Data Processing Agreement

Last updated: February 22, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Use between Piotr Gebski, sole proprietorship (NIP: 7732424192, REGON: 543003417), B. Stolarskiego 10/12, 97-200 Tomaszów Mazowiecki, Poland ("Processor" / "BugZap") and the customer ("Controller" / "you") who has agreed to the BugZap Terms of Use.

This DPA applies when BugZap processes personal data on your behalf as a data processor under GDPR Article 28 — specifically when your end-users submit bug reports through the BugZap widget, SDK, or extension embedded on your websites or applications.

1. Definitions

  • "Personal Data" means any data relating to an identified or identifiable natural person processed under this DPA.
  • "Processing" means any operation performed on Personal Data as defined in GDPR Article 4(2).
  • "Sub-Processor" means a third party engaged by BugZap to process Personal Data on behalf of the Controller.
  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

2. Scope and Purpose of Processing

BugZap processes Personal Data solely for the following purposes:

  • Receiving, storing, and displaying bug reports submitted by your end-users
  • Storing screenshots, session replays, and metadata associated with bug reports
  • Generating AI-powered bug summaries (when triggered by your team members)
  • Forwarding bug data to third-party integrations you have configured (Linear, GitHub, Jira, Slack, Zapier)
  • Sending webhook notifications to endpoints you have configured
  • Sending transactional emails (magic links, billing notifications) via our email provider

2.1 Categories of Data Subjects

  • Your team members (BugZap account holders)
  • Your end-users who submit bug reports via the widget, SDK, or extension

2.2 Types of Personal Data

  • Email addresses (account holders and optionally end-users)
  • Names (account holders)
  • IP addresses (for rate limiting and security, not stored long-term)
  • Browser and device information (user agent, viewport)
  • Page URLs visited
  • Screenshots and screen recordings that may contain visible personal data
  • Console logs and network request data that may contain personal data
  • Session replay DOM recordings that may contain visible page content

3. Obligations of the Processor

BugZap shall:

  • Process Personal Data only on your documented instructions (which include the configuration choices you make in the BugZap dashboard)
  • Ensure that persons authorized to process Personal Data have committed to confidentiality
  • Implement appropriate technical and organizational security measures as described in our Privacy Policy Section 10
  • Not engage additional sub-processors without prior notice (see Section 5)
  • Assist you in fulfilling your obligations to respond to Data Subject rights requests
  • Assist you, taking into account the nature of processing, with Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities where required under GDPR Articles 35 and 36
  • At your choice, delete or return all Personal Data upon termination of the agreement (you may request return of data in JSON format during the 30-day export window described in the Terms of Use; after this period, all data will be deleted unless retention is required by law)
  • Make available all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits conducted by you or an auditor mandated by you (with reasonable advance notice and during business hours)

4. Obligations of the Controller

You shall:

  • Ensure you have a lawful basis for collecting end-user data through the BugZap widget, SDK, or extension
  • Provide appropriate privacy notices to your end-users disclosing the use of BugZap
  • Configure appropriate input masking for session replay to prevent capture of sensitive data
  • Not use BugZap to collect special category data (health, biometric, racial, political, etc.) without explicit consent and prior agreement with BugZap
  • Promptly notify BugZap of any Data Subject requests that require BugZap's assistance

5. Sub-Processors

You authorize BugZap to engage the sub-processors listed at bugzap.dev/sub-processors. BugZap will notify you of any intended changes to sub-processors by updating the sub-processor list page. You may object to a new sub-processor within 14 days of the update by contacting us. If we cannot address your objection, you may terminate your subscription.

6. Data Security

BugZap implements the following technical and organizational measures:

  • Encryption in transit (TLS 1.2+) for all data transmission
  • Encryption at rest for database and file storage (managed by Supabase)
  • Row-Level Security (RLS) ensuring project-level data isolation
  • Secure authentication with httpOnly cookies and CSRF protection
  • Rate limiting on all public API endpoints
  • HMAC-SHA256 webhook signature verification
  • Security headers (HSTS, X-Frame-Options, X-Content-Type-Options)
  • Regular security reviews and vulnerability assessments

7. Data Breach Notification

In the event of a personal data breach, BugZap shall notify you without undue delay and in any case within 72 hours of becoming aware of the breach. The notification shall include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken to mitigate the breach.

8. Data Subject Rights

BugZap shall assist you in responding to Data Subject rights requests (access, rectification, erasure, portability, objection, restriction). If BugZap receives a request directly from a Data Subject, we will promptly forward it to you unless we are legally required to respond directly.

9. International Transfers

Some sub-processors are located outside the EU/EEA (see the sub-processor list for details). These transfers are protected by Standard Contractual Clauses (SCCs) or equivalent mechanisms as maintained by each sub-processor.

10. Duration and Termination

This DPA remains in effect for the duration of your BugZap subscription. Upon termination, BugZap will delete all Personal Data within 30 days, unless retention is required by applicable law (e.g., billing records under Polish tax law).

11. Governing Law

This DPA is governed by the laws of Poland and is subject to the jurisdiction of Polish courts, without prejudice to EU consumers' right to bring proceedings in their country of residence.

12. Contact

For questions about this DPA, contact us at contact@bugzap.dev.