Last updated: 2026-07-11
Bug Reporter has two parts: a browser extension that captures a bug report, and a hosted service where your team stores and manages reports. This policy explains what personal data we handle, why, who it is shared with, how long we keep it, and your rights. It is written to meet India's Digital Personal Data Protection Act, 2023 (DPDP) and the EU GDPR.
Plain-language summary
The extension only captures a bug when you tell it to. It records screenshots, your clicks (the button/field name โ never what you type into a website), the page's console and network activity, and โ if you start one โ a screen-and-voice video. When you submit a report it goes to your organization's workspace on our servers. To help write the report up, its contents (including screenshots) are sent to an AI provider. We also connect to the tools you choose (Jira, Slack, Google Drive, etc.). We never sell your data, and you can ask us to show, correct, or delete it.
1. Who is responsible for your data
For bug-report content, your organization is the controller (DPDP: Data Fiduciary) and we act as a processor on their behalf. For account and billing data (the name/email of people who sign in), we are the controller. Operator/contact: Zicuro, [email protected].
2. What we collect
- Account data: name, email, role, a personal extension access code, and a password (stored only as a secure one-way hash).
- Screenshots of the page (including full-page) โ these can contain other people's data on screen.
- Your click steps โ the button/field label. Text you type into a website is never recorded.
- The page's console log and network requests (methods, URLs, status codes โ not request/response bodies).
- Screen video with microphone audio, if you start a video, and a per-site "dashcam" buffer where you enable it.
- The description and comments you type into the report form, and your browser type/version.
Never captured: text typed into websites, passwords, or anything while you aren't actively reporting. We use your IP address only in memory to limit abuse โ it is not stored in our database or logs.
3. Why we use it (lawful basis)
To provide the service (contract); to keep it secure (legitimate interests); for AI drafting (legitimate interests โ an admin can turn it off for a workspace); and, where the law requires, with your consent.
4. Who we share it with (sub-processors)
Only the services needed to run the product or that you choose to connect. We do not sell personal data or use it for advertising.
- AI provider (OpenRouter / the configured model): the bug's text, steps, a console/network summary, and up to 4 screenshots โ to draft a summary.
- Google / Microsoft: your name, email, account ID โ only if you sign in with them.
- Google Drive / OneDrive: your bug video files โ only if your workspace connects its own storage.
- Jira / Linear / GitHub: the bug details โ only when you create a ticket from a bug.
- Slack: bug number, title, severity, reporter name โ only if your workspace connects Slack.
- Resend (email): your name + email address โ to send account, password-reset, notification, and product-update emails.
Account and security emails are part of the service; product-update newsletters are optional and every one has a one-click unsubscribe link (or turn them off under Account → Email preferences).
Cross-border transfer: several of these providers process data outside India / the EU (e.g. in the United States). By using those features you accept that the relevant data is transferred to them under their terms; we sign data-processing agreements with sub-processors where required.
5. AI processing
When a report is submitted, its contents โ including up to four screenshots โ are sent to an AI provider to draft a clear title and summary. If your organization does not want any AI processing, an admin can email us to disable it for your workspace, or configure your own AI key so it runs under your own provider account.
6. Retention & deletion
We keep reports and account data while your workspace is active. You can ask us to delete your personal data and we will do so, subject to any legal retention. Email the contact below to request deletion or workspace closure.
7. Your rights
Under DPDP and GDPR you can ask us to access, correct, delete, or export your data, and to object to or restrict certain processing, or withdraw consent. Contact us to exercise these; if your data came through your employer's workspace we may route the request to that organization. You may also complain to the Data Protection Board of India or your local EU supervisory authority.
8. Security
Encryption in transit (HTTPS), strict separation between organizations' data, hashed passwords and session tokens, encryption at rest for stored credentials, role-based access control, and time-limited download links. We will notify you of any breach as required by law.
9. Grievance / Data Protection Officer (DPDP ยง13)
Grievance Officer: Mohin Shah ยท Email: [email protected]. This contact also serves as our GDPR data-protection point of contact.
10. Cookies and local storage
We use no tracking or advertising cookies. The dashboard stores a login token in your browser's local storage only to keep you signed in; it is removed when you log out.
11. Children
The service is for workplace use and is not directed at children. We do not knowingly process children's data; if you believe a child's data was captured, contact us and we will delete it.
12. Changes & contact
We may update this policy and will change the date above (and notify admins of significant changes). Questions or requests: [email protected].