Privacy Policy
Effective date: 15 July 2026 · Version 1
This Privacy Policy explains how BugLoop, a product of Pixeled ("we", "us"), collects, uses, and protects personal data when you use the BugLoop app. BugLoop is a shared bug-tracking service: a developer invites you to their workspace, and their clients report problems and ideas through a private share link. We collect as little data as possible: only what is needed to provide the service.
1. Who we are
The controller for the platform data described here is Pixeled, established in the Netherlands, registered with the Dutch Chamber of Commerce (KVK) under number 99063093, VAT number NL003008030B18, at Beeldsnijdersgaarde 30, 2542EM The Hague. For privacy questions or requests, contact info@pixeled.solutions. The developer who invited you or gave you a report link decides what to report and receives your reports; for questions about a specific project, contact that developer.
2. What personal data we collect
BugLoop has two kinds of user: developers, who hold an account, and their clients, who report through a share link without an account. We collect:
- Developer account data: email address, password (stored only as an Argon2id hash), your name and company/agency name (if you provide them), language and theme preference, and authentication data.
- Report content: what a reporter types (the original wording and the structured fields derived from it: title, steps, expected and actual behaviour, and, for ideas, the motivation), the category (a bug or a feature request), and any clarifying questions and answers exchanged about it.
- Screenshots and evidence: the images a reporter uploads, pastes, or captures. These are re-encoded on upload, which strips embedded metadata including EXIF GPS location before storage.
- Lifecycle data: the timeline of a report (who reported, confirmed, asked, answered, fixed, or closed it, and when) and any comments added.
- Technical context: basic information captured with a report to help reproduce it: browser, operating system, screen size, timezone, and timestamp.
- Technical and security data: information derived from the IP address, used temporarily for rate limiting and abuse prevention.
3. How we use your data and our legal bases
We process your data to:
- provide the service (authenticate developers, structure and store reports, run the report-to-fix loop, and make reports available to the relevant developer) — legal basis: performance of our contract with the developer, and our legitimate interest in operating the reporting channel that developer offers to their clients.
- keep the service safe and prevent abuse (rate limiting, input validation, audit trail) — legal basis: our legitimate interest in a safe, reliable service.
- comply with the law — legal basis: legal obligation.
BugLoop does not sell your personal data, does not use your reports or screenshots for advertising, and does not use them to train AI models. Payments for BugLoop are arranged off-platform between Pixeled and the developer; we do not collect card or bank details in the app.
4. AI processing
To turn a plain-language report into a structured, reproducible one, the report text and any attached screenshots are sent server-side to Mistral AI, an EU-hosted provider, under a data-processing agreement. This happens only when a reporter submits or refines a report, and solely to produce that structured result and the clarifying questions. API keys are never exposed to your browser. The assistant is constrained not to invent reproduction steps, but AI-generated output can still be inaccurate or incomplete; what that means for your use is set out in our Terms and Conditions. A developer can turn AI intake off for their workspace, in which case reports are captured manually and no report content is sent to Mistral.
5. Sub-processors
We use a limited number of vetted processors:
- Mistral AI (EU) — structuring reports and generating clarifying questions.
- Scaleway (EU) — hosting, database, private object storage of screenshots, and transactional email (for example password-reset messages).
6. Screenshots and evidence
Screenshots are stored in a private object-storage bucket that has no public access. They are never served from a public URL: the developer and any authorised AI agent only ever see them through short-lived signed links (minutes for the interface, up to an hour inside an AI brief), after which the link expires. On upload every image is re-encoded, which validates that it really is an image and removes embedded metadata, including EXIF GPS coordinates. Please avoid capturing information you do not need in a screenshot, such as other people’s personal data on screen.
7. Storage and security
Reports and screenshots are stored on Scaleway’s database and object storage within the European Union. Connections are encrypted in transit, and data is encrypted at rest by the provider. Please note: this is not end-to-end encryption: to show a report to the developer and to structure it, our systems and the AI provider need access to its text and images. Passwords are hashed with Argon2id; session tokens, password-reset tokens, invite codes, and client share keys are stored only in hashed form, and each is shown once when created. Access to production systems is restricted.
8. Retention periods
We keep a developer’s account data for as long as the account is active. Reports and their screenshots are kept for as long as the project they belong to exists. When a project is deleted it enters a 30-day undo window, after which the project, its reports, and its screenshots are removed. When a developer account is closed, its projects and their data are removed on the same basis. Content-free operational and security records may be retained without an identifying link to you. Backups are rotated on a limited schedule.
9. International transfers
BugLoop is hosted in the European Union (Scaleway), and our core processors operate within the EU/EEA, so your data is processed in the EU. Where a processor’s supporting infrastructure involves a transfer outside the EEA, it is covered by appropriate safeguards such as Standard Contractual Clauses.
10. Your rights
Under the GDPR you have the right to access, rectify, erase, restrict, and port your personal data, and to object to certain processing. Where processing is based on consent, you may withdraw it at any time. Because a developer decides what is reported in their workspace, the fastest route for a client is often to contact the developer who gave you the report link. You can also contact us at info@pixeled.solutions, and we will help or route your request appropriately. You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
11. Cookies
We use only the necessary cookies and local storage needed to keep developers signed in and to remember your language and light/dark preference. We do not use third-party tracking or advertising cookies and do not follow you across other websites.
12. Children
BugLoop is a professional tool and is not intended for children. You must be at least 16 years old to create an account.
13. Changes to this policy
We may update this Privacy Policy. When we publish a material change, developers will be asked to review it at their next sign-in, and the version accepted is recorded.
14. Contact
For privacy questions or to exercise your rights, contact info@pixeled.solutions.