← Back to home

Privacy Policy

Last updated: April 27, 2026

BugBox is a Chrome extension and web dashboard operated by Bytamins ("we", "us") that lets you record voice and bounding-box annotations on web pages and pass them to AI coding agents. This page explains what we collect, how we use it, who we share it with, and the rights you have over your data. If anything here is unclear, email us at hello@bytamins.com.

What we collect

  • Account data— email address and name supplied by Google when you sign in with Google OAuth. We do not store passwords (we don't support email/password sign-in).
  • Team data — team name, members, and their roles.
  • Project data — project names, repository URLs, and URL patterns you provide.
  • Session content — for each recording session you create: the page URL, audio captured by your microphone, screenshots of the page (with the bounding box visible), the bounding-box coordinates, the React component name and visible text inside the box, and the transcript of the audio.
  • Usage data — minutes recorded per billing period, used to enforce plan quotas.
  • Activity events — a log of meaningful actions you take (signing in, starting a session, capturing a box, etc.), used for product analytics and the in-product activity feed.

We do notcapture passive screen recording, your keystrokes outside a session, or any pages you visit when BugBox isn't actively recording.

How we use it

  • To run the product (store sessions, render the dashboard, drive the MCP server your AI agent reads from).
  • To enforce plan quotas and bill paid plans.
  • To send transactional email (invitations, billing receipts, account-security notifications).
  • To debug and improve the service.

We do not sell your data, train AI models on your session content, or use your sessions for advertising.

Third-party services

Running BugBox requires sharing some data with these processors:

  • Google — for OAuth sign-in. Receives your email + name only when you first authenticate.
  • Supabase — primary data store (Postgres) + file storage (audio, screenshots, transcripts) + auth provider. Hosted in the United States.
  • Vercel — hosts the BugBox dashboard and APIs.
  • OpenAI — transcribes the audio of each session via the Whisper API. Audio is sent to OpenAI on session finalize and the transcript is stored back in Supabase. OpenAI does not retain Whisper API inputs for training.
  • Resend — sends transactional email (invitations, receipts, notifications).
  • Stripe — processes payments for paid plans (when enabled). We never see or store your full card number.

Your AI coding agent (Claude Code, etc.) reads sessions through the BugBox MCP server using a token you generate. That data transfer happens between your machine and BugBox; we do not forward your sessions to any AI model on your behalf.

Retention

  • Sessions, audio, screenshots, transcripts — retained until you (or another team member) delete them, or until your team is deleted.
  • Account data — retained while your account is active. When you delete your account, your account row and any teams you solely own are removed within 30 days; storage cleanup may take additional time.
  • Activity events and usage records — retained indefinitely for analytics and billing audit, scoped to your team. References to deleted sessions become null but the event row itself persists.
  • Email logs — Resend retains delivery metadata per their own policy.

Your rights

You can:

  • Access and download your data at any time via the dashboard, or by emailing us.
  • Delete individual sessions, boxes, projects, and your entire account from the dashboard.
  • Opt out of non-essential email from the Notifications settings page.
  • Request correction or deletion of any personal data we hold by emailing hello@bytamins.com. If you're in the EEA, UK, or California, you have additional rights under GDPR, UK GDPR, and CCPA respectively; we honour those requests via the same channel.

Security

All data in transit uses TLS. Data at rest in Supabase is encrypted using their managed-key infrastructure. API tokens issued for the MCP server are stored as SHA-256 hashes — the plaintext value is shown to you exactly once on creation and is never recoverable from our database.

Children

BugBox is not intended for use by children under 16. We do not knowingly collect data from children.

Changes

We'll update this page when we change our practices and bump the "Last updated" date at the top. Material changes will also be communicated by email.

Contact

Bytamins · founded by Sebastian Stant · hello@bytamins.com