← Back

Privacy Policy

Last updated: 18 February 2026

1. Introduction and Scope

BugBoard ("we", "us", "our") is a visual feedback and bug reporting tool operated by TechTeamUp, a company based in the United Kingdom. This Privacy Policy explains how we handle personal information at bugs.techteamup.com.

This policy applies globally to:

  • Project Owners — users who create projects and install the embeddable widget on their websites
  • Team Members — users who review and manage bug reports within projects
  • Feedback Submitters — end users of third-party websites who submit visual feedback via the embedded widget

We comply with the UK GDPR, EU GDPR, Data Protection Act 2018, CCPA/CPRA, and other applicable laws.

2. Data Controller and Data Processor

  • Data Controller: TechTeamUp is the controller for BugBoard account data.
  • Data Processor: For feedback data collected via the widget on third-party sites, the site operator (Project Owner) is the controller and TechTeamUp is the processor. See our Data Processing Agreement.

Data Protection Contact: Tom Watts, Director · TechTeamUp · [email protected]

3. Personal Data We Collect

3.1 Information Provided by Users

CategoryExamplesLawful Basis
Account dataName, email, hashed passwordContract (Art. 6(1)(b))
Bug report contentDescription text, annotationsContract / Consent (Art. 6(1)(b)/(a))
Feedback submitter infoName/email if provided via widget form fieldsConsent (Art. 6(1)(a))

3.2 Information Collected via Technology

CategoryExamplesLawful Basis
ScreenshotsVisual capture of the page visible area at time of feedbackConsent / Legitimate interest (Art. 6(1)(a)/(f))
Page metadataURL, browser, OS, screen resolution, viewport sizeLegitimate interest (Art. 6(1)(f))
Console logsJavaScript errors/warnings (when enabled by Project Owner)Legitimate interest (Art. 6(1)(f))
Device dataIP address (server logs), user agentLegitimate interest (Art. 6(1)(f))

3.3 Important: Screenshot Data

Screenshots captured by the widget may contain personal information visible on the page at the time of capture (e.g., names, email addresses displayed in UI). The widget does not:

  • Capture password fields or hidden form inputs
  • Record user input in real-time or keystrokes
  • Access data outside the visible viewport unless scrolled by the user
  • Set any cookies on the third-party site
  • Track users across sessions or pages

Project Owners are responsible for ensuring appropriate privacy notices on their sites about the widget.

4. How We Use Your Data

  • To provide the bug reporting and feedback Service
  • To store and display screenshots, annotations, and bug reports
  • To authenticate users and manage accounts and projects
  • To send notifications about new feedback
  • To maintain security and prevent abuse

5. Data Retention Schedule

Data TypeRetention
Account dataDuration of account + 30 days
Bug reports and screenshotsWhile project exists, or until deleted by Project Owner
Activity logs90 days
Auth sessions30 days (auto-expiry)

6. Data Storage, Security, and Transfers

Infrastructure: Railway (EU region).

  • TLS 1.2+ in transit; encryption at rest
  • bcrypt password hashing
  • Project-level access control
  • Rate limiting and brute-force protection

Transfers outside UK/EEA use SCCs, UK IDTA, and/or DPF adequacy decisions.

7. Sub-Processors

Sub-ProcessorPurposeLocationTransfer
RailwayHosting, databaseEUEEA
CloudflareDNS, CDN, DDoS protectionGlobal (US entity)SCCs / DPF
EmailitEmail deliveryEUSCCs

14 days' notice before changes. We do not sell personal data.

8. Your Rights

8.1 UK/EU (GDPR)

  • Access (Art. 15), Rectification (Art. 16), Erasure (Art. 17), Restrict (Art. 18), Portability (Art. 20), Object (Art. 21)
  • Withdraw consent at any time
  • Complain to the ICO (ico.org.uk) or your EU supervisory authority

8.2 California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with additional rights. We also comply with the California Online Privacy Protection Act (CalOPPA).

We do not sell your personal information. We do not share your personal information for cross-context behavioural advertising.

  • Right to Know: You may request the categories and specific pieces of personal information we have collected about you in the past 12 months, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
  • Right to Delete: You may request deletion of personal information we have collected from you, subject to certain exceptions.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell your personal information. No opt-out is necessary.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

Categories of Personal Information Collected (Past 12 Months)

CCPA CategoryExamplesCollected
IdentifiersName, email address, IP addressYes
Internet/Network ActivityBrowser type, OS, device info, page URLs, console logsYes
Electronic/Visual InformationScreenshots, annotationsYes
Sensitive Personal InformationNo

How to Exercise Your CCPA Rights

To make a verifiable consumer request, email [email protected] with the subject line "CCPA Request". We will verify your identity by matching information you provide against our records before fulfilling the request. You may also designate an authorised agent to make a request on your behalf, provided you supply written authorisation.

"Do Not Track" Signals

Our Service does not currently respond to "Do Not Track" (DNT) browser signals, as there is no universally accepted standard for how to respond to such signals. We do not track users across third-party websites and do not use advertising cookies.

8.3 Exercising Rights

Widget-submitted feedback: Contact the site operator (Project Owner).
Account data: [email protected]. Response: 1 month (GDPR) / 45 days (CCPA).

9. Automated Decision-Making

None.

10. Children's Data

Not directed at children under 16. Project Owners are responsible for ensuring appropriate protections on their sites.

11. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will:

  • Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by Article 33 of the UK GDPR
  • Notify affected Project Owners (data controllers) without undue delay to enable them to fulfil their own notification obligations
  • Where the breach is likely to result in a high risk to individuals, notify the affected data subjects directly without undue delay, as required by Article 34 of the UK GDPR
  • Document all breaches, including those that do not require notification, in our internal breach register

Our breach notification will include: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences of the breach, and the measures taken or proposed to address the breach and mitigate its effects.

12. Cookies

See our Cookie Policy.

13. Contact

Tom Watts, Director · TechTeamUp · [email protected] · techteamup.com