bugpot

Security & privacy

How we handle the data your users send us

Bugpot receives screenshots of pages your reporters were looking at. That data deserves straight talk about how we store it, who can see it, and what happens when you want it deleted.

What we do

The controls we ship by default

These are on for every workspace, on every plan — not upsold and not toggled off on lower tiers.

TLS in transit

Every request between the widget, the dashboard and our API is served over TLS 1.2 or later. Modern ciphers only; HSTS enabled on the app origin.

Encrypted at rest

The Bugpot database and the object store that holds screenshots and attachments are encrypted at rest by the provider.

Screenshots served via authed routes

Screenshot URLs are not public. Each request is signed and scoped to the workspace, and the object store never lists publicly.

Self-hostable

The whole stack (Node dashboard, Postgres, object storage, embed loader) runs on your own infrastructure. Same code as the hosted product.

No third-party trackers

The marketing site and the dashboard do not ship third-party analytics or ad pixels. Widget telemetry is scoped to the workspace and never sold.

Signed webhooks

Outbound webhook deliveries are signed with an HMAC so your endpoint can verify the request came from Bugpot before it acts on it.

Sensitive-data masking

You can mark selectors on the host page as "do not capture" — the widget skips them when it renders the screenshot.

Deletion on request

Reporters and workspace owners can delete reports and attachments. Deletions propagate to the object store within 24 hours.

Data handling

What Bugpot stores, and why

When a reporter submits a bug, Bugpot stores the annotated screenshot, the environment block (browser, operating system, viewport, URL, device pixel ratio), any console errors captured in the moment, and the message the reporter wrote. If the reporter is signed in on the host site and you have passed us their identity, we store that; if they are a guest, we store whatever they typed into the guest form.

We store this because it is the whole point of the tool: the developer opening the report needs the screenshot, environment and console log to do their job. We do not share this data with third parties, we do not train models on it, and we do not use it to profile reporters across sites.

Screenshots are stored in an object store that never lists publicly. Each screenshot is served via a signed URL that is checked against the workspace on every request, so a leaked URL alone does not expose an image.

GDPR posture

Where we sit on GDPR

Bugpot is a data processor for the reports your reporters submit. You are the data controller for the workspace. On request, we will sign a Data Processing Agreement built around this arrangement.

Reporters and workspace owners can request deletion at any time. Deletion removes the report from the dashboard immediately and purges the attachment from the object store within 24 hours. Backups are rotated on a rolling window; deletions propagate through backup rotation.

If your compliance policy requires data to stay in-region, the self-hosted stack is the same code as the hosted product — not a feature-reduced fork — and runs in your infrastructure.

What we do not claim

Certifications and where we are on them

We do not claim SOC 2, ISO 27001 or other formal certifications on this page. If we achieve one, it will land on this page with the audit report and the date. Until then, the controls above are what we ship — not a summary of what an auditor has signed off on.

If you are evaluating Bugpot for a procurement process and need to complete a security questionnaire, we’re happy to answer it directly. Point your compliance team at the contact page or email hello@bugpot.io.

Try Bugpot on a project you control

Free for five websites. Cancel any time, export your data at any time.