Privacy Policy

Last updated: October 21, 2025
Effective date: October 21, 2025

1. Introduction

Bugzy AI ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

Data Controller: Cloud Automation Solutions
Registration Number (EIK): 203094836
Registered Address: Bulgaria, Sofia, 1797, 131-VA str. 1B
Contact Email: privacy@bugzy.ai

This policy complies with the EU General Data Protection Regulation (GDPR), the Bulgarian Personal Data Protection Act (PDPA), and other applicable data protection laws.

2. Information We Collect

As a B2B autonomous QA testing platform, we collect various types of data to provide our service:

2.1 Account Information

  • Email Address: Your professional email address for account creation and communication
  • Name: Your name for personalization (if provided)
  • Authentication Data: Encrypted passwords or OAuth tokens for secure access

2.2 Access to Your Systems (Read-Only)

When you authorize Bugzy AI to connect with your development tools, we gain read-only access to:

  • Documentation systems: Product documentation, API docs, README files
  • Issue tracking systems: Bug reports, feature requests, user stories
  • Communication systems: Team discussions, support tickets, feedback
  • Code repositories: Repository structure, commit history (for context)

Important: We read this data to understand your product and generate test plans, but we do not permanently store the raw content from these systems. We only store the generated test plans and test cases we create.

2.3 Test Execution Data

  • Test Results: Pass/fail status, execution logs, error messages
  • Screenshots: Visual captures during test execution
  • Video Recordings: Screen recordings of test runs (when enabled)
  • Performance Metrics: Load times, response times, resource usage

2.4 Generated Content

  • Test Plans: AI-generated testing strategies based on your product
  • Test Cases: Automated test scenarios we create
  • Bug Reports: Issues identified during testing

2.5 Usage and Technical Data

  • Usage Analytics: Features used, frequency of use (with consent)
  • Technical Information: IP address, browser type, device information
  • Integration Credentials: Encrypted API keys for third-party integrations

3. Purpose of Data Collection

We process your personal data for the following purposes:

3.1 Service Delivery (Contract Performance)

  • Account Management: Creating and managing your account
  • Test Generation: Reading your documentation and systems to create intelligent test plans
  • Test Execution: Running automated tests on your applications
  • Results Delivery: Providing test results, screenshots, videos, and bug reports
  • Integration Management: Connecting to your GitHub, Slack, and other development tools

3.2 Communication (Legitimate Interest)

  • Service Updates: Informing you about new features and improvements
  • Technical Notifications: Alerting you to test failures, bugs found, or system issues
  • Support: Responding to your questions and providing assistance

3.3 Service Improvement (Consent)

  • Analytics: Understanding how you use our platform to improve it (only with your consent)
  • AI Training: Improving our test generation algorithms (using anonymized data only)

3.4 Security and Legal Compliance (Legitimate Interest & Legal Obligation)

  • Security: Detecting and preventing fraud, abuse, and security threats
  • Legal Compliance: Meeting our obligations under Bulgarian and EU law
  • Data Retention: Maintaining records as required by law

We do not: Sell your data to third parties, use your data for unrelated marketing, or share your confidential business information.

4. Legal Basis for Processing

Under GDPR Article 6, we process your personal data based on the following legal grounds:

Data Type | Legal Basis | Explanation
Account Information | Contract (Art. 6(1)(b)) | Necessary to provide the service
System Access (Read-Only) | Contract (Art. 6(1)(b)) | Required to generate test plans
Test Execution Data | Contract (Art. 6(1)(b)) | Core service functionality
Analytics (Optional) | Consent (Art. 6(1)(a)) | You can opt-out anytime
Security Logs | Legitimate Interest (Art. 6(1)(f)) | Protecting our systems and users
Financial Records | Legal Obligation (Art. 6(1)(c)) | Bulgarian tax law (when applicable)

For B2B customers, we act as a data processor when processing data from your systems (documentation, issues, etc.), and you remain the data controller. You are responsible for ensuring you have the right to grant us access to this data.

5. Data Storage and Security

5.1 Data Location

All your data is stored exclusively within the European Union:

  • Vercel (EU Region): Web hosting and edge computing
  • Supabase (EU Region): Database and authentication
  • Google Cloud Storage (EU): File storage for screenshots, videos, and logs
  • Google Cloud Run (EU): Compute infrastructure for test execution

We do not transfer your data outside the European Economic Area (EEA).

5.2 Security Measures

We implement industry-standard security practices to protect your data:

  • Encryption in Transit: All data transmitted using TLS 1.3+ (HTTPS)
  • Encryption at Rest: Database and file storage are encrypted
  • Password Security: Passwords are hashed using bcrypt with salt
  • Access Control: Role-based access control (RBAC) for team data
  • API Security: OAuth 2.0 for integrations, encrypted API keys
  • Infrastructure Isolation: Each customer's data is isolated in separate environments
  • Regular Updates: Security patches applied promptly
  • Monitoring: 24/7 automated security monitoring and alerts

5.3 Data Breach Notification

In the unlikely event of a data breach, we will:

  • Notify the Bulgarian CPDP within 72 hours (as required by GDPR Article 33)
  • Notify affected customers within 24 hours via email
  • Provide details about the breach, impact, and remediation steps
  • Take immediate action to contain and resolve the breach

6. Data Retention

We retain your data only as long as necessary to provide our service and meet legal obligations:

Data Type | Retention Period | Reason
Active Account Data | While account is active | Service provision
Deleted Account Data | 30 days after deletion | Recovery period
Backup Data | Maximum 90 days | Disaster recovery
Test Results | Configurable per project (default 1 year) | Historical analysis
Execution Logs | 90 days | Debugging and support
Security Logs | 1 year | Security auditing
Financial Records | 5 years | Bulgarian tax law (when applicable)
Analytics (Anonymized) | 2 years | Service improvement

Account Deletion Process: When you delete your account, we immediately mark it for deletion and stop all processing. Your data is permanently deleted after 30 days, except for data we are legally required to retain (e.g., financial records for tax purposes).

Right to Deletion: You can request immediate deletion of your data at any time by contacting privacy@bugzy.ai. We will process deletion requests within 30 days.

7. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

  • Right to Access: You can request a copy of the personal data we hold about you. Email privacy@bugzy.ai with your request, and we will provide a complete data export within 30 days.
  • Right to Rectification: You can request correction of inaccurate personal data by contacting privacy@bugzy.ai.
  • Right to Erasure ("Right to be Forgotten"): You can request deletion of your personal data using the account deletion feature in your team settings or by emailing privacy@bugzy.ai.
  • Right to Restrict Processing: You can request that we limit the processing of your personal data.
  • Right to Data Portability: You can request your data in a structured, commonly used format (JSON/CSV). We will process export requests within 30 days.
  • Right to Object: You can object to the processing of your personal data, particularly for analytics (which you can disable via cookie settings).
  • Right to Withdraw Consent: Where processing is based on consent, you can withdraw it at any time through your account settings or by contacting us.

How to Exercise Your Rights: To exercise any of these rights, please contact us at privacy@bugzy.ai. We will respond within 30 days as required by GDPR. For account deletion and data export requests, you can also use the features available in your team settings.

8. Data Sharing and Sub-Processors

8.1 We Do Not Sell Your Data

We do not sell, rent, or trade your personal information to third parties for marketing purposes. Your data is yours.

8.2 Sub-Processors (Service Providers)

We use carefully selected sub-processors to help us provide our service. All sub-processors are bound by Data Processing Agreements (DPAs) and process data only as instructed:

Provider | Purpose | Location | GDPR Compliance
Vercel Inc. | Web hosting, edge computing, analytics | EU Region | EU infrastructure, DPA
Supabase Inc. | Database, authentication | EU Region | EU infrastructure, DPA
Google Cloud Platform | File storage, compute infrastructure | EU Region | EU infrastructure, DPA

We maintain a complete list of our sub-processors and will notify you of any changes. You can view the full list at any time by contacting privacy@bugzy.ai.

8.3 Legal Disclosures

We may disclose your information only when required by law:

  • Legal Obligations: To comply with court orders, subpoenas, or legal processes
  • Protection of Rights: To enforce our Terms of Service or protect our rights and property
  • Safety: To protect the personal safety of users or the public
  • Fraud Prevention: To detect, prevent, or address fraud and security issues

We will notify you of legal requests unless prohibited by law.

8.4 Business Transfers

If Bugzy AI is involved in a merger, acquisition, or asset sale, your personal data may be transferred. We will provide notice and ensure the new entity is bound by this Privacy Policy.

9. Cookies and Tracking

We use a minimal cookie approach to respect your privacy while providing essential functionality and improving our service.

Essential Cookies

We use essential cookies that are necessary for the operation of our service. These include authentication cookies (to keep you logged in securely) and a cookie consent preference cookie (to remember your cookie choices). These cookies do not require consent as they are strictly necessary for the service to function.

Analytics Cookies (Optional - Require Consent)

With your consent, we use privacy-friendly analytics to understand how visitors use our website and improve your experience:

  • Vercel Analytics: Uses a cookieless approach with privacy-friendly hashing (IP address + user agent) that is automatically discarded after 24 hours. No persistent tracking cookies are set.
  • Vercel Speed Insights: Monitors website performance and Core Web Vitals to ensure fast loading times. Session-based only, no persistent cookies.

Even though these services are cookieless, they process your IP address and browser information, which is considered personal data under GDPR. We therefore request your explicit consent before enabling these analytics.

Managing Your Cookie Preferences

You have full control over analytics cookies. When you first visit our website, you'll see a cookie consent banner where you can accept, reject, or customize your preferences. You can change your cookie preferences at any time by:

  • Clicking "Cookie Settings" in the website footer
  • Visiting our Cookie Policy page

For detailed information about all cookies we use, please see our Cookie Policy.

10. Children's Privacy

Our service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16.

11. International Data Transfers

All your data is processed and stored exclusively within the European Union. We do not transfer your data outside the EEA.

If we ever need to transfer data outside the EEA in the future, we will:

  • Notify you in advance
  • Ensure appropriate safeguards are in place (Standard Contractual Clauses)
  • Obtain your explicit consent if required
  • Update this Privacy Policy accordingly

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.

13. Contact Information

If you have any questions about this Privacy Policy or our data practices, please contact us:

Data Controller: Bugzy AI
Email: privacy@bugzy.ai

14. Supervisory Authority

If you have concerns about how we handle your personal data, you have the right to lodge a complaint with the Bulgarian data protection authority:

Commission for Personal Data Protection (CPDP)
Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria
Website: https://cpdp.bg
Email: kzld@cpdp.bg
Phone: +359 2 91 53 518

As an EU citizen, you may also contact the data protection authority in your country of residence.

However, we encourage you to contact us first at privacy@bugzy.ai so we can address your concerns directly.