Rundown

Privacy Policy

Last updated: February 9, 2026

1. Controller

The controller responsible for data processing on this website is Strana UG (haftungsbeschränkt), Schackstr. 1, c/o Kleinhempel & Partner, 80539 München, Germany. Contact: hello@strana.ai

For privacy-related inquiries, please contact our Data Protection Officer at privacy@strana.ai.

Our lead supervisory authority is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany.

2. Data We Collect

We collect the following types of data:

  • Account information (email address, name)
  • Usage data (screencast recordings, URLs submitted, recording instructions)
  • Technical data (IP address, browser type, device information)
  • Payment information (processed by our payment provider, Stripe)
  • Browser session data submitted via our browser extension or manual input (cookies, localStorage, sessionStorage)

3. Purpose of Processing

We process your data for the following purposes:

  • Providing and improving our screencast recording service
  • Replicating authenticated browser sessions for screencast recordings
  • Account management and authentication
  • Processing payments
  • Communicating with you about your account or service updates
  • Compliance with legal obligations

4. Legal Basis

We process your personal data based on: (a) the performance of our contract with you (Art. 6(1)(b) GDPR), (b) your consent where applicable (Art. 6(1)(a) GDPR), (c) our legitimate interests (Art. 6(1)(f) GDPR), and (d) compliance with legal obligations (Art. 6(1)(c) GDPR).

5. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements.

  • Account Data: Retained for the duration of your account plus 30 days after deletion for data export.
  • Screencast Recordings: Retained while your account is active. Deleted within 30 days of account termination or upon your request.
  • Browser Session Data: Retained only for the duration necessary to complete the recording, then deleted.
  • Payment Records: Retained for 10 years as required by German tax law (AO §147).
  • Usage Logs: Anonymized or deleted after 90 days.

6. Data Sharing & Sub-processors

We do not sell your personal data. We share data only as necessary with the following service providers:

  • Amazon Web Services (AWS): Cloud hosting and data storage within the European Union (EU-West-1, Frankfurt).
  • Stripe: Payment processing with data stored in EU and US data centers. Stripe is certified under the EU-US Data Privacy Framework.

All sub-processors are bound by Data Processing Agreements that ensure GDPR-compliant handling of your data. For a complete list, see our Data Processing Agreement.

7. Your Rights Under GDPR

Under the General Data Protection Regulation, you have the following rights:

  • Right of Access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
  • Right to Restriction (Art. 18): Request restriction of processing in certain circumstances.
  • Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
  • Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing.
  • Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@strana.ai. We will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany.

We do not engage in automated decision-making or profiling that produces legal effects concerning you.

8. Cookies

We use essential cookies necessary for the operation of our service. These include authentication cookies and session management cookies. We do not use advertising or analytics cookies.

9. Browser Extension

Our optional browser extension ("Session Capture for Rundown") captures session data from the website you are currently visiting and transmits it to our service. This includes:

  • Cookies associated with the current site (including httpOnly cookies)
  • localStorage data for the current origin
  • sessionStorage data for the current origin

This data is captured only when you explicitly click the "Send to Rundown" button in the extension popup. No data is collected passively or in the background. The captured session data is copied to your system clipboard and our website is opened in a new tab, where the data is read from the clipboard client-side in your browser. The session data is not transmitted to any server as part of the page navigation.

Session data you submit is used solely to replicate your authenticated browser session during screencast recording. It may contain authentication tokens or credentials for third-party websites. We process this data as described in Sections 3 and 4 above and retain it only for the duration necessary to complete the recording. You may also provide this data manually without the extension.

The extension uses the activeTab permission to access the current tab only when you click the extension icon. No broad host permissions are required. The extension cannot access any site unless you explicitly initiate a capture.

10. International Data Transfers

Your data is primarily processed within the European Union. Where transfers to third countries are necessary:

  • EU-Only Primary Processing: All core data processing, including screencast recording and storage, occurs on servers within the EU (AWS Frankfurt).
  • Standard Contractual Clauses (SCCs): Where data is transferred outside the EU/EEA, we rely on European Commission-approved Standard Contractual Clauses (Art. 46(2)(c) GDPR).
  • EU-US Data Privacy Framework: For transfers to US-based sub-processors (e.g., Stripe), we additionally rely on the EU-US Data Privacy Framework adequacy decision where applicable.

11. Security Measures

We implement appropriate technical and organizational measures to protect your data (Art. 32 GDPR):

  • Encryption: AES-256 encryption at rest and TLS 1.3 for data in transit.
  • Access Controls: Role-based access control, multi-factor authentication for administrative access, and principle of least privilege.
  • Infrastructure Security: EU-hosted infrastructure with network isolation, firewalls, and intrusion detection.
  • Regular Testing: Periodic penetration testing and security assessments.
  • Employee Training: All team members receive data protection training.

12. Breach Notification

In the event of a personal data breach:

  • We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach that poses a risk to your rights and freedoms (Art. 33 GDPR).
  • If the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay (Art. 34 GDPR).
  • Notifications will include the nature of the breach, likely consequences, and measures taken or proposed to address it.

13. Children's Privacy

Rundown is a B2B platform designed for businesses and professionals. Our services are not directed at individuals under the age of 16 (Art. 8 GDPR). We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 16, we will delete it promptly.

14. Contact

For any questions regarding this privacy policy or our data practices, please contact us at privacy@strana.ai

Related documents: Terms and Conditions | Data Processing Agreement