Legal
Privacy policy
Last updated 2 July 2026
This policy explains what personal data Bugpot collects, why we hold it, where it lives, and the rights you have over it. Bugpot is a visual feedback and bug reporting tool used by two very different groups — account holders who run workspaces, and end-users who submit feedback through the widget on someone else’s website. We’ve broken the policy along the same lines so you can find the part that applies to you.
Who we are
The data controller for Bugpot is Bugpot, a company based in the United Kingdom. Questions about this policy, requests to exercise your rights, or reports of a suspected breach should go to hello@bugpot.io.
If you have a Bugpot account
When you register a workspace or a team member account, we collect and store:
- Your name and email address
- A hash of your password (never the password itself)
- Your workspace name and any billing details you provide
- The projects, feedback items, comments and settings you create in the app
- An audit log of significant actions on your workspace
We use this data to run the service you’ve asked us to run: authenticating you, separating your workspace from anyone else’s, letting you invite team members, and giving you an audit trail. The legal basis is the contract you enter into when you sign up.
If you submit feedback through a widget
When you use the Bugpot widget on a website you don’t control — to report a bug, send a suggestion, or answer a question — the widget collects and submits the following on your behalf:
- The name and email address you type into the form
- The written feedback itself and any answers to custom form fields
- An annotated screenshot of the page as it looked when you opened the widget
- The page URL you were on
- Your browser and operating system name and version
- The viewport size and device pixel ratio
- Any JavaScript console errors captured on the page
The organisation that installed the widget on the site (their workspace owner) is the data controller for that feedback. Bugpot is a processor, storing and displaying the data on their behalf. If you want a copy of your feedback, or you’d like it deleted, contact whoever runs the site you sent it from — they can act on it inside their Bugpot workspace.
The website operator you’re reporting to is responsible for telling you the widget is there and what will be collected. If you’re unsure, ask the site owner.
Cookies and local storage
Bugpot uses the smallest set of cookies and browser storage we can get away with. Everything below is either strictly necessary for the app to work or a preference the user has set themselves.
On the Bugpot dashboard (this site)
mio_access— short-lived authentication cookie,HttpOnly, essentialmio_refresh— refresh-token cookie,HttpOnly, essentialmio-theme— localStorage entry remembering whether you chose light or dark mode
On sites where the widget is installed
The widget stores a small localStorage entry on the host site so that, if you report feedback again, it can pre-fill your name and email. That entry stays on your device only; nothing about it is shared back to us before you submit a report.
We do not use any third-party analytics or advertising cookies, anywhere — not on this site and not in the widget. There is no Google Analytics, no ad retargeting, no session replay.
Where your data lives
Bugpot is hosted in the United Kingdom. Application data (accounts, feedback text, comments, settings) lives on our own servers.
Screenshots are stored on the same UK infrastructure by default. Workspace owners who have configured their own Amazon S3 bucket for a project can have screenshots stored on that bucket instead — in which case the choice of region is theirs. In both cases screenshots are never publicly listed; they’re served only through authenticated routes inside the Bugpot dashboard.
Payments
If you subscribe to a paid plan, your payment is processed by Stripe. Card numbers are entered directly into Stripe’s hosted form and never touch our servers — we only ever see the last four digits, card brand, and the subscription state Stripe reports back to us. Stripe processes billing personal data under its own privacy policy.
Rate limiting and abuse prevention
To protect the service from abuse, we temporarily record IP addresses of requests hitting our authentication and submission endpoints. These records are used only to apply rate limits and to block obvious attacks. They are automatically discarded once they’re no longer useful for that purpose.
Contact-form submissions
When you send us a message through the public contact form on this site, we store the name, email, company and message you provide, along with the IP address the request came from. We use that information solely to reply to you and to keep a record of the enquiry.
Sub-processors
Bugpot uses a small number of external services to run parts of the platform. Each one only receives the data it needs to do its job.
- Stripe— payment processing, when you subscribe to a paid plan.
- Amazon Web Services (S3)— screenshot storage, only when a workspace has configured an S3 bucket for a project.
- Anthropic— optional AI assistance features (title suggestion, rewrite, translation). Only activated when a workspace owner turns AI assistance on. Feedback text is sent for processing at the moment a request is made; per Anthropic’s API terms it is not used to train their models.
How long we keep data
Account data is retained for as long as your account is open. When you delete your account, associated workspace, project, feedback and audit data is deleted with it.
Feedback items live for as long as the project that owns them exists. The workspace owner can delete feedback at any time; when they do, the item and its screenshot are removed.
Contact-form messages are kept for as long as reasonably useful to answer the enquiry, and then cleared.
What we don’t do
- We do not sell personal data. Ever. To anyone.
- We do not share personal data with advertisers or data brokers.
- We do not use third-party analytics or session-replay tools.
- We do not use widget-collected feedback to train machine-learning models of our own.
Your rights
Under the UK GDPR you have the right to:
- Access the personal data we hold about you
- Ask us to correct data that is inaccurate
- Ask us to erase your personal data
- Export your personal data in a portable format
- Object to specific processing activities
- Lodge a complaint with the Information Commissioner’s Office if you believe we’ve mishandled your data
To exercise any of these rights, email hello@bugpot.io. We’ll reply within 30 days, and usually much sooner.
Changes to this policy
When we change this policy we’ll update the “last updated” date at the top and, if the change is material, tell active workspace owners by email. Older versions of the policy are available on request.