Privacy Policy
Last updated May 30, 2026
This Privacy Policy explains how BubbleAudit (“we,” “us,” or “our”) collects, uses, and protects your information when you use the BubbleAudit Chrome extension, the bubbleaudit.com website, and any related services (collectively, the “Service”).
You can contact us at support@bubbleaudit.com.
BubbleAudit is an independent tool and is not affiliated with, endorsed by, or sponsored by Bubble Group, Inc.
1. Information we collect
1.1 Information you provide directly
- Email address. When you choose to run an audit, you provide an email address so we can deliver your audit report. We use this email solely to send your report and, if applicable, to authenticate you via magic link.
- Payment information. When you purchase a full audit report, payment is processed by our payment processor (acting as merchant of record). We do not receive or store your card details. We only receive a transaction confirmation containing your email, the amount paid, and a transaction ID.
1.2 Information processed by the browser extension
When you click “Audit my app” inside your Bubble.io editor, our extension reads your Bubble application’s in-memory structure (the window.appquery() object) directly within your browser. Before any data leaves your browser, the extension automatically redacts known secret patterns including:
- API keys (including common live and test key formats)
- JSON Web Tokens (JWTs)
- HTTP Bearer tokens
- Cloud access keys
- Personal access tokens for code-hosting platforms
- Chat-platform tokens
- Generic high-entropy strings 40 characters or longer
Only the sanitized result is transmitted to our servers for AI analysis when you explicitly opt into a full audit.
1.3 Information collected automatically when you use the Service
- Audit metadata. When you submit an audit, we receive the sanitized app structure, the size of the captured tree, the redaction counts, and a timestamp. We do not collect IP addresses, browser fingerprints, or device identifiers from the extension.
- Authentication logs. Our authentication service logs magic-link login attempts and successful sessions tied to your email address.
We do not use third-party advertising trackers or analytics on the extension or the bubbleaudit.com website.
2. How we use your information
We use your information to:
- Deliver the audit report you requested
- Authenticate you when you return to view your reports
- Send transactional emails (magic link sign-in, audit completion notifications, payment receipts)
- Improve the accuracy of our AI analysis prompts using aggregated, de-identified audit findings
- Comply with legal obligations and respond to lawful requests
We do not sell your personal information. We do not use your audit data to train machine-learning models that are shared or sold to third parties. We do not display advertising in the Service.
3. Third-party services we use
We rely on a small number of third-party providers, each of which processes some of your data on our behalf:
- AI analysis provider — analyzes your sanitized audit data under commercial API terms that prohibit using your data to train public models.
- Managed database provider — hosts our database and handles magic-link authentication.
- Transactional email service — sends magic links, audit completion notifications, and payment receipts on our behalf.
- Payment processor (acting as merchant of record) — handles checkout and collects/remits applicable sales taxes (VAT, GST, US state sales tax).
- Cloud hosting provider — hosts our backend servers.
- Static site hosting and DNS provider — serves bubbleaudit.com and the marketing site.
We review and update our service providers periodically; the current list is available on request to support@bubbleaudit.com.
4. Where your data is stored
Audit content, account data, backend services, and email logs are stored across our service providers’ EU and US regions. Data is transferred internationally as needed to provide the Service. Where required by law, we rely on Standard Contractual Clauses or equivalent safeguards.
5. How long we keep your data
- Audit reports: retained for 12 months from the date of purchase so you can revisit them. After 12 months, audit content is permanently deleted unless you have requested earlier deletion.
- Account email and authentication logs: retained until you delete your account or until 24 months of inactivity have elapsed, whichever comes first.
- Payment records: retained for 7 years as required by applicable tax law and payment-processor record requirements.
6. Your rights
Depending on where you live, you may have the following rights:
- Access — request a copy of the personal data we hold about you
- Correction — request that we correct inaccurate data
- Deletion — request that we delete your account and associated data
- Portability — request your audit reports in machine-readable form
- Objection — object to specific uses of your data
- Withdrawal of consent — at any time
To exercise any of these rights, email support@bubbleaudit.com. We will respond within 30 days.
If you are in the European Union or United Kingdom, you also have the right to lodge a complaint with your local data protection authority.
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what categories of personal information we collect and the right to opt out of sale (we do not sell personal information).
7. Security
We implement reasonable technical and organizational measures to protect your data:
- All data in transit is encrypted via TLS 1.2 or higher
- Database access is restricted by row-level security policies tied to your authenticated email
- API keys for third-party services are stored in environment variables and never exposed in client-side code
- Secret patterns are redacted in your browser before any data is transmitted
No system is perfectly secure. If we become aware of a data breach affecting your information, we will notify you within 72 hours of discovery.
8. Children’s privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact support@bubbleaudit.com.
9. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email to all registered users and posted prominently on bubbleaudit.com at least 14 days before they take effect. Continued use of the Service after changes take effect constitutes acceptance.
10. Contact
For privacy questions, requests, or complaints:
Email: support@bubbleaudit.com
“Bubble” is a trademark of Bubble Group, Inc.