Privacy Policy

Last updated: February 22, 2026

1. Introduction

BugZap ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your personal data when you use our visual bug reporting platform. We comply with the General Data Protection Regulation (GDPR) and applicable Polish data protection laws.

2. Data Controller

The data controller is:

  • Name: Piotr Gebski (sole proprietorship / jednoosobowa działalność gospodarcza)
  • Address: B. Stolarskiego 10/12, 97-200 Tomaszów Mazowiecki, Poland
  • NIP: 7732424192
  • REGON: 543003417
  • Contact: contact@bugzap.dev

When our customers use the BugZap widget or SDK to collect bug reports from their own end-users, BugZap acts as a data processor on behalf of the customer (data controller). In this case, processing is governed by our Data Processing Agreement.

3. Data We Collect

3.1 Account Data

  • Email address (required for account creation)
  • Full name (optional)
  • OAuth profile data (if you sign in with GitHub)

3.2 Bug Report Data

  • Screenshots and annotations you upload
  • Bug titles, descriptions, and severity levels
  • Page URLs where bugs were captured
  • Browser console logs and network error data
  • Session replay recordings (available on all plans with tiered retention)

3.3 Widget and SDK Data

When your end-users submit bug reports through the BugZap widget or SDK embedded on your website, we collect:

  • Bug report content (title, description, screenshots)
  • Browser information (user agent, viewport size)
  • Page URL where the report was submitted
  • Email address (if voluntarily provided by the end-user)
  • Console logs and network errors (if enabled)
  • Session replay DOM events (if enabled, with input masking applied)

This data is processed on behalf of the website owner (our customer) who is the data controller for their end-users' data. End-users should refer to the website owner's privacy policy for details on how their data is handled.

3.4 Technical Data

  • Browser type and version
  • Operating system
  • Screen resolution
  • IP address (for security and abuse prevention, not stored long-term)

3.5 Billing Data

  • Payment information is processed by Stripe and never stored on our servers
  • We store your Stripe customer ID for subscription management
  • Withdrawal consent records are stored in Stripe session metadata

4. How We Use Your Data

  • Service delivery: To provide bug tracking, collaboration, and reporting features
  • AI features: Bug report data (title, description, severity, console logs) may be sent to Anthropic's Claude API for AI-powered summaries (Small Team and Team plans). Data is not retained by Anthropic for model training. Session replay recordings and screenshots are not sent to AI services.
  • Integrations: Bug data is shared with third-party services you explicitly connect (Linear, GitHub, Jira, Slack, Zapier)
  • Communication: To send transactional emails (magic links, billing notifications)
  • Security: To detect and prevent abuse, fraud, and unauthorized access

5. Legal Basis for Processing (GDPR)

  • Contract (Art. 6(1)(b)): Processing necessary to provide the Service you signed up for
  • Legitimate interest (Art. 6(1)(f)): Security monitoring, fraud prevention, service improvement
  • Consent (Art. 6(1)(a)): AI-powered features are opt-in (triggered by user action)
  • Legal obligation (Art. 6(1)(c)): Billing records retained under Polish tax law

6. Data Sharing and Sub-Processors

We share data only with the following sub-processors:

  • Supabase — Database, authentication, and file storage (EU region available)
  • Vercel — Application hosting and serverless functions (US-based)
  • Stripe — Payment processing (US-based)
  • Resend — Transactional email delivery (US-based)
  • Anthropic — AI summaries, only when you use the feature (US-based)

When you connect integrations, data is also shared with:

  • Linear — Issue tracking (at your direction)
  • GitHub — Issue tracking (at your direction)
  • Atlassian / Jira — Issue tracking (at your direction)
  • Slack — Notifications (at your direction)
  • Zapier — Automation platform (at your direction). Note: Zapier may forward data to additional third-party applications based on your Zap configuration. You are responsible for reviewing the privacy practices of downstream services.

A complete sub-processor list with data categories and locations is available at bugzap.dev/sub-processors.

We do not sell your data to advertisers or data brokers.

7. Data Retention

  • Active account data: retained for the duration of your subscription
  • Deleted account data: permanently removed within 30 days (with 30-day export window)
  • Free-tier inactive accounts: data may be deleted after 12 months of inactivity with prior email notice
  • Billing records: retained as required by Polish tax law (5 years)
  • Security logs (IP addresses): retained for up to 90 days

8. Your Rights (GDPR)

You have the right to:

  • Access (Art. 15): Request a copy of your personal data
  • Rectification (Art. 16): Correct inaccurate data
  • Erasure (Art. 17): Request deletion of your data ("right to be forgotten")
  • Portability (Art. 20): Receive your data in a machine-readable format (JSON export)
  • Objection (Art. 21): Object to processing based on legitimate interest
  • Restriction (Art. 18): Request limitation of processing
  • Withdraw consent: Where consent is the legal basis, you may withdraw it at any time without affecting prior processing

To exercise these rights, email contact@bugzap.dev. We will respond within one month (as required by GDPR Art. 12(3)). You also have the right to lodge a complaint with the Polish supervisory authority (UODO — Urząd Ochrony Danych Osobowych) at uodo.gov.pl.

9. Cookies

We use essential cookies for authentication and session management. We do not use tracking cookies, advertising cookies, or analytics cookies. No cookie consent banner is required since we only use strictly necessary cookies as defined by the ePrivacy Directive.

10. Security

We implement industry-standard security measures including encrypted connections (TLS), secure cookie configuration (httpOnly, SameSite, Secure), Row-Level Security on database access, CSRF protection on OAuth flows, rate limiting on public endpoints, and regular security reviews.

11. International Transfers

Some of our sub-processors (Vercel, Anthropic, Stripe) may process data outside the EU/EEA. These transfers are protected by Standard Contractual Clauses (SCCs) or equivalent safeguards as required by GDPR Chapter V. Details are listed in our sub-processor list.

12. Children

BugZap is not intended for use by individuals under 16. We do not knowingly collect data from children. If you learn that a child has provided us with personal data, please contact us and we will delete it promptly.

13. Changes

We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 14 days before taking effect. The "last updated" date at the top reflects the most recent revision.

14. Contact

For privacy questions or data requests, contact us at contact@bugzap.dev.

Piotr Gebski
B. Stolarskiego 10/12
97-200 Tomaszów Mazowiecki, Poland