Legal

Privacy Policy

This Privacy Policy explains how Bug Circuit collects, uses, shares, and protects personal data when you use bugcircuit.com and our authorized security-testing services. It also describes your rights under laws such as the EU/UK GDPR and the California Consumer Privacy Act (CCPA/CPRA), and how to exercise them.

Last updated: 6 July 2026

1.Who We Are and Scope

Bug Circuit is an authorized cybersecurity service that performs manual security audits on domains our customers own and have proven they control. This Policy applies to personal data we process through our website, customer account area, checkout, live chat, and the delivery of our PULSE, CIRCUIT, and SIGNAL plans.

For the purposes of the GDPR and equivalent laws, the data controller is WEB CODE STORE (PVT) LTD, a company registered in Sri Lanka (Company Registration No. PV 00318975). Where we process data on behalf of a customer as part of delivering a security audit, we act as a processor and the customer is the controller for that data.

Bug Circuit only tests domains that a customer owns, has verified control of, and has explicitly authorized for testing. We do not test third-party systems, and this Policy does not cover any website or service that is merely linked from ours.

2.Data We Collect

We collect the following categories of personal data, most of it provided directly by you or generated as you use the service:

  • Account and business email: the business email address you use for passwordless one-time-code login, and the organization name associated with your account.
  • Verified domains: the domain(s) you enter, and the ownership-proof details you provide (for example a one-time code sent to a role address such as security@ or admin@, a DNS TXT record, a /.well-known file, or a homepage meta tag).
  • Authorization records: your recorded click-through 'Authorization to Test' and the associated timestamp and account context.
  • Scan data and findings: your scan requests, the passive reconnaissance data we gather (subdomains, technology fingerprint, and DNS/email posture such as SPF and DMARC), and the vulnerability findings and reports produced by our security engineers.
  • Order and payment data: your plan selection, any discount voucher used, order status, and confirmation of payment. Payment card and account details are handled by our third-party payment processor; Bug Circuit does not receive or store full card numbers.
  • Live-chat transcripts: the name and email address you provide in live chat and the content of your chat messages, including questions handled by our AI assistant.
  • Audit log: an append-only record of security-relevant actions in your account (for example logins, domain verifications, authorizations, and order events).
  • Usage and technical logs: server and application logs including IP address, browser and device information, request metadata, and timestamps.
  • Cookies and similar technologies: identifiers and settings stored on your device as described in Section 10.

Admin staff authenticate using passkeys (WebAuthn); we do not collect or store passwords for staff or customers.

4.The AI Chat Assistant

Our AI chat assistant is powered by Google Gemini and runs server-side to answer general product questions. The assistant does not have access to your account, verified domains, scan findings, audit log, or other customer data.

Please do not enter sensitive personal information into the chat. Messages you send may be processed by our AI provider to generate a response, subject to the safeguards described in Section 5.

5.Who We Share Data With (Sub-processors)

We do not sell your personal data. We share it only with service providers ('sub-processors') that help us operate Bug Circuit, and only as needed for the purposes above. Each is bound by a contract requiring appropriate confidentiality and security. Our current categories of sub-processors are:

  • Cloud hosting provider: hosts our application and databases (PostgreSQL and Redis).
  • Payment processors (PayHere and PayPal): handle card and account details and process payments; Bug Circuit does not store full card numbers.
  • Transactional email provider: delivers one-time login codes, order confirmations, and other service emails.
  • AI assistant provider (Google): powers the server-side chat assistant that answers product questions.

We may also disclose personal data where required by law or valid legal process, to protect our rights, users, or the public, or in connection with a merger, acquisition, or sale of assets (in which case we will notify you and this Policy will continue to apply to your data).

6.International Data Transfers

We and our sub-processors may process personal data in countries other than the one in which you are located. Where we transfer data out of the UK, European Economic Area, or another region with data-transfer restrictions, we rely on an appropriate safeguard — such as an adequacy decision or Standard Contractual Clauses (with the UK International Data Transfer Addendum where relevant) — together with supplementary measures where needed.

You can request more detail about the safeguards we use, including a copy where legally required, by contacting [email protected].

7.Data Retention

We keep personal data only for as long as necessary for the purposes described in this Policy, and then delete or anonymize it. In practice:

  • Account data (business email, organization name, verified domains) is retained for the life of your account and for a reasonable period afterward.
  • Scan requests, findings, and reports are retained so you can access your results and, for SIGNAL, for the duration of your active cover; they are then retained for a limited period before deletion.
  • Order and payment records are kept as long as required to meet accounting, tax, and legal obligations.
  • Live-chat transcripts are retained for a limited period to support you and improve service quality.
  • The append-only audit log and technical logs are retained for security, integrity, and compliance purposes for a defined retention period.

Where we are required to keep certain records to comply with legal obligations or to defend legal claims, we retain them for the period required by applicable law.

8.How We Protect Data

We use technical and organizational measures appropriate to the nature of the data we handle, including:

  • Tenant isolation using database row-level security (RLS), so each customer's data is logically separated.
  • Passkey (WebAuthn) authentication for admin staff, and passwordless one-time-code login for customers — we store no passwords.
  • Encryption of data in transit.
  • An append-only audit log of security-relevant actions to support accountability and detection.
  • Access controls that limit staff access to personal data on a need-to-know basis.
No method of transmission or storage is completely secure. While we work hard to protect your data, we cannot guarantee absolute security. If you believe your account or data has been compromised, contact [email protected].

9.Your Privacy Rights

Depending on where you live and applicable law, you may have some or all of the following rights over your personal data:

  • Access: obtain confirmation of whether we process your data and a copy of it.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: ask us to delete your data in certain circumstances.
  • Restriction and objection: limit or object to certain processing, including processing based on legitimate interests.
  • Portability: receive certain data in a structured, commonly used, machine-readable format.
  • Withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing.
  • Non-discrimination (CCPA/CPRA): not receive discriminatory treatment for exercising your rights.

California residents: we do not sell or 'share' personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. You may also have the right to know the categories of personal information collected, the purposes, and the categories of sub-processors — all of which are described in this Policy.

To exercise any right, email [email protected]. We will verify your request (typically via your account email) and respond within the timeframe required by applicable law. You may use an authorized agent where the law permits. If you are in the EEA or UK and are unhappy with our response, you may lodge a complaint with your local data protection authority, though we ask that you contact us first.

10.Cookies and Similar Technologies

We use cookies and similar technologies that are strictly necessary to operate the site (for example to keep you logged in and to secure sessions), and, where you consent, additional cookies to understand and improve usage. You can manage non-essential cookies through our cookie controls and your browser settings.

For full details of the cookies we use and how to control them, please see our Cookie Policy.

11.Children

Bug Circuit is a business service intended for organizations and is not directed to anyone under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact [email protected] and we will delete it.

12.Changes and How to Contact Us

We may update this Policy from time to time. When we make material changes, we will update the 'last updated' date and, where appropriate, notify you. Your continued use of Bug Circuit after an update means you accept the revised Policy.

To contact us about privacy or to exercise your rights, reach the data controller at:

This Policy is governed by the laws of Sri Lanka, without prejudice to any mandatory data-protection rights you have under the laws of your place of residence.

Questions about this policy? Email [email protected] or see our other legal documents.