Privacy Policy
Last updated: May 17, 2026 · Effective: May 17, 2026
This Privacy Policy explains how dontslowme ("dontslowme", "we", "our" or "us") collects, uses, discloses and protects personal data when you visit www.dontslowme.com (the "Site") or use the dontslowme bug tracking service (together with the Site, the "Service"). It also describes the rights available to you under applicable data protection laws, including the EU/UK General Data Protection Regulation ("GDPR") and the California Consumer Privacy Act as amended ("CCPA/CPRA"). Please read it carefully. If you do not agree with this Policy, do not use the Service.
1. Who we are and how to contact us
dontslowme operates the Service. For the purposes of GDPR, we act as the data controller of personal data we collect about visitors and account holders, and as a data processor for content you upload into projects on behalf of your team or organisation.
Privacy enquiries, rights requests and data protection complaints: contact@dontslowme.com. General support: contact@dontslowme.com.
2. Scope
This Policy covers the Site and the authenticated application (dashboard, projects, bug reports, attachments, comments, invitations and notifications). It does not cover third-party websites or services that we link to but do not operate.
3. Personal data we collect
3.1 Information you provide
- Account data: email address, display name, password hash (we never store plaintext passwords), avatar image, and any profile information you choose to add.
- Authentication data: if you sign in with Google, we receive your email, name, Google account ID and profile picture URL. We do not receive your Google password.
- Content: projects, project descriptions and website URLs, bug titles, descriptions, priorities, statuses, categories, comments, status history and file attachments (screenshots, videos, logs).
- Collaboration data: project memberships, role assignments (owner, editor, status-only, commenter, reporter), invitation tokens and pending email invitations.
- Communications: messages you send to support and feedback you submit through the Service.
3.2 Information collected automatically
- Technical data: IP address, user agent, device type, operating system, browser version, language and time zone.
- Usage data: pages and routes visited, features used, timestamps of actions, error logs and approximate request latency.
- Session data: authentication tokens (access token and refresh token issued by our auth provider), CSRF tokens and security flags stored in local storage or HTTP cookies strictly necessary to keep you signed in.
3.3 Information from third parties
We may receive limited information from identity providers (e.g. Google) when you choose to sign in with them, and from our hosting and infrastructure providers in the form of operational logs.
3.4 Children
The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will delete it.
4. How and why we use personal data (legal bases)
We process personal data only when we have a lawful basis to do so under GDPR Art. 6. The table below summarises the main purposes.
- Provide and operate the Service (account creation, authentication, rendering your projects, sending transactional emails, generating signed URLs for attachments) — performance of a contract with you (Art. 6(1)(b)).
- Maintain security and prevent abuse (rate limiting, fraud detection, RLS enforcement, audit logging) — legitimate interests (Art. 6(1)(f)) in keeping the Service safe and reliable.
- Improve the Service (debugging, performance monitoring, aggregate usage analysis) — legitimate interests in improving product quality, balanced against your rights.
- Comply with legal obligations (tax, accounting, responding to lawful requests) — legal obligation (Art. 6(1)(c)).
- Marketing communications (product updates, newsletters) — only with your consent (Art. 6(1)(a)), which you can withdraw at any time.
We do not use your data for automated decision-making that produces legal or similarly significant effects, and we do not sell or share personal data for cross-context behavioural advertising under CCPA/CPRA.
5. Subprocessors and infrastructure
We rely on a small number of vetted subprocessors to deliver the Service. Each subprocessor is bound by a data processing agreement, processes data only on our documented instructions and is required to apply appropriate technical and organisational measures.
- Lovable Cloud (database, auth, storage): managed Postgres, authentication and object storage. Data is hosted in the EU/US regions configured for our project.
- Cloudflare (edge, CDN, DDoS protection): routes and caches HTTP traffic, terminates TLS and protects against denial-of-service.
- Google OAuth: optional sign-in. Only invoked when you click "Sign in with Google".
- Email delivery provider: sends transactional emails (sign-up confirmation, invitations, password resets).
We will update this list when we add, remove or replace a subprocessor.
6. International data transfers
Personal data may be transferred to and processed in countries outside your country of residence, including the United States. Where required, we rely on Standard Contractual Clauses approved by the European Commission (and the UK Addendum where applicable) and on additional technical safeguards such as encryption in transit and at rest.
7. How long we keep data
- Account data: for as long as your account is active, and up to 30 days after deletion to allow for recovery and to comply with legal obligations.
- Project content: for as long as the owning project exists. When a project is deleted, its bugs, comments and attachments are removed within 30 days from primary storage and within 90 days from backups.
- Operational logs: typically 30–90 days, then deleted or anonymised.
- Invoices and billing records (if applicable): up to 7 years where required by tax law.
8. Security
We apply industry-standard safeguards proportionate to the sensitivity of the data, including: TLS 1.2+ for all traffic, encryption at rest for databases and object storage, row-level security policies that scope each query to authorised members only, signed time-limited URLs for private attachments, hashed passwords (bcrypt/scrypt-class), least-privilege access for engineers, audit logs, and regular dependency scanning. No system is 100% secure; you are responsible for keeping your credentials confidential and for the security of devices you use to access the Service.
9. Your rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your data ("right to be forgotten") subject to legal retention obligations.
- Restrict or object to certain processing, including processing based on legitimate interests.
- Port your data in a structured, machine-readable format.
- Withdraw consent at any time where processing is based on consent.
- Lodge a complaint with your local supervisory authority (e.g. in the EU/EEA, your national DPA; in the UK, the ICO).
California residents additionally have the right under CCPA/CPRA to know, delete, correct and limit the use of sensitive personal information, and to be free from discrimination for exercising these rights. We do not sell personal information and do not share it for cross-context behavioural advertising.
To exercise any right, email contact@dontslowme.com from the address associated with your account. We respond within 30 days (extendable by a further 60 days for complex requests).
10. Cookies and similar technologies
We use only strictly necessary cookies and local storage entries to keep you signed in, preserve your CSRF token and remember UI preferences (e.g. selected project). We do not use third-party advertising cookies, cross-site tracking pixels or marketing tracking. Because we rely solely on strictly necessary storage, we do not display a cookie consent banner under ePrivacy.
11. Data shared between project members
Content you upload to a project is visible to other members of that project according to the role granted to them by the project owner. Owners can add and remove members at any time. Removing a member revokes their access immediately for new requests; any content they have already viewed or downloaded cannot be technically recalled.
12. Disclosure for legal reasons
We may disclose personal data when we believe in good faith that disclosure is required to comply with a legal obligation, enforce our Terms of Use, protect the rights, property or safety of dontslowme, our users or the public, or in connection with a merger, acquisition or sale of assets (in which case affected users will be notified before their data becomes subject to a different policy).
13. Changes to this Policy
We may update this Policy from time to time. Material changes will be announced in the app, by email or via a prominent notice on the Site at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent revision.
14. Contact
For any privacy-related question, contact us at contact@dontslowme.com. If you are in the EU/EEA and we cannot resolve your concern, you have the right to contact your local data protection authority.