BugScreen
Last updated · 12 May 2026

Privacy Policy

This Privacy Policy explains how Little Bird Solutions ("we", "us") collects, uses, and shares personal data in connection with BugScreen, the bug-reporting platform available at bugscreen.app and through our client SDKs (the "Service"). It applies to people who hold a BugScreen account ("Customers") and to the end users whose reports are submitted via a Customer's integration ("End Users").

1. Our role

For Customer account data (name, email, organisation), we act as a controller. For bug reports submitted through a Customer's SDK, the Customer is the controller of the personal data it contains and we act as a processor on its behalf. End Users with questions about a specific bug report should contact the Customer (the app or website operator) that collected it.

Our processor activities — including the subject matter, duration, nature, and purpose of processing, the categories of data and data subjects, our security commitments, sub-processor terms, and assistance with data-subject requests — are governed by our Data Processing Addendum (DPA), which forms part of the agreement between us and the Customer. A copy of the current DPA is available on request from contact@littlebirdsolutions.com and will be made available for signature where the Customer requires one.

2. Data we collect

Customer account data

  • name, work email, organisation name;
  • password (stored only as a salted hash);
  • console activity logs (IP, user agent, timestamps) for security and audit.

SDK-collected bug reports

When an End User submits a report through one of our SDKs, the SDK transmits to our backend:

  • the screenshot the End User chose to share;
  • the free-text description the End User wrote;
  • device metadata: operating system and version, device model, app version, SDK version, locale, and screen size;
  • an optional email address, if the End User chose to provide one;
  • the Customer's SDK key and a request timestamp.

The SDKs do not collect contact lists, precise location, microphone, or camera data beyond the single screenshot the End User has explicitly chosen to attach. The screenshot may incidentally contain personal data that is on-screen at the moment of capture; Customers are responsible for warning End Users about this.

Integration tokens

When a Customer connects a GitHub or Jira/Atlassian integration, we store the OAuth access and refresh tokens needed to create issues on the Customer's behalf. Tokens are stored encrypted at rest and used only to perform actions the Customer has authorised.

Cookies and analytics

The console uses a small number of strictly necessary cookies and local-storage items to keep you signed in and to remember UI preferences. We do not use third-party advertising or cross-site tracking cookies.

The console loads Vercel Web Analytics, a privacy-focused, cookieless analytics script provided by our hosting provider, to measure aggregate traffic (page views, country-level location, referrers, device class). It does not set tracking cookies and does not build cross-site profiles. See "Sub-processors" below.

3. How we use the data

  • to provide the Service: ingesting bug reports, storing screenshots, and forwarding issues to the Integrations a Customer has configured;
  • to operate Customer accounts: authentication and support;
  • to keep the Service secure: rate limiting, abuse detection, audit logging;
  • to improve the Service: aggregated and de-identified usage analysis;
  • to comply with legal obligations.

4. Legal bases (GDPR/UK GDPR)

For Customer account data we rely on:

  • Contract — to provide the Service you signed up for;
  • Legitimate interests — to secure the Service, prevent abuse, and improve it, balanced against your rights;
  • Legal obligation — to meet tax, accounting, and other regulatory requirements;
  • Consent — where we ask for it, e.g. for optional marketing.

For SDK-collected bug reports, the Customer chooses the legal basis applicable to its End Users; we process on the Customer's documented instructions as set out in our terms.

5. Where data is stored

The Service runs on Amazon Web Services. Customer Data is held in AWS DynamoDB tables (account records, organisation configuration, integration metadata, issue records) and AWS S3 (screenshot uploads). Data is processed in the AWS eu-west-2 (London) region. If we add additional regions, we will update this policy and the sub-processor list before doing so.

6. Sub-processors

We use the following categories of sub-processor to deliver the Service:

  • Amazon Web Services — backend hosting, database, screenshot storage;
  • Vercel Inc. — console hosting (CDN, edge runtime) and cookieless web analytics;
  • GitHub, Inc. and Atlassian Pty Ltd — only when a Customer connects them as Integrations and only for issues that Customer forwards.

The current list of named sub-processors — including the service each performs and the location of processing — is published at bugscreen.app/subprocessors and is kept up to date as our supplier mix changes.

7. Sharing

We share personal data only:

  • with the sub-processors above, under written contracts;
  • with the Integrations a Customer has connected (issues, attachments);
  • with our professional advisers (legal, accounting), under a duty of confidence;
  • where required by law, court order, or to protect rights and safety;
  • in connection with a corporate transaction (merger, acquisition, asset sale), in which case we will require the recipient to honour this policy.

We do not sell personal data.

8. International transfers

Some of the providers listed in the sub-processor section above may process data outside the UK and EEA, including in the United States. Where that happens, we rely on appropriate safeguards — typically the UK International Data Transfer Addendum or the EU Standard Contractual Clauses, together with any supplementary measures required — to keep the level of protection consistent with UK/EU law.

9. Retention

Deletion does not propagate to Integrations. When a bug report is forwarded to a third-party Integration (such as GitHub or Jira), a copy of the relevant data lives in that third party's system under the Customer's control. Deleting a bug report in BugScreen does not automatically remove copies already forwarded to those Integrations — the Customer must delete the corresponding issue in each Integration directly. End Users who wish to have an integration copy removed should contact the Customer.

  • Bug reports and screenshots are retained for as long as the Customer's organisation is active, or until the Customer deletes them, after which they are removed from primary storage within 30 days.
  • Customer account data is retained while the account is active and for up to 30 days after deletion, except where a longer period is required by law.
  • Encrypted backups are retained for up to 35 days on a rolling basis and then overwritten.
  • Security and audit logs are retained for up to 12 months.

10. Your rights

Depending on where you live, you may have the right to access, correct, delete, port, or restrict the processing of your personal data, and to object to processing based on legitimate interests. You can also withdraw consent at any time without affecting prior processing.

End Users: if you submitted a bug report through an app or website that uses BugScreen, please contact the operator of that app or website first; they are the controller of your report and can action your request through their BugScreen console.

Customers: you can exercise your rights by signing into the console or by emailing contact@littlebirdsolutions.com. You also have the right to lodge a complaint with a supervisory authority — in the UK, the Information Commissioner's Office.

11. Security

We protect personal data with technical and organisational measures appropriate to the risk, including TLS in transit, encryption at rest, hashed credentials, hashed SDK keys, least-privilege access to production systems, and access logging. No system is perfectly secure; if we become aware of a breach affecting your personal data we will notify you and the relevant authorities as required by law.

12. Children

The Service is not directed at children under 16 and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, please contact us so we can delete it.

13. Changes to this policy

We may update this policy as our practices change. If we make a material change, we will give reasonable notice via the console or by email. The "Last updated" date at the top of this page indicates when it was most recently revised.

14. Contact

Little Bird Solutions is the controller for Customer account data and is the point of contact for all questions about this policy: contact@littlebirdsolutions.com. See also our Terms of Service.