Privacy Policy
Draft — review before publishing
This is a template describing how the hosted Dungbeetle service handles data, written to match what the software actually stores. It is not legal advice. Have qualified counsel review it, and replace every [bracketed placeholder], before publishing it as your binding policy.
Operator: [Operator legal entity] ("we", "us") Effective date: [DATE]Contact: [privacy@your-domain]
This policy explains what personal data the hosted Dungbeetle Cloud service ("the Service") collects, why, how long we keep it, and the choices you have.
Scope: hosted service only
This policy covers the managed service we operate at [your-domain]. It does not apply when you self-host Dungbeetle: there, the data never reaches us — you are the operator and the data controller, and your own privacy practices apply. Self-hosting is the intended path for teams that need to keep all snapshot data inside their own infrastructure.
What we collect
We collect only what's needed to run the Service.
Account and authentication data
- Account profile — your name and email address.
- Teams and membership — the teams you belong to (each has a name), your role in them, and any pending email invitations you send or receive.
- Credentials — for email/password sign-in we store only a scrypt hash of your password, never the password itself. For Sign in with Google/GitHub we store the provider name and your provider account identifier, not your provider password.
- Email verification status and the tokens used for email verification and password reset (short-lived).
- API tokens and repository credentials — API tokens are stored as a SHA-256 hash (we keep an optional label, last-used time, and optional expiry, never the plaintext token). Each repository (owned by a team) has a
client_idand a hashedclient_secret. - Sessions — an opaque, expiring session identifier set as a cookie when you sign in. Your API token itself never enters the browser.
Content you upload
When you push to the Service, you send:
- Run reports — the structured snapshots your tests produce (e.g. captured DOM, terminal output, semantic diffs) plus metadata such as branch and commit.
- Baseline snapshots — versioned reference snapshots per target.
- Screenshots — image artifacts attached to runs/baselines.
Important: this content is whatever your application renders. It can contain personal data or secrets from your own systems. You control what you capture and upload — see Your responsibilities. We treat all uploaded content as confidential to your account and never use it to train models or for any purpose other than providing the Service to you.
Billing data
If you subscribe to a paid plan, payment is processed by Stripe. We store your Stripe customer identifier, plan, and subscription status. We do not store your full card details — those are handled by Stripe under their own terms.
Usage and operational data
- Usage metering — snapshot counts and storage totals used to enforce plan limits and show your usage.
- Audit and security logs — security-relevant events (sign-in success/failure, API auth failures and rate-limiting, repository and token lifecycle, secret rotation, review decisions) recorded with the acting account, an IP address, a timestamp, and the outcome. These never contain secrets.
- Server logs — standard operational logs needed to run and debug the Service.
- Roadmap rankings — your personal ordering of roadmap items (which feeds the community ranking), and any items you suggest.
We do not use advertising trackers or sell personal data.
Why we use it (purposes)
- Provide, secure, and maintain the Service (authentication, tenant isolation, storing and serving your runs/baselines/screenshots).
- Enforce plan limits and bill paid plans.
- Detect, investigate, and prevent abuse and security incidents.
- Communicate with you about your account (verification, password reset, and essential service notices).
How long we keep it
Run history and its blobs (reports and screenshots) are automatically pruned after your plan's retention window:
Plan Run retention Free 14 days Starter 60 days Team 180 days Business 365 days Enterprise Custom Baseline history is append-only and kept while the repository exists, so your reference snapshots remain available.
Account, credential, and billing records are kept while your account is active and for as long as needed afterward to meet legal, tax, and security obligations.
Logs are retained for a limited operational/security window and then rotated.
Deleting your data
You are in control:
- Delete a repository to remove it and cascade-delete its runs, baselines, and screenshots.
- Revoke API tokens from Settings → API tokens, and rotate or remove a repository's push tokens from the repository's Settings → Tokens, at any time.
- Delete your account from Settings → Account (or by contacting
[privacy@your-domain]); we will delete or anonymize your personal data except where we must retain limited records (e.g. billing) by law.
Who we share it with (sub-processors)
We use a small set of providers to run the Service. Each processes data only to provide their function to us:
- Hosting / object storage —
[hosting + object-storage provider]stores the database and blobs. - Payments — Stripe, for subscriptions and billing.
- Email delivery —
[email provider, if configured], for verification and password-reset messages. - Sign-in providers — Google and/or GitHub, only if you choose OAuth sign-in.
We disclose data otherwise only when required by law or to protect the Service's security and rights. Maintain the current list at [link to sub-processor list].
Where data is processed
The Service is hosted in [region(s)]. If we transfer personal data across borders, we rely on appropriate safeguards [e.g. Standard Contractual Clauses].
How we protect it
- In transit: TLS for all client credentials, sessions, and uploads.
- At rest: passwords are scrypt-hashed; API tokens and client secrets are hashed; blobs can be sealed with AES-256-GCM and the underlying storage is encrypted.
- Isolation: every request is scoped to one repository/account; the Service is built and tested so one tenant cannot read another's runs, baselines, or screenshots.
- Defenses: a strict Content-Security-Policy, CSRF origin checks on state-changing actions, authentication rate-limiting, request-size limits, and audit logging.
No system is perfectly secure, but these are the controls we operate.
Your rights
Depending on where you live, you may have rights to access, correct, export, delete, or restrict the processing of your personal data, and to object or withdraw consent. Exercise them by emailing [privacy@your-domain]; we respond within the period required by applicable law. You may also have the right to complain to your local data-protection authority.
Your responsibilities
You decide what to capture and upload. Do not upload content you are not entitled to process, and avoid capturing unnecessary personal data or secrets in your snapshots (mask or normalize them in your test configuration). If you need to keep all data on your own infrastructure, self-host.
Children
The Service is not directed to children under [16], and we do not knowingly collect their personal data.
Changes to this policy
We may update this policy; material changes will be announced at [your-domain] and reflected in the effective date above. Continued use after a change means you accept the updated policy.
Contact
Questions or requests: [privacy@your-domain], [Operator legal entity and postal address].