The short version: We collect information you give us and information about how you use our service. We use this to provide and improve Guidez. We do not sell your personal data. You have control over your data, including the right to access, correct, and delete it.
This Privacy Policy ("Policy") applies to the Guidez website at guidez.io, the Guidez application at app.guidez.io, our browser extensions, our APIs, and all other services offered by Guidez, LLC (collectively, the "Service").
This Policy does not apply to third-party websites, applications, or services that may be linked from our Service. We encourage you to read the privacy policies of those third parties before using their services.
By using Guidez, you acknowledge you have read this Policy and consent to the collection and use of your information as described herein.
Guidez, LLC is the data controller for information collected through our website and application. We are incorporated in Delaware, USA.
For the purposes of the EU General Data Protection Regulation (GDPR) and the UK General Data Protection Regulation (UK GDPR), Guidez, LLC is the data controller of personal data we process directly. When you use our product within your own application, you are the data controller for your end users' data, and Guidez acts as a data processor on your behalf under the terms of our Data Processing Agreement (DPA).
Contact information:
Guidez, LLC
Email: privacy@guidez.io
For EU/UK data subjects, our EU representative can be reached at: eu-privacy@guidez.io
When you install the Guidez snippet in your product, our SDK collects certain anonymized signals from your end users to power the Guidez Service. This includes:
Important: You are the data controller for your end users' data. Guidez processes this data as your data processor, under the terms of our Data Processing Agreement (DPA). You are responsible for obtaining appropriate consent from your end users and ensuring your use of Guidez complies with applicable privacy laws in your jurisdiction. We strongly recommend reviewing our DPA before enabling user-level data collection. To request a copy of our DPA, contact privacy@guidez.io.
Guidez offers a browser extension for Google Chrome ("the Extension") that allows workspace members to build, preview, and publish Tours directly within your product without needing a separate dashboard tab. Because browser extensions operate with elevated permissions, we want to be fully transparent about what the Extension can access and why.
| Permission | Why We Need It |
|---|---|
| activeTab / scripting | Injects the Guidez builder UI into the current tab so you can select elements, preview Tours, and make edits in-context without leaving your product. |
| storage | Stores your authentication session, extension preferences, and draft Tour states locally in your browser. This data never leaves your device unless you explicitly publish a Tour. |
| cookies (guidez.io only) | Reads the Guidez authentication cookie to authenticate API calls made from the Extension on your behalf. We only access cookies for the guidez.io and app.guidez.io domains. |
| contextMenus | Adds a right-click menu option to help you quickly anchor a Tour step to a page element. |
| tabs | Reads the URL of the current tab to pre-fill the page target when you create a new Tour step. |
Data stored by the Extension (authentication tokens, preferences, draft states) is kept in your browser's local extension storage via Chrome's chrome.storage.local API. This storage is device-specific: unlike chrome.storage.sync, it is never replicated by Chrome's sync service, so the data stays on the device where it was written.
You can remove the Extension at any time through Chrome's extension management page (chrome://extensions). Removing the Extension clears all locally stored Extension data from your device. Your Guidez account data stored on our servers is unaffected by removing the Extension.
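As an added example (not code from Guidez or its extension), the script below audits an extension manifest against the permission scope this section describes: it flags any declared permission the table does not list, and any host_permissions entry that would let the cookies or scripting APIs reach sites beyond guidez.io and app.guidez.io. The POLICY_SCOPE object, the auditManifest function and both sample manifests are constructed for illustration; the real Guidez manifest may differ, and the point is to compare the installed extension's manifest.json against the policy text rather than take either on faith.

```javascript
// Added example, not Guidez's own code: check an extension manifest against the
// permission scope a privacy policy claims. In Manifest V3 the cookies and
// scripting APIs only reach origins listed in host_permissions, so that list is
// where "guidez.io only" is actually enforced.

// Match patterns that grant access to every site.
const BROAD_PATTERNS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

// What the permissions table above states (assumption: transcribed by hand).
const POLICY_SCOPE = {
  declaredPermissions: ["activeTab", "scripting", "storage", "cookies", "contextMenus", "tabs"],
  allowedHosts: ["guidez.io", "app.guidez.io"],
};

// Hostname part of a match pattern such as "https://app.guidez.io/*".
function patternHost(pattern) {
  const m = /^(\*|https?|wss?|ftp):\/\/([^/]+)\//.exec(pattern);
  return m ? m[2] : null;
}

// Returns a list of findings; an empty list means the manifest stays within scope.
function auditManifest(manifest, scope) {
  const findings = [];
  for (const p of manifest.permissions || []) {
    if (!scope.declaredPermissions.includes(p)) {
      findings.push(`undeclared permission: ${p}`);
    }
  }
  for (const h of manifest.host_permissions || []) {
    if (BROAD_PATTERNS.includes(h)) {
      findings.push(`broad host permission: ${h}`);
      continue;
    }
    const host = patternHost(h);
    // Exact hostnames only: "*.guidez.io" or "*" would exceed the two stated domains.
    if (host === null || !scope.allowedHosts.includes(host)) {
      findings.push(`host permission outside stated scope: ${h}`);
    }
  }
  return findings;
}

// Constructed sample manifests (hypothetical; not the real Guidez manifest).
const IN_SCOPE_MANIFEST = {
  manifest_version: 3,
  name: "Example tour builder",
  permissions: ["activeTab", "scripting", "storage", "cookies", "contextMenus", "tabs"],
  host_permissions: ["https://guidez.io/*", "https://app.guidez.io/*"],
};

const OVERBROAD_MANIFEST = {
  ...IN_SCOPE_MANIFEST,
  permissions: [...IN_SCOPE_MANIFEST.permissions, "webRequest"],
  host_permissions: ["<all_urls>", "https://*.guidez.io/*"],
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditManifest(IN_SCOPE_MANIFEST, POLICY_SCOPE)); // []
  console.log(auditManifest(OVERBROAD_MANIFEST, POLICY_SCOPE)); // three findings
}
```

Run it with node: an empty list for the first manifest means every permission and host pattern is within the stated scope, while the second manifest produces three findings. One caveat the table does not spell out: the tabs permission exposes the URL and title of every open tab, not only the active one, whereas activeTab already exposes the URL of the tab the user invoked the extension on.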
When you install the Guidez JavaScript SDK (snippet) into your product, it enables passive behavioral data collection that powers targeting, segmentation, and analytics features. This section explains exactly what is collected and how it is used.
The SDK passively collects the following signals from your End Users to power Tour targeting and analytics. This collection happens automatically once the snippet is installed and is the core mechanism that enables features like "show this tour only to users who have not completed Step X":
You have full control over what data the SDK collects. Guidez provides configuration options to:
You are responsible for configuring the SDK in compliance with your applicable privacy obligations and for obtaining any required End User consent before enabling behavioral data collection.
End User behavioral data collected by the SDK is logically isolated per workspace and is never commingled with data from other Guidez customers. Guidez employees access this data only when providing support services explicitly requested by you.
Guidez includes the ability to deploy in-product surveys, Net Promoter Score (NPS) surveys, and feedback widgets to your End Users. When these features are used, additional data is collected and handled as follows:
As the data controller deploying surveys to your End Users, you are responsible for:
If you use Guidez's AI-powered survey analysis features, free-text survey responses may be processed by our AI provider (Anthropic) to generate summaries and sentiment analysis. Free-text responses are pseudonymized where possible before they are sent for analysis. You may disable AI analysis of survey responses in your workspace settings.
Guidez integrates with a wide range of third-party analytics, CRM, and data platforms to enrich user segmentation, synchronize data, and reduce manual setup. This section describes how data flows when you connect third-party integrations.
When you connect tools such as Segment, Mixpanel, Amplitude, HubSpot, Salesforce, or Intercom to Guidez, you authorize Guidez to receive certain user attribute and event data from those tools. This data is used to:
Guidez can also push Tour interaction data to third-party tools you connect. For example, you can configure Guidez to send a "Tour Completed" event to Segment or HubSpot when a user finishes an onboarding flow. The data sent is limited to:
You are the data controller for all data flowing through integrations you configure. You are responsible for ensuring that data shared between Guidez and third-party tools complies with applicable privacy laws, including having appropriate data processing agreements in place with those third parties. Guidez does not share integration data with third parties beyond those you explicitly authorize through your integration configuration.
If you connect a CRM (such as HubSpot or Salesforce) and choose to sync contact-level data including real names and email addresses to Guidez, this data is treated as Customer Data under our Terms of Service and is subject to the same security and retention controls described in this Policy.
We use the information we collect for the following purposes:
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under one or more of the following legal bases as required by the GDPR:
| Processing Activity | Legal Basis |
|---|---|
| Providing the Service you've signed up for | Performance of contract (Art. 6(1)(b)) |
| Billing and payment processing | Performance of contract (Art. 6(1)(b)) |
| Sending transactional emails | Performance of contract (Art. 6(1)(b)) |
| Fraud detection and security | Legitimate interests (Art. 6(1)(f)) |
| Service improvement and analytics | Legitimate interests (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) or Legitimate interests (Art. 6(1)(f)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Responding to legal requests | Legal obligation (Art. 6(1)(c)) or Vital interests (Art. 6(1)(d)) |
Where we rely on legitimate interests, we have conducted a balancing test and concluded our interests do not override your rights and freedoms. You may object to processing based on legitimate interests at any time (see Section 10).
The following third-party sub-processors may receive your personal data as part of our service delivery. All sub-processors are bound by contractual data protection obligations.
| Sub-Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, storage, compute infrastructure | USA / EU (eu-west-1) |
| Stripe | Payment processing and billing | USA |
| Postmark | Transactional email delivery | USA |
| Intercom | Customer support chat and ticket management | USA |
| Sentry | Error monitoring and crash reporting | USA |
| Cloudflare | CDN, DDoS protection, DNS | USA / Global |
| Datadog | Infrastructure monitoring and logging | USA |
| Anthropic | AI-powered content generation (opt-in features) | USA |
We review sub-processors regularly and will update this list when we add or remove providers. For customers with Data Processing Agreements (DPAs), we will provide advance notice of material sub-processor changes.
We implement administrative, technical, and physical security measures designed to protect your information against unauthorized access, alteration, disclosure, or destruction. These measures include:
Despite our best efforts, no method of transmission over the Internet or electronic storage is 100% secure. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately at security@guidez.io.
Healthcare Customers: The Guidez standard Service is not HIPAA compliant by default. If you are a covered entity or business associate under HIPAA and intend to use Guidez in a context that may involve Protected Health Information (PHI), you must not do so without first executing a Business Associate Agreement (BAA) with Guidez.
Guidez does not knowingly collect Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA). If you operate in the healthcare industry, it is your responsibility to configure the Guidez SDK to exclude any pages or UI elements that display or collect PHI.
Enterprise customers in the healthcare sector who require a HIPAA BAA and additional safeguards including audit logging of PHI access, dedicated infrastructure, and encryption key management may contact security@guidez.io to discuss a healthcare compliance arrangement.
What "not HIPAA compliant by default" means in practice:
We retain personal data for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required by law. Our specific retention periods are:
| Data Category | Retention Period |
|---|---|
| Account and profile data | Duration of account + 90 days after closure |
| Billing and payment records | 7 years (legal/tax obligation) |
| Tour and flow configurations | Duration of account + 90 days after closure |
| Tour analytics and interaction data | 24 months on active accounts; 30 days after account closure |
| Support communication records | 3 years after last interaction |
| Security and access logs | 12 months |
| Marketing consent records | 3 years from consent or last interaction |
| End-user anonymized event data | 24 months on active accounts |
When you close your account, we will delete or anonymize your personal data within 90 days, subject to any applicable legal retention obligations and our 7-year billing record retention. You can request an export of your data before account closure.
Depending on your location and applicable law, you have the following rights regarding your personal data:
To exercise any of these rights, please contact us at privacy@guidez.io. We will respond to verified requests within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request. We will not discriminate against you for exercising your rights.
Guidez is headquartered in the United States. If you are located outside the US, your personal data will be transferred to and processed in the United States, which may not provide the same level of data protection as your home country.
For transfers from the EEA, UK, or Switzerland to the US, we rely on the following transfer mechanisms:
Upon request, we will provide you with a copy of the applicable SCCs. Copies of our transfer impact assessments are available to enterprise customers upon request.
We also offer EU-based data residency for enterprise customers who require their data to remain within the European Economic Area. Please contact privacy@guidez.io for details.
In addition to GDPR and CCPA (covered in Sections 9 and 19), Guidez acknowledges and complies with privacy regulations in the following jurisdictions where we have customers or where applicable law requires compliance. If you are subject to any of these laws as a data controller, please review how they interact with your use of Guidez as a data processor.
For customers and end users in Brazil, we process personal data in compliance with Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD), Law No. 13,709/2018. We rely on the following legal bases under the LGPD: contract performance, legitimate interest, and consent as applicable. Brazil-based individuals have rights to access, correct, anonymize, block, delete, and port their personal data. Requests may be submitted to privacy@guidez.io.
For customers and individuals in Canada, Guidez complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and, for Quebec-based individuals, with Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25). We maintain a designated privacy officer and publish this Policy as our accountability mechanism. Quebec Law 25 requires us to conduct Privacy Impact Assessments (PIAs) for technology products that process personal information; our PIA is available to Quebec enterprise customers upon request.
Guidez complies with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs) for Australian residents. We do not disclose personal data to overseas recipients without ensuring comparable protections are in place. Australian residents may submit access and correction requests to privacy@guidez.io. Complaints that are not resolved to your satisfaction may be referred to the Office of the Australian Information Commissioner (OAIC).
For data relating to individuals in Japan, we comply with the Act on the Protection of Personal Information (APPI) as amended. Cross-border transfers of Japanese personal data are governed by our data transfer agreements, which provide protections equivalent to those required under APPI. Japanese individuals may submit requests to access, correct, or delete their personal data at privacy@guidez.io.
We are committed to honoring privacy rights globally. If you are located in a jurisdiction not listed above and have questions about your data rights, please contact privacy@guidez.io and we will do our best to accommodate your request in accordance with applicable law.
The Guidez Service is not directed to, and we do not knowingly collect personal data from, children under the age of 16 (or under 13 in the United States). If you are a parent or guardian and believe that your child has provided us with personal information without your consent, please contact us at privacy@guidez.io. We will delete such information from our systems within 30 days of being notified.
If you are a Guidez customer whose product is used by or directed at children, you are responsible for complying with applicable laws including the Children's Online Privacy Protection Act (COPPA) and must ensure that you do not configure Guidez to collect personal data from children in violation of those laws.
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you additional rights.
| Category | Collected? | Disclosed to Third Parties? |
|---|---|---|
| Identifiers (name, email, IP address) | Yes | Yes (service providers only) |
| Commercial information (billing records) | Yes | Yes (payment processor) |
| Internet activity (usage data) | Yes | Yes (analytics providers) |
| Inferences (product usage patterns) | Yes | No |
| Sensitive personal information | No | No |
| Biometric data | No | No |
| Geolocation data | No (IP only) | No |
To exercise your California rights, submit a verifiable consumer request at privacy@guidez.io or via our in-app settings. We will respond within 45 calendar days.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.
When we make changes, we will:
For non-material changes (such as corrections, clarifications, or updates to sub-processor lists), we will update the Policy without separate notification. We encourage you to review this Policy periodically.
Your continued use of the Service after any changes become effective constitutes your acceptance of the revised Policy.
If you have questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact us:
You also have the right to lodge a complaint with your local data protection authority. A list of EU supervisory authorities is available at edpb.europa.eu. UK residents may contact the ICO at ico.org.uk.