Security & Data Handling

Last updated: June 11, 2026

This page is for security, legal, and engineering teams evaluating BugHarbor. It explains what our embed scripts collect on your website, how we store and protect data, and your responsibilities as a customer.

1. Overview

BugHarbor provides a feedback widget and optional JavaScript error tracker that you embed on your website or application. When your end users interact with these scripts, data is transmitted to BugHarbor's API and stored on your behalf.

There are two distinct data flows:

  • BugHarbor account data — Information about you and your team (registration, billing, dashboard usage). Covered in our Privacy Policy.
  • End-user data collected via embed scripts — Feedback, error reports, attachments, and technical metadata from visitors on your site. You are the data controller; BugHarbor acts as a data processor. Governed by our Data Processing Agreement (DPA).

Embed scripts do not set cookies on your visitors' browsers. The widget and error tracker communicate with BugHarbor via HTTPS API requests when feedback is submitted or errors occur. They do not load third-party advertising or analytics trackers.

2. Data collected by embed scripts

2.1 Feedback widget (widget.js)

Loaded on your site with your project API key. Data is sent to POST /api/v1/feedback when a user submits feedback.

Data | Source | May contain PII?
Title, description, type, priority | User input | Yes — user-provided content
Email address | Optional user input | Yes — if provided
Custom fields | Your widget configuration | Yes — depends on your fields
Page URL and path | Automatic metadata | Possible — query strings may contain tokens or IDs
User agent, language, platform | Automatic metadata | Low risk
Screen and viewport dimensions | Automatic metadata | No
Timestamp | Automatic metadata | No
Screenshots, screen recordings, audio | User capture / upload | Yes — may capture visible page content including names, emails, account data
IP address, user agent (server-side) | Request headers | Yes — IP may be personal data under GDPR

2.2 Error tracker (error-tracker.js)

Optional script for automatic JavaScript error capture. Data is sent to POST /api/v1/errors when errors occur or are reported manually.

Data | Source | May contain PII?
Error message, stack trace, file, line, column | JavaScript runtime | Yes — messages may include user IDs, emails, or tokens
Page URL and referrer | Automatic | Possible — query strings and paths may identify users
Breadcrumbs (clicks, navigation, console, fetch/XHR URLs) | Automatic session tracking | Yes — click text, API URLs, and navigation history may expose PII
User context via BugHarbor.setUser() | Your application code | Yes — whatever you pass is stored
Device context (screen, viewport, language, platform) | Automatic | Low risk
Environment and release version | Script configuration | No
IP address, user agent (server-side) | Request headers | Yes

2.3 What embed scripts do not collect

  • No cookies or local storage used for tracking visitors
  • No third-party advertising or analytics pixels loaded by our scripts
  • No continuous background monitoring — network calls occur on feedback submission or error events only
  • No access to form fields or DOM content unless captured in a user-initiated screenshot or recording

2.4 Landing page URL preview scan

Our marketing site offers an optional, unauthenticated URL preview. When you submit a URL, BugHarbor's servers fetch the homepage HTML once from the public internet to run static checks (for example missing lang attributes, viewport meta tags, and same-site link health). This preview does not execute JavaScript in a browser, does not crawl your entire site, and does not install any script on the target site.

  • Only scan websites you own or have permission to test. Do not use this feature to probe third-party systems.
  • Requests are rate-limited per IP and blocked against private networks, localhost, and non-standard ports.
  • Scan summaries are cached temporarily (24 hours) to support the signup funnel and are not used for advertising profiles.
  • Runtime JavaScript errors and AI fix prompts require installing widget.js and error-tracker.js on your site.
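
The target checks listed above (private networks, localhost, non-standard ports), sketched as an added example for reviewers; this is not BugHarbor's code. The function names, the deny-list contents, and the idea of passing in already-resolved DNS addresses are assumptions made for illustration.

```javascript
// Added example (not BugHarbor code): pre-fetch validation for a URL preview.
const net = require('node:net');

// Constructed deny-list: unspecified, RFC 1918, CGNAT, loopback, link-local, ULA.
const denied = new net.BlockList();
for (const [addr, bits] of [['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10],
  ['127.0.0.0', 8], ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16]]) {
  denied.addSubnet(addr, bits, 'ipv4');
}
for (const [addr, bits] of [['::', 128], ['::1', 128], ['fc00::', 7], ['fe80::', 10]]) {
  denied.addSubnet(addr, bits, 'ipv6');
}

function isDeniedAddress(ip) {
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(ip); // IPv4-mapped IPv6
  if (mapped) ip = mapped[1];
  const family = net.isIP(ip);
  if (family === 0) return true; // not an IP address at all: fail closed
  return denied.check(ip, family === 4 ? 'ipv4' : 'ipv6');
}

// resolvedIps: addresses the caller obtained from DNS for the hostname
// (hypothetical input, supplied inline here so the example runs offline).
function checkPreviewTarget(rawUrl, resolvedIps = []) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: 'unparseable URL' }; }
  if (!['http:', 'https:'].includes(url.protocol)) return { ok: false, reason: 'scheme' };
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  // WHATWG URL leaves port empty only for the scheme default (80 / 443).
  if (url.port !== '') return { ok: false, reason: 'non-standard port' };
  const host = url.hostname.replace(/^\[|\]$/g, '').replace(/\.$/, '');
  if (host === 'localhost' || host.endsWith('.localhost')) return { ok: false, reason: 'localhost' };
  // The parser has already normalised numeric IPv4 spellings to dotted form.
  // IP literals are checked directly; names are checked via every resolved address.
  const candidates = net.isIP(host) ? [host] : resolvedIps;
  if (candidates.length === 0) return { ok: false, reason: 'no address' };
  if (candidates.some(isDeniedAddress)) return { ok: false, reason: 'private network' };
  // Connect to one of these vetted addresses rather than resolving the name again.
  return { ok: true, host, connectTo: candidates };
}
```

A fetcher built on this check has to apply it again to every redirect target, since a public URL can redirect to an internal one.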

3. Where data is stored

  • Primary data region: European Union
  • Application and database hosting: Cloud infrastructure provider
  • File attachments: Application server storage (local disk or S3-compatible object storage)
  • Tenant isolation: Each customer account uses isolated database storage. Your projects, feedback, and attachments are logically separated from other customers.
  • Encryption in transit: All data between embed scripts, the dashboard, and our API is transmitted over HTTPS (TLS).
  • Encryption at rest: Sensitive credentials for third-party integrations (Slack, GitHub, Jira, etc.) are encrypted in our database. Infrastructure-level encryption at rest depends on your hosting configuration.

See our Sub-processors page for third parties that may process data, including AI analysis providers.

4. PII and sensitive data handling

We are transparent about PII handling because embed scripts operate on pages that may display personal data.

4.1 What BugHarbor does today

  • Screenshots and recordings: Stored as submitted. We do not automatically blur or redact content visible on the page at capture time.
  • Error messages and breadcrumbs: Stored as captured. We do not automatically scrub emails, tokens, or other PII from error text or URLs.
  • AI analysis: When enabled, we send feedback text (title, description, metadata JSON, and audio transcriptions) to OpenAI for summarization and categorization. Screenshot and recording files are not sent to OpenAI. Metadata may include URLs that contain query parameters.
  • Audio retention: When feedback is marked resolved, original audio files are deleted from storage. Text transcriptions are retained for your records.
  • Integration tokens: Encrypted at rest in our database.

4.2 Recommendations for customers

  • Update your website privacy notice to disclose BugHarbor as a sub-processor
  • Ensure a lawful basis for collecting end-user feedback (consent, legitimate interest, etc.)
  • Avoid embedding scripts on pages with highly sensitive data unless necessary
  • Do not pass identifiable user data to BugHarbor.setUser() unless required — use opaque user IDs
  • Keep secrets and tokens out of URLs where possible, since URLs are captured in metadata and error context
  • Ask users to avoid submitting unnecessary personal information in free-text fields
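
Two of the recommendations above (opaque user IDs for BugHarbor.setUser() and keeping tokens out of URLs) as an added customer-side example; this is not BugHarbor's code. The function names, the parameter list, and the setUser() argument shape shown in the closing comment are assumptions.

```javascript
// Added example (not BugHarbor code): data minimisation on the customer side.
const crypto = require('node:crypto');

// Server side: derive a stable pseudonym so the raw account ID or email never
// reaches setUser(). The key stays on your server; rotating it unlinks old IDs.
function opaqueUserId(internalId, key) {
  return crypto.createHmac('sha256', key).update(String(internalId)).digest('hex').slice(0, 32);
}

// Constructed list of query parameters that commonly carry secrets or identifiers.
const SENSITIVE_PARAMS = ['token', 'access_token', 'id_token', 'code', 'reset', 'email', 'session'];

// Returns the URL with sensitive parameters removed from the query string and
// from a query-style fragment (#access_token=...). Parts without a match are
// left untouched so hash-routed paths are not re-encoded.
function stripSensitiveParams(rawUrl, names = SENSITIVE_PARAMS) {
  const url = new URL(rawUrl);
  const deny = new Set(names.map((n) => n.toLowerCase()));
  const hits = (params) => [...params.keys()].filter((k) => deny.has(k.toLowerCase()));

  for (const name of hits(url.searchParams)) url.searchParams.delete(name);

  const frag = new URLSearchParams(url.hash.slice(1));
  const fragHits = hits(frag);
  if (fragHits.length > 0) {
    for (const name of fragHits) frag.delete(name);
    url.hash = frag.toString();
  }
  return url.toString();
}

// Browser side, once the application has consumed the parameter and before a
// later feedback or error event records the page URL:
//   history.replaceState(null, '', stripSensitiveParams(location.href));
//   BugHarbor.setUser({ id: opaqueIdFromServer }); // argument shape is an assumption
```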

5. GDPR, CCPA, and legal roles

  • You (the customer) are the data controller for personal data collected from your end users via embed scripts.
  • BugHarbor is the data processor, processing that data on your instructions to provide the feedback and error tracking service.
  • Our DPA covers processor obligations, sub-processors, security measures, breach notification, and data deletion on termination.
  • International transfers to sub-processors (e.g. OpenAI in the United States) are covered by Standard Contractual Clauses and our sub-processor agreements.

End-user data subject requests (access, deletion, portability) should generally be directed to you as the controller. We assist you in fulfilling those requests through the dashboard and API. Enterprise customers may contact privacy@bugharbor.space for DPA execution or security questionnaires.

6. Data retention and deletion

Data type | Retention
Feedback and error records | Retained while your account and project are active. Deleted when you delete the project or account, subject to legal hold requirements.
Attachments (screenshots, recordings) | Retained with feedback until project/account deletion. Audio files removed from storage when feedback is marked resolved (transcript kept).
Archived projects | Data retained for up to 6 months after archiving, then permanently removed.
Account termination | Personal data deleted or returned within 30 days per our DPA, unless retention is required by law.

You can delete individual feedback items and entire projects from the dashboard. API access is available for programmatic retrieval and deletion.

7. Security controls

  • HTTPS only for all API and dashboard traffic
  • API key authentication for embed script and API access, scoped per project
  • Per-tenant database isolation for customer data
  • Rate limiting on authentication and feedback submission endpoints
  • Two-factor authentication (2FA) available for dashboard users
  • Security headers including Content-Security-Policy, HSTS (production), X-Frame-Options, and Referrer-Policy on the BugHarbor application
  • Encrypted integration credentials for third-party service tokens
  • Role-based team access with project-level permissions
  • Webhook signing for outbound integration events

SOC 2: We are building toward SOC 2 Type II certification for enterprise customers. We do not currently hold a SOC 2 report. Contact us if you need a security questionnaire or detailed control documentation in the interim.

8. Sub-processors and AI

When AI features are enabled on your plan, feedback text and metadata may be processed by OpenAI for summarization, categorization, priority suggestions, and duplicate detection. Audio may be transcribed before analysis.

A complete, current list of sub-processors — including hosting, email, payment, and AI providers — is maintained on our Sub-processors page. We notify customers at least 30 days before adding new sub-processors that process personal data.

9. Enterprise and security reviews

We support standard enterprise procurement workflows:

  • Signed Data Processing Agreement
  • Sub-processor list and objection process
  • Security questionnaire completion (on request)
  • Custom retention or data handling requirements (contact us)

For security inquiries, DPA requests, or data subject assistance: privacy@bugharbor.space

10. Related documents