Privacy Policy
This Privacy Policy explains how Bug Circuit collects, uses, shares, and protects personal data when you use bugcircuit.com and our authorized security-testing services. It also describes your rights under laws such as the EU/UK GDPR and the California Consumer Privacy Act (CCPA/CPRA), and how to exercise them.
Last updated: 6 July 2026
1.Who We Are and Scope
Bug Circuit is an authorized cybersecurity service that performs manual security audits on domains our customers own and have proven they control. This Policy applies to personal data we process through our website, customer account area, checkout, live chat, and the delivery of our PULSE, CIRCUIT, and SIGNAL plans.
For the purposes of the GDPR and equivalent laws, the data controller is WEB CODE STORE (PVT) LTD, a company registered in Sri Lanka (Company Registration No. PV 00318975). Where we process data on behalf of a customer as part of delivering a security audit, we act as a processor and the customer is the controller for that data.
2.Data We Collect
We collect the following categories of personal data, most of it provided directly by you or generated as you use the service:
- Account and business email: the business email address you use for passwordless one-time-code login, and the organization name associated with your account.
- Verified domains: the domain(s) you enter, and the ownership-proof details you provide (for example a one-time code sent to a role address such as security@ or admin@, a DNS TXT record, a /.well-known file, or a homepage meta tag).
- Authorization records: your recorded click-through 'Authorization to Test' and the associated timestamp and account context.
- Scan data and findings: your scan requests, the passive reconnaissance data we gather (subdomains, technology fingerprint, and DNS/email posture such as SPF and DMARC), and the vulnerability findings and reports produced by our security engineers.
- Order and payment data: your plan selection, any discount voucher used, order status, and confirmation of payment. Payment card and account details are handled by our third-party payment processor; Bug Circuit does not receive or store full card numbers.
- Live-chat transcripts: the name and email address you provide in live chat and the content of your chat messages, including questions handled by our AI assistant.
- Audit log: an append-only record of security-relevant actions in your account (for example logins, domain verifications, authorizations, and order events).
- Usage and technical logs: server and application logs including IP address, browser and device information, request metadata, and timestamps.
- Cookies and similar technologies: identifiers and settings stored on your device as described in Section 10.
Admin staff authenticate using passkeys (WebAuthn); we do not collect or store passwords for staff or customers.
3.How and Why We Use Data (Legal Bases)
We use personal data only for the purposes below. Where the GDPR applies, we rely on the legal basis identified for each purpose:
- Provide the service (legal basis: performance of a contract): to create and secure your account, verify domain ownership, record your Authorization to Test, run passive reconnaissance, perform the manual audit, deliver findings and reports, and — for SIGNAL — remediate high and critical issues and provide ongoing cover.
- Process orders and payments (contract): to take payment through our processor, apply discount vouchers, activate fully-covered ($0) orders, and confirm other orders by staff.
- Support and communication (contract and legitimate interest): to provide premium support and a named contact for paid plans, answer product questions through live chat and our AI assistant, and send service and transactional messages.
- Security, integrity, and abuse prevention (legitimate interest and legal obligation): to maintain the append-only audit log, keep usage and technical logs, protect our systems and customers, and enforce our terms.
- Improve the service (legitimate interest): to understand how the service is used and to maintain and improve its reliability and quality.
- Legal and compliance (legal obligation): to keep records, respond to lawful requests, and establish, exercise, or defend legal claims.
- Optional cookies and marketing (consent): where we use non-essential cookies or send optional communications, we rely on your consent, which you may withdraw at any time.
Where we rely on legitimate interests, we balance those interests against your rights and freedoms. You can ask us for more information about that balancing at [email protected].
4.The AI Chat Assistant
Our AI chat assistant is powered by Google Gemini and runs server-side to answer general product questions. The assistant does not have access to your account, verified domains, scan findings, audit log, or other customer data.
Please do not enter sensitive personal information into the chat. Messages you send may be processed by our AI provider to generate a response, subject to the safeguards described in Section 5.
6.International Data Transfers
We and our sub-processors may process personal data in countries other than the one in which you are located. Where we transfer data out of the UK, European Economic Area, or another region with data-transfer restrictions, we rely on an appropriate safeguard — such as an adequacy decision or Standard Contractual Clauses (with the UK International Data Transfer Addendum where relevant) — together with supplementary measures where needed.
You can request more detail about the safeguards we use, including a copy where legally required, by contacting [email protected].
7.Data Retention
We keep personal data only for as long as necessary for the purposes described in this Policy, and then delete or anonymize it. In practice:
- Account data (business email, organization name, verified domains) is retained for the life of your account and for a reasonable period afterward.
- Scan requests, findings, and reports are retained so you can access your results and, for SIGNAL, for the duration of your active cover; they are then retained for a limited period before deletion.
- Order and payment records are kept as long as required to meet accounting, tax, and legal obligations.
- Live-chat transcripts are retained for a limited period to support you and improve service quality.
- The append-only audit log and technical logs are retained for security, integrity, and compliance purposes for a defined retention period.
Where we are required to keep certain records to comply with legal obligations or to defend legal claims, we retain them for the period required by applicable law.
8.How We Protect Data
We use technical and organizational measures appropriate to the nature of the data we handle, including:
- Tenant isolation using database row-level security (RLS), so each customer's data is logically separated.
- Passkey (WebAuthn) authentication for admin staff, and passwordless one-time-code login for customers — we store no passwords.
- Encryption of data in transit.
- An append-only audit log of security-relevant actions to support accountability and detection.
- Access controls that limit staff access to personal data on a need-to-know basis.
9.Your Privacy Rights
Depending on where you live and applicable law, you may have some or all of the following rights over your personal data:
- Access: obtain confirmation of whether we process your data and a copy of it.
- Rectification: correct inaccurate or incomplete data.
- Erasure: ask us to delete your data in certain circumstances.
- Restriction and objection: limit or object to certain processing, including processing based on legitimate interests.
- Portability: receive certain data in a structured, commonly used, machine-readable format.
- Withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing.
- Non-discrimination (CCPA/CPRA): not receive discriminatory treatment for exercising your rights.
California residents: we do not sell or 'share' personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. You may also have the right to know the categories of personal information collected, the purposes, and the categories of sub-processors — all of which are described in this Policy.
To exercise any right, email [email protected]. We will verify your request (typically via your account email) and respond within the timeframe required by applicable law. You may use an authorized agent where the law permits. If you are in the EEA or UK and are unhappy with our response, you may lodge a complaint with your local data protection authority, though we ask that you contact us first.
11.Children
Bug Circuit is a business service intended for organizations and is not directed to anyone under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact [email protected] and we will delete it.
12.Changes and How to Contact Us
We may update this Policy from time to time. When we make material changes, we will update the 'last updated' date and, where appropriate, notify you. Your continued use of Bug Circuit after an update means you accept the revised Policy.
To contact us about privacy or to exercise your rights, reach the data controller at:
- Privacy matters: [email protected]
- General and support: [email protected]
- Legal: [email protected]
- Security: [email protected]
- Postal: WEB CODE STORE (PVT) LTD, a company registered in Sri Lanka
This Policy is governed by the laws of Sri Lanka, without prejudice to any mandatory data-protection rights you have under the laws of your place of residence.