Privacy Policy

Account Information: When you sign up, we collect your email address, name, and profile photo (if signing in via GitHub or Google OAuth).

Scan Data: We store the URLs you scan, the bugs detected, scan results, and debate verdicts. This data is tied to your user account.

Usage Data: We collect information about how you use the Service — such as scan frequency and features used — to improve the product.

Payment Information: Payment details are processed by Paddle (paddle.com), who acts as Merchant of Record. We do not store your credit card number. We only receive confirmation of successful payment, your subscription tier, and the email associated with the transaction.

Scan Authentication: If you provide login credentials to scan pages behind authentication, these are stored in your account preferences and used only during scans. You can remove them at any time by clearing the authentication fields.

Password History: When you reset your password, a one-way hash of the new password is stored to prevent reuse of recent passwords. The original password cannot be recovered from this hash.

Cookies: We use cookies for authentication sessions. See our Cookie Policy for full details.

To provide the Service: Your scan data is used to display results, history, and debate verdicts in your dashboard.

To improve the Service: Aggregated, anonymized usage data helps us understand what features work and what needs improvement.

To communicate with you: We may send transactional emails (welcome email, password reset, scan notifications) and occasional product updates or promotional emails. You can unsubscribe from marketing emails at any time using the link in the email.

To enforce our Terms: We use account data to detect abuse, enforce scan limits, and protect the integrity of the platform.

Anthropic: Bug data is sent to Anthropic's Claude API to generate debate arguments and verdicts. Anthropic's data policies apply to this processing.

Supabase: Your account and scan data is stored in Supabase (database and authentication). Data is encrypted at rest and in transit.

Paddle: Payment processing is handled by Paddle (paddle.com) as Merchant of Record. Paddle receives your payment details directly. We do not store credit card information.

Google: If you sign in with Google, we receive your email, name, and profile photo via Google OAuth. We do not access any other Google services or data.

GitHub: If you sign in or connect GitHub, we use OAuth tokens to authenticate you and to create issues on your behalf. We do not read your private repositories.

Jira: If you connect Jira, we store your Jira domain, email, project key, and API token to create issues on your behalf. The API token is encrypted at rest. This data is used only for issue creation.

No selling: We do not sell, rent, or trade your personal information to any third party for marketing purposes.

Scan history: Scan results are retained while your account is active. You may request deletion of specific scans or all scan data at any time.

Account data: Your account data is retained while your account is active. You may request deletion at any time.

Backups: Backup copies may be retained for up to 90 days after deletion for disaster recovery purposes.

Access: You can request a copy of all personal data we hold about you.

Correction: You can update your account information at any time.

Deletion: You can request deletion of your account and all associated data by emailing us.

Portability: You can export your scan reports in PDF format from the scan details page.

Encryption: All data is transmitted over HTTPS. Database data is encrypted at rest.

Access control: Access to production data is restricted to authorized personnel only.

Breach notification: In the event of a data breach affecting your personal information, we will make reasonable efforts to notify affected users promptly.

Data processing: Your data may be processed and stored in countries outside your own, including the United States, through our infrastructure and service providers (such as Supabase and Vercel). By using the Service, you consent to this transfer. We ensure all providers maintain appropriate security standards.

Age restriction: The Service is not directed at children under 13. We do not knowingly collect personal information from anyone under 13. If we become aware we have collected such data, we will delete it immediately.

Updates: We may update this Privacy Policy from time to time. We will notify you of material changes by email or in-app notice. Continued use of the Service after changes constitutes acceptance.

Privacy questions: For any privacy-related questions, data requests, or to exercise your rights, contact us at hello@redblueqa.com.