Privacy Policy
Last updated: May 16, 2026
1. Controller and Contact Information
Controller pursuant to Art. 4(7) GDPR:
Arantic Digital - Philip Bellm
Johann-G.-Gutenberg-Str. 7, 82140 Olching, Germany
Email: [email protected]
2. Overview of Data Processing
2.1 Scope and Purpose
This Privacy Policy explains how we collect, process, and protect your personal data when using the BugPin platform in accordance with:
- EU General Data Protection Regulation (GDPR)
- German Federal Data Protection Act (BDSG)
- German Telecommunications Digital Services Data Protection Act (TDDDG)
2.2 Categories of Data Subjects
- Registered users and account holders
- Website visitors
- Business contacts and customers
3. Legal Bases for Processing (Art. 6 GDPR)
We process your personal data based on the following legal grounds:
| Purpose | Legal Basis | Reference |
|---|---|---|
| Contract performance (providing services) | Art. 6(1)(b) GDPR | Necessary for contract |
| Account management | Art. 6(1)(b) GDPR | Necessary for contract |
| Payment processing | Art. 6(1)(b) GDPR | Necessary for contract |
| Technical operation of website | Art. 6(1)(f) GDPR | Legitimate interest |
| Security and fraud prevention | Art. 6(1)(f) GDPR | Legitimate interest |
| Legal compliance | Art. 6(1)(c) GDPR | Legal obligation |
| Marketing (with consent) | Art. 6(1)(a) GDPR | Consent |
| Analytics (with consent) | Art. 6(1)(a) GDPR | Consent |
| Bug report submissions via the BugPin widget | Art. 6(1)(a) GDPR | Consent (opening and submitting the widget) |
| Loading the BugPin widget on page visits | Art. 6(1)(f) GDPR | Legitimate interest (making the feedback channel available) |
4. Personal Data We Collect
4.1 Data You Provide Directly
- Account data: Name, email address, password (hashed)
- Company information: Company name, business address, VAT ID
- Payment data: Billing address, payment method details (processed by Paddle)
- Communication data: Support inquiries, feedback
4.2 Data Collected Automatically
Server log files (Art. 6(1)(f) GDPR):
- IP address (anonymized)
- Browser type and version
- Operating system
- Referrer URL
- Date and time of access
- Pages visited
Purpose: Technical operation, security, error analysis
4.3 User-Generated Content
- Bug reports, screenshots, annotations, comments
- Legal basis: Art. 6(1)(b) GDPR (contract performance)
Data submitted by visitors of this website through our bug reporting widget is described separately in Section 6 (Bug Reporting Widget).
5. Cookies and Tracking Technologies (§ 25 TDDDG)
5.1 Strictly Necessary Storage
The following technologies are essential for website functionality and do not require consent under § 25(2) TDDDG:
- Session management
- Security tokens
- Load balancing
- Cookie consent state (localStorage): Stores your choice to accept or decline optional cookies so the banner is not shown again.
- Bug reporting widget queue (IndexedDB): The BugPin widget uses IndexedDB to temporarily store reports you have started so they are not lost if your connection drops before submission. Only data you have actively entered into the widget is stored. Entries are removed once the report has been delivered to the server. See Section 6 (Bug Reporting Widget).
- Bug reporting widget consent flag (localStorage, bugpin-widget-consent): Records that you accepted the in-widget confirmation dialog so it is not shown for every subsequent report from the same browser. See Section 6 (Bug Reporting Widget).
5.2 Google Analytics (Consent Required)
We use Google Analytics, a web analytics service provided by:
Google Ireland Limited
Gordon House, Barrow Street, Dublin 4, Ireland
Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Purpose: Analysis of website usage to improve our services.
Legal basis: Art. 6(1)(a) GDPR (consent) and § 25 TDDDG. Google Analytics is only activated after you provide explicit consent via our cookie banner.
Data processed:
- IP address (anonymized via IP masking)
- Pages visited, time spent, bounce rate
- Browser type, operating system, screen resolution
- Referrer URL
- Approximate geographic location (city level)
Data transfer to the US: Google LLC is certified under the EU-US Data Privacy Framework (Art. 45 GDPR). Additionally, Standard Contractual Clauses (Art. 46(2)(c) GDPR) are in place.
Retention period: 14 months.
Opt-out: You can prevent data collection by Google Analytics by:
- Declining or withdrawing cookie consent (use the button below)
- Installing the Google Analytics Opt-out Browser Add-on
- Configuring your browser to block cookies
Google's privacy policy: https://policies.google.com/privacy
5.3 Other Optional Cookies
- Functionality cookies for user preferences
Your Rights: You can withdraw cookie consent at any time. You can also configure your browser to block cookies.
6. Bug Reporting Widget
This website embeds our own BugPin feedback widget so visitors can report issues they encounter on bugpin.io (broken pages, visual glitches, content errors, etc.). This section describes the widget separately from the BugPin product offered to our customers.
6.1 What is captured when you submit a report
The widget is dormant until you actively open it and press "Submit". Only at that moment is the following information transmitted to our bug reporting server:
- A screenshot of the page you are currently viewing (rendered in your browser)
- Any text, annotations, or markings you add inside the widget
- Browser console log entries from the current page session
- Browser type and version, operating system, viewport size, and user agent
- The URL of the page you are reporting
- The IP address of your request (as part of standard server logs)
We do not record session activity, keystrokes, mouse movements, or form input from the page itself. Nothing is sent before you choose to submit.
6.2 Recipient
Reports are sent to our bug reporting server at bugpin-web.arantic.cloud, operated by Arantic Digital — the same controller responsible for bugpin.io. The data is not transferred to a separate third-party provider for content processing; the server is part of our own infrastructure.
6.3 Legal basis
- Loading the widget — Art. 6(1)(f) GDPR (legitimate interest). The widget is loaded on every page so visitors have an immediately available way to report problems. This involves a single request to our server to fetch the widget configuration, transmitting your IP address and the URL of the page. Our legitimate interest is providing a working feedback channel; the processing is limited to what is technically necessary to make the launcher available.
- Submitting a report — Art. 6(1)(a) GDPR (consent). Submission requires your prior consent. Consent can be given in either of two ways:
  - By clicking "Accept" on our consent banner, the wording of which explicitly informs you that acceptance also covers submissions through the bug reporting widget.
  - By clicking "Accept & Submit" in the confirmation dialog that appears if you press the widget's Submit button without having previously given consent. The dialog lists exactly what will be sent (see Section 6.1) and the recipient.
- Storage of consent. Acceptance via the in-widget dialog is stored locally in your browser (localStorage key bugpin-widget-consent) so the dialog does not reappear for subsequent reports from the same browser. Acceptance via the consent banner is stored under cookie-consent. Both flags are strictly necessary under § 25(2) TDDDG (they only record the consent you have given).
- Withdrawing consent (Art. 7(3) GDPR). You may withdraw consent at any time by using the "Reset Cookie Preferences" button in Section 5 (which clears both flags) or by clearing your browser's site data. The next submission will then require fresh consent. Reports submitted before withdrawal remain processed lawfully.
6.4 Local browser storage (§ 25(2) TDDDG)
The widget uses your browser's IndexedDB to temporarily queue reports you have started, so that an in-progress report is not lost if your network connection drops before submission. Only data you have actively entered into the widget is stored. Once a report has been delivered to the server, the corresponding entry is removed from IndexedDB. You can clear this data at any time via your browser's site data settings.
This storage is classified as strictly necessary under § 25(2) TDDDG and therefore does not require consent.
6.5 Retention
Submitted bug reports are retained for 12 months after submission for the purpose of reproducing and fixing the reported issue, after which they are deleted. Reports linked to an active security investigation may be retained beyond this period where strictly necessary.
6.6 Right to deletion (Art. 17 GDPR)
You may request deletion of any report you have submitted at any time. Because bug reports are not linked to a user account, please include sufficient detail to identify the report — typically the URL of the page, the approximate date and time of submission, and any distinctive text you entered. Contact us via our contact form or at [email protected].
7. Data Recipients and Third-Party Processors
We share your data with the following categories of recipients:
7.1 Payment Processing
- Paddle.com (Merchant of Record)
- Purpose: Payment processing, invoicing, tax compliance
- Data shared: Name, email, billing address, payment details
- Legal basis: Art. 6(1)(b) GDPR
- Privacy Policy: https://www.paddle.com/legal/privacy
7.2 Email Services
- Resend, Inc. (San Francisco, CA, USA)
- Purpose: Transactional and service emails (account verification, notifications, password resets)
- Data shared: Email address, name
- Legal basis: Art. 6(1)(b) GDPR
- Data transfer safeguard: EU-US Data Privacy Framework / Standard Contractual Clauses (Art. 46(2)(c) GDPR)
- Privacy Policy: https://resend.com/legal/privacy-policy
7.3 Hosting and Infrastructure
- Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107, USA)
- Purpose: Website hosting, CDN, DNS, DDoS protection
- Data processed: IP address, HTTP request data, access logs
- Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure and reliable website operation)
- Data transfer safeguard: EU-US Data Privacy Framework / Standard Contractual Clauses (Art. 46(2)(c) GDPR)
- Data Processing Agreement: In place per Art. 28 GDPR
- Privacy Policy: https://www.cloudflare.com/privacypolicy/
7.4 Bug Reporting Server
- bugpin-web.arantic.cloud — operated by Arantic Digital (same controller as bugpin.io)
- Purpose: Receiving and storing bug reports submitted via the BugPin feedback widget on this website
- Data processed: As listed in Section 6.1
- Legal basis: Art. 6(1)(a) GDPR for report submissions; Art. 6(1)(f) GDPR for loading the widget configuration
- This server is operated on our own infrastructure and is not a separate third-party processor.
8. International Data Transfers
8.1 Transfers to Third Countries
When we transfer personal data outside the EU/EEA, we ensure appropriate safeguards:
- EU-US Data Privacy Framework: For US-based processors certified under the framework
- Standard Contractual Clauses (SCCs): Art. 46(2)(c) GDPR
- Adequacy Decisions: Art. 45 GDPR
8.2 Your Rights Regarding Transfers
You may request information about the specific safeguards applied to international transfers of your data.
9. Data Retention Periods
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account data | Duration of contract + 3 years | § 195 BGB (limitation period) |
| Invoices/Payment records | 10 years | § 147 AO (tax retention) |
| Server logs | 30 days | Art. 6(1)(f) GDPR |
| Support correspondence | 3 years after resolution | Art. 6(1)(f) GDPR |
| Analytics data (Google Analytics) | 14 months | Art. 6(1)(a) GDPR |
| Bug reports (BugPin widget submissions) | 12 months | Art. 6(1)(a) GDPR |
| Consent records | Until withdrawal + 3 years | Art. 7(1) GDPR |
10. Your Rights (Art. 15-22 GDPR)
You have the following rights regarding your personal data:
10.1 Right of Access (Art. 15 GDPR)
You may request confirmation of whether we process your data and obtain a copy of that data.
10.2 Right to Rectification (Art. 16 GDPR)
You may request correction of inaccurate data or completion of incomplete data.
10.3 Right to Erasure (Art. 17 GDPR)
You may request deletion of your data when:
- Data is no longer necessary for the original purpose
- You withdraw consent (where consent was the legal basis)
- You object to processing and there are no overriding legitimate grounds
- Data was processed unlawfully
Exceptions: We may retain data where required by law (e.g., tax records).
10.4 Right to Restriction of Processing (Art. 18 GDPR)
You may request restriction of processing under certain circumstances.
10.5 Right to Data Portability (Art. 20 GDPR)
You may request your data in a structured, commonly used, machine-readable format.
10.6 Right to Object (Art. 21 GDPR)
You have the right to object at any time to the processing of your personal data based on Art. 6(1)(e) or (f) GDPR, including profiling. We will cease processing unless we demonstrate compelling legitimate grounds.
10.7 Right to Withdraw Consent (Art. 7(3) GDPR)
You may withdraw consent at any time. This does not affect the lawfulness of processing before withdrawal.
10.8 How to Exercise Your Rights
Contact us at: [email protected] or via our contact form.
We will respond within one month (extendable by two months for complex requests per Art. 12(3) GDPR).
11. Right to Lodge a Complaint (Art. 77 GDPR)
You have the right to lodge a complaint with a supervisory authority. The competent authority for us is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach, Germany
https://www.lda.bayern.de
You may also contact the supervisory authority in your place of residence or work.
12. Automated Decision-Making (Art. 22 GDPR)
We do not use automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you.
13. Data Security (Art. 32 GDPR)
We implement appropriate technical and organizational measures including:
- Encryption in transit (TLS/SSL) and at rest
- Access controls and authentication
- Regular security assessments
- Employee training on data protection
- Incident response procedures
14. Children's Privacy
Our services are not directed to individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly.
15. Changes to This Privacy Policy
We may update this Privacy Policy periodically. Material changes will be communicated via:
- Email notification to registered users
- Prominent notice on our website
The "Last updated" date at the top indicates the most recent revision.
16. Contact Us
For questions about this Privacy Policy or to exercise your data protection rights:
Email: [email protected]
Or contact us via our contact form.
This Privacy Policy is provided in English. For users in Germany, all statutory rights under GDPR and BDSG remain fully applicable.