Privacy Policy

At BugEater, accessible from https://bugeater.web.app/, one of our main priorities is the privacy of our visitors. This Privacy Policy document contains types of information that is collected and recorded by BugEater and how we use it.

This Privacy Policy applies only to our online activities and is valid for visitors to our website with regards to the information that they shared and/or collect in BugEater. This policy is not applicable to any information collected offline or via channels other than this website.

Data Controller

The data controller responsible for your personal data is:

• Company: jLogic Software Anatolii Merezhanyi
• NIP (Tax ID):PL8952232325
• Address: 50-231 Wrocław, Zakładowa 18/34, Poland
• Email: jschoolpl@gmail.com

If you have any questions about how your personal data is processed or wish to exercise your rights, please contact us at the email address above.

Consent

We distinguish between two types of consent:

1. Terms acceptance — required to create an account and use the Service. By creating an account you agree to our Terms and Conditions and this Privacy Policy.
2. Analytics consent — optional. We ask separately whether you consent to optional Google Analytics 4 (GA4) tracking. You can accept or reject analytics at any time without affecting your access to the Service.

Analytics cookies and tracking are not loaded until you explicitly accept them. You may change your analytics preference at any time via the Cookie Preferences link in the footer of any page or in your Account settings.

Information we collect

When you register for an Account, we collect:

• Email address — used to create and identify your account, and for transactional communications (password reset, subscription notifications, etc.)
• Nickname — a display name chosen by you during registration
• Optional profile data — such as avatar URL and display name, which may be pre-populated if you register via a third-party provider (Google or GitHub)

If you contact us directly (e.g. by email), we may receive the contents of your message and any attachments you choose to send. We do not collect phone numbers or postal addresses.

How we use your information

We use the information we collect for the following purposes, with the legal basis for each:

• Account creation, authentication, and access control — Legal basis: performance of a contract (Art. 6(1)(b) GDPR)
• Personalisation — displaying your nickname, avatar, and learning progress — Legal basis: performance of a contract (Art. 6(1)(b) GDPR)
• Transactional communications — password reset emails, subscription notifications — Legal basis: performance of a contract (Art. 6(1)(b) GDPR)
• Analytics and product improvement — understanding how the Service is used (only with your explicit analytics consent) — Legal basis: consent (Art. 6(1)(a) GDPR)
• Security and fraud prevention — server log analysis, rate limiting, CSRF protection — Legal basis: legal obligation and legitimate interests (Art. 6(1)(c) and Art. 6(1)(f) GDPR)

Data Retention

We retain personal data only as long as necessary for the purposes described in this policy:

• Account data — retained for the duration of your account. Upon account deletion, personal data is removed within 30 days, except where retention is required by law.
• Unconfirmed registrations — if you register with an email address but do not confirm it within 30 days, your registration record is permanently deleted from the authentication system without prior notification. No personal data beyond your email address is held at this stage. You may register again at any time. Legal basis: data minimisation (GDPR Art. 5(1)(e)).
• Inactive accounts — accounts that have not been signed into for 12 months and do not hold an active paid subscription are automatically deleted. You will receive two email warnings before deletion: a first notice 30 days in advance and a final notice 7 days in advance. Signing in at any time before the deletion date cancels the process. You can export your data at any time via the Privacy & Data section of your account settings. Premium subscribers are exempt from automatic deletion. Legal basis: data minimisation (GDPR Art. 5(1)(e)) and legitimate interest (Art. 6(1)(f)).
• Session data — access tokens expire after 1 hour; refresh tokens expire after 30 days.
• Google Analytics 4 data — retained for up to 14 months on Google's servers (as configured in our GA4 property). Governed by Google's data retention policies.
• Server log files — retained for 90 days, then automatically deleted.
• Billing records — retained for 7 years in accordance with Polish accounting law (Art. 74 of the Accounting Act).

Server Log Files

BugEater's servers automatically record standard HTTP request data for security monitoring and operational purposes. This includes IP addresses, browser type, Internet Service Provider (ISP), date and time stamp, and referring/exit pages. These logs are not linked to your account identity.

Legal basis: legitimate interests (Art. 6(1)(f) GDPR) — maintaining the security and integrity of the Service.

Retention: server log files are retained for 90 days and then automatically deleted.

Server logs are separate from Google Analytics 4 (GA4) tracking. GA4 is an optional analytics tool that is loaded only with your explicit consent — see the "Cookies and Local Storage" section below.

Cookies and Local Storage

We use the following types of cookies and browser storage:

Strictly Necessary (always active)

These are required for the Service to function and cannot be disabled:

• __session — stores your login session token (HTTP-only cookie; required for authenticated access)
• BE_REFRESH_TOKEN — stores the refresh token used to silently renew your session without re-entering credentials (HTTP-only cookie; expires after 30 days)
• XSRF-TOKEN — protects against cross-site request forgery attacks
• BE_LANG — stores your language preference
• BE_THEME — stores your theme preference (light/dark)

Functional localStorage entries (QA Trainer companion app, if used):

• Language selection, learning progress, tour state, and challenge state stored in localStorage. These are strictly necessary for the app's functionality and cannot be disabled.

Optional Analytics Cookies (loaded only with your consent)

• Google Analytics 4 (GA4) — We use GA4 to understand how the Service is used (page views, navigation patterns, feature engagement). GA4 sets cookies and uses local storage to track anonymous usage data. This data helps us improve BugEater. GA4 is loaded only after you explicitly click "Accept All" in the cookie banner or accept analytics in your Account settings.

  Legal basis: consent (Art. 6(1)(a) GDPR).

  You may withdraw this consent at any time by clicking "Cookie Preferences" in the footer and selecting "Reject All", or by changing the analytics toggle in your Account settings. Withdrawing consent prevents future GA4 data collection; it does not affect data already collected.

International Data Transfers

Google Analytics 4 is operated by Google LLC, based in the United States. When you consent to analytics, your usage data may be transferred to and processed on servers located outside the European Economic Area (EEA), including in the United States. Google relies on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for these transfers. For more information, see Google's privacy policy.

Analytics Consent Key

We store your analytics decision in localStorage under the key analytics_consent with value accepted or rejected. For registered users, this preference is also saved in our database so we can display your current choice in Account settings.

Payment Processing Cookies (loaded only when making a purchase)

We use Stripe to process payments. When you initiate a payment, Stripe may set cookies and use local storage for fraud detection and secure transaction processing. These cookies and storage entries are set and controlled by Stripe, not by BugEater.

Legal basis: legitimate interest (Art. 6(1)(f) GDPR) — prevention of fraudulent transactions and secure payment processing.

For more information, see Stripe's Privacy Policy.

Your Choices

• Withdraw analytics consent — Click "Cookie Preferences" in the footer at any time and select "Reject All".
• Change consent in account settings — Go to Account → Analytics & Cookies and toggle the setting off.
• Delete cookies via browser — You may delete all cookies through your browser settings. Note that deleting session cookies will log you out.
• Browser opt-out — You can install the Google Analytics Opt-out Browser Add-on to prevent GA4 data collection across all sites.

Third-Party Login Providers

BugEater allows you to register and sign in using your existing Google or GitHub account. When you choose to authenticate via one of these providers, the following applies.

Providers and data received

We request only the minimum scopes required to authenticate you and pre-populate your BugEater profile. We do not request access to your contacts, calendar, repositories, or any other resources beyond basic identity and email.

How we use the data

Provider-sourced data is used solely to create or update your BugEater account (nickname, display name, avatar). Your provider password is never shared with or accessible by BugEater — token exchange is handled by Supabase Auth acting as the OAuth intermediary.

Legal basis: performance of a contract (Art. 6(1)(b) GDPR) — processing is necessary to fulfil the account creation and login service you requested.

International data transfers

OAuth tokens are exchanged via Supabase Auth (Supabase Inc., US). Supabase relies on Standard Contractual Clauses (SCCs) approved by the European Commission as the mechanism for transferring personal data outside the EEA. For details see the Supabase Privacy Policy.

Revoking provider access

You can revoke BugEater's access to your provider account at any time without deleting your BugEater account:

• Google — visit Google Account Permissions
• GitHub — visit GitHub Authorized OAuth Apps

Revoking provider access prevents future sign-in via that provider. Your existing BugEater account data is not automatically deleted; to request account deletion contact us at jschoolpl@gmail.com.

Third Party Privacy Policies

BugEater's Privacy Policy does not apply to other websites. We advise you to consult the respective Privacy Policies of any third-party services you use in connection with BugEater.

Payments and Billing Information

When you purchase a subscription or one-time access through BugEater, your payment is processed by Stripe, Inc. ("Stripe"), our third-party payment processor. We do not store or have access to your full card number, CVV, or bank details — these are processed and encrypted directly by Stripe in accordance with PCI-DSS standards.

We retain the following billing records for accounting and legal compliance:

• Transaction ID (assigned by Stripe)
• Amount charged and currency
• Date and time of the transaction
• Subscription status (active, cancelled, past due)

No full payment card number, CVV, or bank account details are ever retained by BugEater. These records are retained for 7 years in accordance with Polish accounting law (Art. 74 of the Accounting Act).

Your payment information is governed by Stripe's Privacy Policy. By making a payment, you also agree to Stripe's Services Agreement.

GDPR Data Protection Rights

We would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following:

• Right to access — You have the right to request copies of your personal data.
• Right to rectification — You have the right to request that we correct inaccurate information or complete incomplete information.
• Right to erasure — You have the right to request that we erase your personal data, under certain conditions.
• Right to restrict processing — You have the right to request that we restrict the processing of your personal data, under certain conditions.
• Right to object to processing — You have the right to object to our processing of your personal data, under certain conditions.
• Right to data portability — You have the right to request that we transfer your data to another organization or directly to you, under certain conditions.
• Right to withdraw consent — Where processing is based on consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.

To exercise any of these rights, please contact us at jschoolpl@gmail.com. We will respond within one month.

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. In Poland, the supervisory authority is the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland (uodo.gov.pl).

CCPA Privacy Rights (California Residents)

BugEater does not sell personal data to third parties.

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

• Right to know — You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, and the purposes for which we use it.
• Right to delete — You have the right to request that we delete personal information we have collected from you, subject to certain exceptions.
• Right to non-discrimination — We will not discriminate against you for exercising any of your CCPA rights.

To exercise your California privacy rights, contact us at jschoolpl@gmail.com.

Data Processors

We use the following third-party data processors to operate the Service. Each processor acts on our documented instructions and is contractually bound to protect your personal data:

For details on how each processor handles your data, refer to their respective privacy policies: Supabase Privacy Policy · Google Privacy Policy · GitHub Privacy Statement · Stripe Privacy Policy

Disclosure of Your Personal Data

Business Transactions

If jLogic Software Anatolii Merezhanyi is involved in a merger, acquisition or asset sale, your Personal Data may be transferred. We will provide notice before your Personal Data is transferred and becomes subject to a different Privacy Policy.

Law enforcement

Under certain circumstances, the Company may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).

Security of Your Personal Data

The security of your Personal Data is important to the Company, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.

Children's Privacy

Our Service is not directed to anyone under the age of 16. We do not knowingly collect personally identifiable information from anyone under the age of 16. The minimum age to use BugEater is 16, in accordance with GDPR Art. 8 and applicable Polish law.

If you are a parent or guardian and you become aware that your child under the age of 16 has provided us with personal data, please contact us at jschoolpl@gmail.com. If we become aware that we have collected personal data from anyone under 16 without parental consent, we will take steps to remove that information promptly.

Links to Other Websites

Our service may contain links to other websites that are not operated by us. We strongly advise you to review the Privacy Policy of every site you visit.

Changes to this Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date below.

Contact Us

If you have any questions about this Privacy Policy, You can contact us:

• By email: jschoolpl@gmail.com
• Data Controller: jLogic Software Anatolii Merezhanyi, 50-231 Wrocław, Zakładowa 18/34, Poland

Sub-Processors

We use the following sub-processors to operate the platform:

Last updated: May 30, 2026