Privacy policy

How we collect, use, and protect your data.

Last updated · April 17, 2026

Section 01

Introduction

Gotcha (“we”, “us”, “our”) operates the gotcha.cx website and the gotcha-feedback SDK. This Privacy Policy explains how we collect, use, and protect your information when you use our services.

Section 02

Information we collect

Account information

When you create an account, we collect your email address, name, and profile information from your authentication provider (e.g., GitHub).

Profile & segmentation data

During onboarding or profile updates, we may collect additional information such as company size, job role, industry, and use case. This data is used to improve the product experience and may be attached to feedback responses for segmentation purposes.

Feedback data

When end users submit feedback through the Gotcha SDK embedded on your website, we collect: the feedback content (text, ratings, votes, poll responses, NPS scores), bug reports, the element identifier, page URL, user agent, and any user metadata you choose to pass.

Screenshots

When the customer enables screenshot capture on a bug-report widget and the end user toggles the bug flag on submission, the SDK captures a screenshot of the current viewport and sends it to us. Screenshots are stored in a private Supabase Storage bucket scoped to the submitting project and are only viewable through short-lived signed URLs generated for authenticated members of the owning organization. The SDK captures only the visible viewport (not the full page) and does not capture any pixels outside the browser window.

Submitter email & notify-back

When the SDK is configured with the optional userEmail prop, we store the submitter’s email address alongside their response so that, when the customer marks the feedback as “Shipped” in the dashboard, we can send a one-off notification to the submitter. Notifications are HMAC-signed and include a one-click unsubscribe link that suppresses future notifications for that project/submitter pair.

Team & invitation data

When you invite team members to your organization, we collect and store the invitee’s email address, the role assigned, and the invitation status.

Usage data

We track response counts per organization for plan-limit enforcement.

Section 03

How we use your information

  • To provide, maintain, and improve our services.
  • To process payments and manage subscriptions.
  • To send transactional emails (welcome, usage warnings, notify-back).
  • To enforce plan limits and prevent abuse.

Section 04

Third-party services

We use the following third-party services to operate Gotcha:

  • Supabase: Authentication, database, and storage hosting.
  • Stripe: Payment processing.
  • Resend: Transactional email delivery.
  • Netlify: Website hosting.
  • Upstash: Rate limiting (Redis).

Each of these services has its own privacy policy. We do not sell your data to any third party.

Section 05

Public roadmap

When the customer promotes a response to a public-facing lifecycle state (“Planned”, “In progress”, “Shipped”), the curated title of that response becomes publicly visible on the customer’s roadmap page (e.g. gotcha.cx/roadmap/<slug>). Only the title is surfaced — the full response content, submitter email, metadata, user agent, URL, and any screenshots remain private to the customer’s dashboard. Anonymous visitors can cast upvotes on roadmap items; upvotes are deduplicated using a hashed visitor fingerprint that is not linkable to any personal data.

Section 06

Webhooks & third-party data delivery

You may configure webhooks to send feedback data to external URLs (e.g., Slack, Discord, or custom endpoints). When webhooks are enabled, feedback data is delivered to the URLs you specify. You are responsible for the security and privacy practices of those endpoints. We validate webhook URLs to prevent delivery to private networks.

Section 07

Cookies

We use essential cookies for authentication session management. We also use short-lived httpOnly cookies to securely process team invitation links. We do not use tracking or advertising cookies. The Gotcha SDK does not set any cookies on your end users’ browsers.

Section 08

Data retention

We retain your account data and feedback responses for as long as your account is active. You can request deletion of your account and all associated data at any time by contacting us.

Section 09

Data security

We protect your data using industry-standard measures including encrypted connections (TLS), hashed API keys, and access controls. However, no method of transmission over the Internet is 100% secure.

Section 10

Your rights (GDPR)

If you are in the European Economic Area, you have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data.
  • Object to or restrict processing of your data.
  • Request data portability.

Gotcha provides API endpoints for programmatic data export and deletion of end-user data scoped to individual projects. Account holders can use these APIs to fulfill data subject requests from their own users.

To exercise your own rights, or for requests not covered by the API, contact us at info@braintwopoint0.com.

Section 11

Children’s privacy

Our services are not directed to children under 13. We do not knowingly collect personal information from children.

Section 12

Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a new “Last updated” date.

Section 13

Contact us

If you have questions about this Privacy Policy, contact us at info@braintwopoint0.com.