Privacy Policy

NoCorny Tracer is a free, open-source screen recorder for macOS and a small companion web service that turns each recording into a shareable page. The service is operated by Maksym, trading as NoCorny Agency, based in Ukraine.

Source code: github.com/Maksym-nocorny/NoCorny-Tracer.

The web service stores the following in our Postgres database:

• Account: your email address, display name, and avatar URL — provided by Google OAuth.
• Dropbox connection: your Dropbox account ID, email and display name, encrypted access and refresh tokens, the token expiration timestamp, and the Dropbox folder layout version.
• Video metadata (not the video files themselves): UUID, slug, title, description, duration, file size, thumbnail URL, recording timestamp, and processing status.
• Transcripts: SRT text, JSON segments with timestamps, and the detected spoken language. These are generated server-side by Google Gemini from the video that already lives in your Dropbox.
• API tokens for the macOS app: hashed before storage. The cleartext token exists only on your Mac, in the system Keychain, after issuance.

We keep a small amount of operational data to run the service responsibly. We’re explicit about it here so it’s impossible to miss.

View counts

For each playback of a public video page (/v/{slug}) we store the video ID, a SHA-256 fingerprint of the viewer’s IP address and user-agent, and a timestamp. The fingerprint is used only to de-duplicate views so a single viewer doesn’t inflate the counter. We don’t store raw IP addresses or user-agent strings, and viewers are anonymous to us.

AI usage events

Every Google Gemini call we make on your behalf (transcription, title generation, description generation) is recorded with: the model used, prompt and output token counts (with a per-modality breakdown), latency, attempt count, success or error code, and the computed USD cost. We use these records to monitor spend and quality.

Why some analytics survive deletion

AI-event rows include a denormalized snapshot of the account email and the video title at the moment of the call (user_email_at_event, video_title_at_event). This is intentional: when you delete a video or close your account, the foreign keys are nulled but the analytics row remains so historical cost reporting stays readable. If you would like these snapshot rows hard-deleted alongside your account, email maksym@nocorny.agency and we will purge them.

Admin audit log

Each visit to an internal admin page is logged with the admin user’s ID, email, and the path visited. This is an internal accountability log; regular users never appear in it.

What we don’t use

No third-party analytics (Google Analytics, Mixpanel, Hotjar, etc.), no advertising pixels, no behavioral tracking, no data sales.

Your video and audio files. They live in your Dropbox account; we serve them to viewers via dl.dropboxusercontent.com shared links. Webcam and screen capture happen locally on your Mac. We never receive a copy of the file outside the temporary access needed for AI processing.

• Dropbox access and refresh tokens are encrypted at rest with AES-256-GCM using a server-side key.
• macOS API tokens are stored only as their SHA-256 hash. The cleartext token is held exclusively in your Mac’s system Keychain after issuance.
• All traffic is HTTPS.
• The database is hosted on Neon and accessed only over an encrypted connection.

Each of these has its own privacy policy that governs what they do with the data they receive from us:

• Dropbox — stores your video files and serves shared links.
• Google — OAuth sign-in and Gemini AI for transcripts, titles, and descriptions.
• Vercel — hosting and edge delivery for the web app.
• Neon — managed Postgres database.

We set one cookie: __Secure-next-auth.session-token, issued by NextAuth to keep you signed in. No tracking pixels, no advertising, no third-party analytics cookies.

• Delete a video: use the Delete button on the video page or your dashboard. This removes the metadata, transcript, thumbnail, and the foreign-key links from AI-event rows. The denormalized analytics snapshot remains (see §3); the file in your Dropbox is yours to delete.
• Disconnect Dropbox:on the dashboard. We revoke and discard your Dropbox tokens; future recordings won’t upload until you reconnect.
• Delete your account: email maksym@nocorny.agency. We delete your account row, all your videos and transcripts, your API tokens, and your Dropbox connection. On request, we’ll also hard-delete the AI-event snapshots.

If you’re in the EU/UK or another jurisdiction with similar laws (e.g. GDPR), you have the right to access, correct, export, and delete your personal data, to withdraw consent, and to lodge a complaint with your local supervisory authority. To exercise any of these, email maksym@nocorny.agency.

NoCorny Tracer is not directed at children under 13 (or 16 in the EU). We don’t knowingly collect data from children. If you believe a child has signed up, contact us and we’ll delete the account.

We’ll bump the “last updated” date when we change anything. For material changes that affect how we collect or use data, we’ll notify signed-in users by email before the change takes effect.

Questions, deletion requests, or concerns: email maksym@nocorny.agency.