Legal
userbugs.ai — Privacy Policy
Last updated: 2026-03-15 · Contact: legal@userbugs.ai
Data Controller
Cicure ApS (under formation)
Copenhagen, Denmark
legal@userbugs.ai
This policy applies to the userbugs.ai beta platform.
What We Collect
Account and waitlist data
If you sign up for the waitlist or create a beta account, we collect your email address. That’s it. We don’t ask for your name, company, or any other personal information unless you volunteer it.
Usage analytics
We currently collect no usage analytics.No page view tracking, no session recording, no heatmaps. This may change in future — if it does, we’ll update this policy and notify you.
What we explicitly do NOT collect
- No tracking pixels
- No third-party analytics (no Google Analytics, Mixpanel, Amplitude, etc.)
- No ad network integrations
- No fingerprinting
Bug Report Data
The bug reports on userbugs.ai are aggregated from publicly available sources — public forums, community discussion sites, review pages, and public issue trackers. The specific sources we draw on and how we discover them are proprietary.
We do not store the original source text. Our pipeline processes source content through AI and stores only structured, AI-synthesised bug metadata — title, severity, affected version, category, and similar fields. The audit trail for every processed item records rawTextStored: false. This is a deliberate architectural decision, not an oversight.
This means we hold synthesised facts about software products — not copies of what people wrote. This significantly reduces our exposure under EU copyright and database rights law, and limits the personal data footprint of the pipeline.
User Submissions
If you submit a bug report through the platform:
- Unauthenticated / anonymous: the submission is stored with
user_id: null. We have no way to link it to you. - Authenticated:the submission is linked to your account. You can request anonymisation at any time — we’ll set
user_idto null, removing the attribution. The bug data itself is preserved (it’s a public interest record), but it will no longer be associated with your account.
Cookies
We use a single session cookie:
- Purpose: keeping you logged in
- Type: HttpOnly, SameSite=Lax
- TTL: 30 days
- Third-party cookies: none
No tracking cookies. No consent banner needed for the session cookie under Danish/EU law, but we’re telling you anyway.
Legal Basis (GDPR Art. 6)
| Activity | Legal basis |
|---|---|
| Bug report aggregation from public sources | Legitimate interests (Art. 6(1)(f)) — providing accurate product information to the public |
| Account creation | Consent (Art. 6(1)(a)) — you choose to create an account |
| Waitlist signup | Consent (Art. 6(1)(a)) — you choose to join |
Data Processors (GDPR Art. 28)
We use a limited number of sub-processors. Each is listed below with the legal name, purpose, data processed, and a link to their Data Processing Agreement (DPA) or equivalent.
| Processor | Legal name | Purpose | Data processed | DPA |
|---|---|---|---|---|
| Clerk | Clerk Technology, Inc. | User authentication, session management, and bot protection (Turnstile CAPTCHA) | Email address, IP address, session token | Clerk DPA |
| Google Cloud / Vertex AI | Google LLC | AI inference for bug report synthesis and pipeline processing | Structured bug metadata; no raw personal data is forwarded to Vertex AI | Google Cloud DPA |
| Cloudflare | Cloudflare, Inc. | DDoS protection, CDN, and bot detection (via Turnstile integrated with Clerk) | IP address, request headers | Cloudflare DPA |
| Azure | Microsoft Ireland Operations Limited | Cloud infrastructure hosting our Elasticsearch cluster | All stored user and bug data (see below) | Microsoft DPA |
Note on Google Cloud: Cicure’s Google Cloud DPA was accepted at the time the GCP account was created. The DPA is Google’s standard Data Processing Amendment and covers all GCP services, including Vertex AI.
All processors listed above are contractually bound to Cicure under GDPR Art. 28 Data Processing Agreements. Where a processor transfers data outside the EU/EEA, they rely on Standard Contractual Clauses (SCCs) or an adequacy decision as the legal transfer mechanism.
If you have questions about a specific sub-processor, contact legal@userbugs.ai.
Data Storage and Transfers
All data is stored in our Elasticsearch cluster hosted on Azure Germany West Central (Frankfurt region). This is an EU data centre. We do not transfer personal data outside the EU/EEA.
Data Retention
| Data type | Retention |
|---|---|
| Account data (email, session) | Until you request deletion |
| Waitlist email | Until beta closes or you request deletion |
| Anonymous bug submissions | Indefinitely (no personal data attached) |
| Authenticated bug submissions | Linked to account until anonymisation or deletion request |
Your Rights (GDPR Art. 15–22)
You have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate data
- Erasure — request deletion of your account and personal data
- Portability — receive your data in a machine-readable format
- Restriction — ask us to limit processing while a dispute is resolved
- Object — object to processing based on legitimate interests
To exercise any of these rights, email legal@userbugs.ai. We’ll respond within 30 days (the GDPR maximum).
If you’re not satisfied with our response, you have the right to lodge a complaint with Datatilsynet (the Danish Data Protection Authority): datatilsynet.dk
Changes to This Policy
We’ll notify beta users by email if we make material changes. The “last updated” date at the top will always reflect the current version.
Questions
Email legal@userbugs.ai. We’re a small team and we take this seriously. See also our Beta Terms of Service and Methodology.