Security & privacy
How we handle the data your users send us
Bugpot receives screenshots of pages your reporters were looking at. That data deserves straight talk about how we store it, who can see it, and what happens when you want it deleted.
What we do
The controls we ship by default
These are on for every workspace, on every plan — not upsold and not toggled off on lower tiers.
TLS in transit
Every request between the widget, the dashboard and our API is served over TLS 1.2 or later. Modern ciphers only; HSTS enabled on the app origin.
Encrypted at rest
The Bugpot database and the object store that holds screenshots and attachments are encrypted at rest by the provider.
Screenshots served via authed routes
Screenshot URLs are not public. Each request is signed and scoped to the workspace, and the object store never lists publicly.
Self-hostable
The whole stack (Node dashboard, Postgres, object storage, embed loader) runs on your own infrastructure. Same code as the hosted product.
No third-party trackers
The marketing site and the dashboard do not ship third-party analytics or ad pixels. Widget telemetry is scoped to the workspace and never sold.
Signed webhooks
Outbound webhook deliveries are signed with an HMAC so your endpoint can verify the request came from Bugpot before it acts on it.
Sensitive-data masking
You can mark selectors on the host page as "do not capture" — the widget skips them when it renders the screenshot.
Deletion on request
Reporters and workspace owners can delete reports and attachments. Deletions propagate to the object store within 24 hours.
Data handling
What Bugpot stores, and why
When a reporter submits a bug, Bugpot stores the annotated screenshot, the environment block (browser, operating system, viewport, URL, device pixel ratio), any console errors captured in the moment, and the message the reporter wrote. If the reporter is signed in on the host site and you have passed us their identity, we store that; if they are a guest, we store whatever they typed into the guest form.
We store this because it is the whole point of the tool: the developer opening the report needs the screenshot, environment and console log to do their job. We do not share this data with third parties, we do not train models on it, and we do not use it to profile reporters across sites.
Screenshots are stored in an object store that never lists publicly. Each screenshot is served via a signed URL that is checked against the workspace on every request, so a leaked URL alone does not expose an image.
GDPR posture
Where we sit on GDPR
Bugpot is a data processor for the reports your reporters submit. You are the data controller for the workspace. On request, we will sign a Data Processing Agreement built around this arrangement.
Reporters and workspace owners can request deletion at any time. Deletion removes the report from the dashboard immediately and purges the attachment from the object store within 24 hours. Backups are rotated on a rolling window; deletions propagate through backup rotation.
If your compliance policy requires data to stay in-region, the self-hosted stack is the same code as the hosted product — not a feature-reduced fork — and runs in your infrastructure.
What we do not claim
Certifications and where we are on them
We do not claim SOC 2, ISO 27001 or other formal certifications on this page. If we achieve one, it will land on this page with the audit report and the date. Until then, the controls above are what we ship — not a summary of what an auditor has signed off on.
If you are evaluating Bugpot for a procurement process and need to complete a security questionnaire, we’re happy to answer it directly. Point your compliance team at the contact page or email hello@bugpot.io.
Try Bugpot on a project you control
Free for five websites. Cancel any time, export your data at any time.