. 6(1)(b) GDPR — processing is necessary for pre-contractual measures you requested; alternatively Art. 6(1)(f) GDPR — our legitimate interest in responding to customer inquiries.

Retention: Your inquiry is retained in our email system until the inquiry is fully resolved, and no longer than 6 months after the last correspondence.

Recipients: Google LLC (Gmail SMTP) processes the email in transit. Google is a certified participant in the EU-US Data Privacy Framework.

9. Google Analytics

The Website uses Google Analytics 4, a web analytics service provided by Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics uses cookies (small text files placed on your device) to analyze how visitors use the Website.

Legal basis: Art. 6(1)(a) GDPR — your consent. Google Analytics cookies are only set after you click “Accept” in our cookie consent banner. Sec. 25(1) TDDDG also requires consent for non-essential cookies.

IP anonymization: We have enabled IP anonymization (anonymize_ip: true), so Google truncates your IP address within the EU/EEA before transmission to the US.

Data processed: Pages visited, time spent, device and browser information, approximate location (country/city from truncated IP), referral source.

Retention: Google Analytics data is retained for up to 14 months (default setting), after which it is automatically deleted.

International data transfers: Google LLC is a certified participant in the EU-US Data Privacy Framework (DPF). The transfer is based on the European Commission's adequacy decision pursuant to Art. 45 GDPR.

Opt-out: You can withdraw your consent at any time by clearing your browser cookies or by using the Google Analytics Opt-out Browser Add-on. You can also decline cookies via our cookie consent banner. If you decline or withdraw consent, no analytics cookies will be set and no data will be sent to Google Analytics.

10. Cookies

The Website uses cookies only for Google Analytics, and only after you have given your consent via the cookie consent banner. No cookies are set before consent is granted.

Your consent choice is stored in your browser's localStorage (not as a cookie). This storage is strictly necessary for remembering your preference (Sec. 25(2) no. 2 TDDDG) and does not require separate consent.

Part C — General

11. Whether Providing Data Is Required

• Using Captio's core features (capture, compose, export): No personal data is required. All processing happens locally on your device.
• Purchasing a license or starting a trial: Providing your email address and payment details to ExtensionPay/Stripe is required to complete the transaction. Without this data, the purchase cannot be processed.
• Visiting the Website: Server log data (IP address) is automatically processed by the hosting provider. You cannot prevent this while using the Website.
• Using the contact form: Providing your name, email address, and message is required to submit an inquiry. Without this data, we cannot respond.
• Analytics cookies: Entirely optional. You can decline consent without any impact on the functionality of the Website or the extension.

12. Automated Decision-Making

Captio does not use automated decision-making or profiling as defined in Art. 22 GDPR.

13. Your Rights Under the GDPR

If you are located in the European Economic Area (EEA), you have the following rights regarding your personal data:

• Right of access (Art. 15 GDPR): You may request confirmation of whether personal data concerning you is being processed, and if so, access to that data.
• Right to rectification (Art. 16 GDPR): You may request correction of inaccurate personal data.
• Right to erasure (Art. 17 GDPR): You may request deletion of your personal data. Since Captio stores all project data locally on your device, you can delete it at any time by removing your projects within the extension or by uninstalling it. For data held by ExtensionPay or Stripe (email, payment records), please contact those services directly.
• Right to restriction of processing (Art. 18 GDPR): You may request that processing of your data be restricted under certain conditions.
• Right to data portability (Art. 20 GDPR): You may request to receive your personal data in a structured, machine-readable format. Since Captio stores all data locally, you already have full access to it on your device.
• Right to object (Art. 21 GDPR): You may object to the processing of your personal data at any time.
• Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on your consent (e.g., analytics cookies), you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
• Right to lodge a complaint (Art. 77 GDPR): You have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

To exercise any of these rights with respect to Captio, please contact the controller listed in section 1. For data held by ExtensionPay or Stripe, please refer to their respective privacy policies.

14. Children's Privacy

Captio does not knowingly collect any personal information from children under the age of 16 (Art. 8 GDPR). If you believe a child has provided personal data through ExtensionPay or the contact form, please contact us so we can take appropriate action.

15. Changes to This Policy

If this privacy policy is updated, the changes will be reflected in the “Last updated” date at the top of this document. For material changes, we will update the extension listing on the Chrome Web Store and/or publish a notice on the Website.

16. Contact

If you have questions about this privacy policy or wish to exercise your data protection rights, please contact:

Louis-Deniel Rost
c/o flexdienst - #10303
Kurt-Schumacher-Straße 76
67663 Kaiserslautern
Deutschland
Email: info@captio.work