// Security · Policies
Data Handling
Last updated May 31, 2026
Data Types#
Userplay processes and stores three categories of data:
- Studio data — workspace configuration, project settings, user management, billing details.
- Tester data — email addresses (when used for invites), demographic data collected during playtest setup, consent records.
- Session data — screen recordings, audio (when the tester consents to microphone capture), optional webcam video, transcripts, AI analysis outputs, and basic device metadata required for playback.
A full breakdown of every data category — including source, purpose, and retention — is in Data Processed.
Storage and Encryption#
All production data is hosted in the United States. Userplay does not currently offer regional data residency.
| Layer | Encryption |
|---|---|
| Data in transit | TLS 1.2 or higher, on all client and internal traffic |
| Data at rest | AES-256 at the storage layer (Render, Mux, Cloudflare R2 where used) |
| Backups | Encrypted with the same standards as the primary store |
Video and audio files are stored at Mux. Recording metadata, transcripts, and AI analysis are stored on Render. Neither is accessible from the public internet without authenticated, authorized requests routed through Userplay’s application layer.
Retention#
Default retention windows:
| Data type | Default | Configurable |
|---|---|---|
| Session recordings | 12 months from session completion | Yes — workspace owners can set shorter retention per workspace or per playtest |
| Transcripts and AI analysis | Tied to the parent recording | Deleted with the recording |
| Account and workspace data | Lifetime of the workspace | Deleted within 30 days of confirmed workspace closure |
| Support communications | Up to 24 months from last contact | No |
Deletion#
When a recording is deleted:
- It is soft-deleted immediately — it disappears from the UI and can no longer be played back.
- The underlying video and audio asset is removed from Mux storage within 30 days of soft-deletion (hard delete).
- Transcripts, AI analysis, and any associated telemetry are hard-deleted in lockstep with the asset.
- Database backups containing the recording’s metadata age out within Userplay’s 7-day backup retention window.
Deletion is not reversible. Once a recording is soft-deleted, it is considered gone.
When a workspace is closed:
- All members lose access immediately.
- The workspace remains in a partially recoverable state for 30 days — contact support@userplay.io within that window to restore.
- After 30 days, all recordings, transcripts, AI outputs, and account data are removed within the following 60 days.
Data Minimization#
Userplay defaults to capturing as little as needed:
- Microphone capture is off by default and requires explicit per-playtest enablement.
- Webcam capture is off by default and requires explicit per-playtest enablement.
- Studios can limit recording to a specific application window or browser tab rather than the full screen.
- AI processing (transcription and video analysis) can be disabled per workspace or per playtest.
- Testers see exactly what will be captured before any recording starts and can decline or stop at any time.