bichito
Log inStart free

Privacy policy

Last updated:

This page explains what bichito collects when you (or your end users) use the service, why we collect it, where it lives, how long we keep it, and the rights you have over your data. We've written it in plain language; if anything is still unclear, email us at hello@bichito.dev.

bichito is operated by [YOUR LEGAL NAME], registered in [YOUR JURISDICTION](the “Operator”, “we”, “us”). Contact: hello@bichito.dev.

Two kinds of users

This policy distinguishes between:

  • Customers — people who sign up at bichito.dev and embed the widget on their own site. We treat them as data controllers for whatever their end users post.
  • End users — people who report a bug through the widget on a customer's site. We process their data on the customer's behalf as a processor.

What we collect from customers

When you sign up and use bichito as a customer, we store:

  • Your email address (mandatory — used to log in, send notifications, recover the account).
  • Your password hash if you signed up with a password (we never store the plaintext; we use a salted bcrypt hash).
  • If you signed up with Google or GitHub, your OAuth provider id and verified email (no password is stored).
  • The hives, honeycombs, labels, saved views, blocklist rules, webhooks and API keys you create.
  • Your notification preferences.
  • Operational metadata: account creation date, last sign-in, last activity, the IP that created an MCP token.
  • Billing information — handled entirely by Lemon Squeezy. We never see your card; we only store an opaque customer / subscription id and the plan you're on.

What the widget collects from end users

When an end user clicks the bichito button on a customer's site and submits a report, the widget sends us:

  • The title and description they wrote.
  • The URL of the page where they clicked the button.
  • Their browser user-agent.
  • Their IP address, captured server-side from the request.
  • Optionally, a reporter email and a free-form identifier the customer chose to set programmatically.
  • Optionally, a screenshot or image attachment the end user attaches manually.
  • Any extra context (severity, environment, app version, stack trace) the customer's integration chose to send.

The customer decides what context to ship. We don't add fingerprints, third-party tracking, or analytics inside the widget.

Why we process this data (legal bases under GDPR)

  • Contract performance (Art. 6(1)(b) GDPR) — running the dashboard, ingesting bug reports, sending you the notifications you asked for.
  • Legitimate interest (Art. 6(1)(f)) — abuse prevention (rate limits, blocklist), error monitoring, and operational logs needed to keep the service up.
  • Consent (Art. 6(1)(a)) — opt-in features like marketing emails, if and when we add them. Today we don't send marketing email.
  • Legal obligation (Art. 6(1)(c)) — invoicing, tax records.

Where the data lives

  • Postgres database hosted on fly.io, region: [YOUR REGION, e.g. cdg / Paris].
  • Image attachments on Cloudflare R2.
  • Outgoing email through Resend (transactional only — verification codes, password resets, bug-arrival notifications).
  • Billing through Lemon Squeezy.
  • Web hosting for the dashboard and marketing site on Vercel.
  • Web analytics through Vercel Analytics — first-party, no cross-site tracking, no cookies.
  • Error monitoring through Sentry (planned). We scrub email addresses, JWTs and bichito payload bodies before sending events.

Each of these processors has their own privacy policy and Data Processing Addendum. Some (Cloudflare, Vercel) operate globally; we've chosen the EU region everywhere it's an option.

How long we keep things

  • Free plan bichitos: 30 days. After that the row is purged by a daily cron, including comments, activity rows and attachments.
  • Pro plan bichitos: forever, until the customer deletes them.
  • Account data (email, password hash, settings): until the customer deletes the account.
  • Billing records: 7 years (legal requirement).
  • Operational logs: 30 days, then rotated.
  • Email-delivery logs: 30 days at Resend.
  • Webhook delivery logs: 90 days, then rotated.

Your rights under GDPR

You can exercise any of these at any time:

  • Access — download everything we have about you. From your account: Settings → Account → Export my data.
  • Erasure — delete your account and all related data. Same page: Delete my account. Cascades to every hive, honeycomb, bichito, comment and attachment you own.
  • Rectification — fix wrong data. Most fields are editable in the dashboard; for anything you can't change there, email us.
  • Portability — the export is structured JSON, machine-readable.
  • Object / Restrict — email us; we'll stop processing under the chosen legal basis if your request is valid.
  • Lodge a complaint — with your national data-protection authority (in Spain, the AEPD: aepd.es).

Self-service: account deletion and data export work without contacting us — both surface in Settings → Account.

End users: how to remove a report you submitted

If you reported a bug through a bichito widget on someone else's site and want it removed, contact the operator of that site directly — they're the data controller. We can't unilaterally delete a customer's bug report. If the customer is unresponsive and you believe your rights are not being respected, contact us at hello@bichito.dev and we'll mediate.

Cookies

bichito sets a JWT token in localStorage after sign-in — that's not a cookie, but it serves the same role and we mention it for completeness. We also drop a short-lived active-hive cookie on the dashboard so you land in the right hive after navigating from billing. We don't set any third-party cookies and we don't use cookie-based analytics. Vercel Analytics is cookie-free and aggregates traffic without identifying visitors.

International transfers

Most of our processing happens in the EU. Some processors (Cloudflare, Vercel, Sentry, Resend) operate globally — they've signed Standard Contractual Clauses and where applicable rely on the EU-US Data Privacy Framework. Their public DPAs cover the details.

Security

  • All traffic is HTTPS-only.
  • Passwords are stored as bcrypt hashes; we never see plaintext.
  • API keys and MCP tokens are stored as SHA-256 hashes; we never display the plaintext after creation.
  • We rate-limit ingest, login and password-reset endpoints to deter brute force.
  • Image uploads are size-capped and content-type-validated.
  • We don't promise unbreachable security — nobody can. We promise to be honest if anything ever goes wrong: we'll tell you within 72 hours, as the GDPR requires.

Children

bichito is not directed at children under 16 and we don't knowingly collect data from them. If you believe a minor has signed up, let us know and we'll remove the account.

Changes to this policy

When we materially change this policy, the date at the top changes and we email registered customers a summary of what's new at least 7 days before the new version takes effect. For minor edits (typos, clarifications) we just bump the date.

Contact

Email: hello@bichito.dev. Postal: [YOUR ADDRESS].

Designated EU representative (if applicable): [NAME / ADDRESS or N/A if you operate from the EU].