Effective date: 1 May 2025 · Version 1.1
EuroBug is built privacy-first. This policy explains precisely what data we collect, why, how it is protected, and what rights you have. We have written it to be transparent and readable, not to obscure our practices.
EuroBug B.V. ("EuroBug", "we", "us") acts as Data Controller for:
For error event data submitted by the EuroBug tracker script on behalf of our customers, EuroBug acts as a Data Processor. The customer (the business that installed the tracker on their website) is the Data Controller for that data. Our processing is governed by the Data Processing Agreement (DPA) and the customer's instructions.
For any privacy-related enquiry or to exercise your rights, contact us at hello@eurobug.eu. We aim to respond within 5 business days.
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Authentication (magic-link login), account management, billing invoices, service notifications | Performance of contract (Art. 6(1)(b)) |
| Name | Dashboard display, team member identification | Performance of contract (Art. 6(1)(b)) |
| Session token | Maintaining authenticated sessions in the dashboard (stored in HTTP-only cookie) | Legitimate interest (Art. 6(1)(f)) |
| Billing information | Payment processing via Mollie — name and email passed to Mollie; payment card details processed by Mollie directly | Performance of contract (Art. 6(1)(b)) |
| IP address (login events) | Security audit log — hashed with SHA-256 + daily rotating salt | Legitimate interest: fraud prevention and security (Art. 6(1)(f)) |
When a JavaScript error occurs on an end-user's browser on a customer's website, the EuroBug tracker may collect the following data elements. All data is subject to automatic scrubbing before reaching our servers (see Section 3).
| Data Element | Collected By Default? | Notes |
|---|---|---|
| Error message | Yes | Scrubbed for PII before storage |
| Stack trace | Yes | Scrubbed; query params stripped; max 5,000 chars |
| Page URL | Yes | Query string fully stripped before storage |
| Browser name & version | Yes | Derived from User-Agent string; full UA not stored |
| Operating system | Yes | Derived from User-Agent string |
| IP address | Yes — but never stored raw | Hashed with SHA-256 + daily rotating salt on receipt; irreversible |
| Release identifier | Only if configured | Value of data-release attribute; e.g., "1.0.0" or a git hash |
| Environment | Only if configured | Value of data-environment attribute; e.g., "production" |
| User ID | Only if configured | Requires explicit data-user-id attribute |
| User email | Only if double-opted in | Requires sendUserEmail: true in ebConfig; not collected otherwise |
| Custom tags | Only if configured | Key-value pairs from window.ebConfig.tags; max 10 keys |
| Breadcrumbs | Enhanced tracker only | Clicks (selector only, no text), navigation paths, console errors, failed fetch URLs — scrubbed |
We do not use analytics tracking tools on our marketing website. We do not load Google Analytics, Google Fonts, or any third-party tracking scripts. We may review server-side access logs (retained for 30 days) for security and operational purposes.
EuroBug applies PII scrubbing at two independent layers before any data reaches our databases:
Layer 1 — Client-Side (tracker script, before transmission):
| Pattern | Replaced With |
|---|---|
| Email addresses | [EMAIL_REMOVED] |
| IBAN numbers (EU format) | [IBAN_REMOVED] |
| JWT tokens (eyJ… format) | [TOKEN_REMOVED] |
| Credit/debit card numbers (4×4 digit groups) | [CARD_REMOVED] |
| Bearer token headers | Bearer [TOKEN_REMOVED] |
| Password/secret/token query parameters | [REDACTED] |
Layer 2 — Server-Side (ingest endpoint, authoritative):
Applies all Layer 1 patterns, plus:
| Pattern | Replaced With |
|---|---|
| IPv4 addresses | [IP_REMOVED] |
| IPv6 addresses | [IP_REMOVED] |
| Dutch BSN (validated via 11-proef checksum) | [BSN_REMOVED] |
| URL query strings | Fully stripped — only the path is stored |
Limitation: Scrubbing is best-effort and pattern-based. It cannot guarantee complete removal of all possible personal data from all error payloads. Customers must not rely on scrubbing as their primary data protection measure and must not send prohibited data categories.
The requesting IP address is never stored in plain text. On receipt, our ingest server applies: SHA-256(ip + ":" + YYYY-MM-DD) and stores only the first 16 hexadecimal characters of the result. The salt rotates daily at UTC midnight, making the hash irreversible and preventing cross-day linkability.
The EuroBug tracker script does not set any cookies on the end-users of our customers' websites. It does not use localStorage, sessionStorage, or any other persistent client-side storage. It does not fingerprint users or track behaviour across sessions or pages beyond the single error event being reported.
The EuroBug dashboard (eurobug.eu/dashboard) uses only strictly necessary cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| next-auth.session-token | Authenticated dashboard session (HTTP-only, Secure) | 30 days (rolling) |
| eurobug_active_project | Remembers the last-selected project | Session / 30 days |
| eurobug_active_org | Remembers the last-selected organisation | Session / 30 days |
No analytics, advertising, or third-party cookies are set by EuroBug.
All error event data and account data is stored and processed on infrastructure exclusively located in the European Economic Area (EEA). We use the following sub-processors:
| Provider | Country | Data Processed | Basis |
|---|---|---|---|
| Scaleway SAS | France 🇫🇷 | All error events, account data, audit logs, source maps, email delivery | Primary infrastructure — DPA in place |
| Mollie B.V. | Netherlands 🇳🇱 | Payment data, billing contact — no error data | DPA in place |
| Slack Technologies | United States 🇺🇸 | Project name + dashboard URL only. No error data, no end-user personal data. | Opt-in only. Customer must explicitly enable. Customer responsible for transfer basis. |
| Microsoft Corporation | United States 🇺🇸 | Project name + dashboard URL only. No error data, no end-user personal data. | Opt-in only. Customer must explicitly enable. Customer responsible for transfer basis. |
We will notify customers at least 30 days in advance before adding or replacing a sub-processor. See the DPA for full details.
| Data Category | Retention Period | Notes |
|---|---|---|
| Error events — Developer plan | 7 days | Enforced by automated daily cron job |
| Error events — Startup plan | 90 days | Enforced by automated daily cron job |
| Error events — Agency plan | 365 days | Enforced by automated daily cron job |
| Account & billing data | Duration of contract + 7 years | Statutory retention under Dutch accounting law (Boek 2 BW) |
| Audit logs | 12 months from event date | Security and compliance |
| Server access logs | 30 days | Operations and security |
| Backups | Consistent with Scaleway managed database retention | Point-in-time recovery |
Downgrading your plan will cause the lower plan's retention period to be applied to all existing data at the next scheduled retention run. Data exceeding the new limit will be permanently deleted.
If EuroBug acts as Controller for your data (i.e., you are a registered dashboard user), you have the following rights under the GDPR. These rights apply to account and billing data held by EuroBug. For rights relating to error event data, please contact the business (our customer) that operates the website on which the tracker is installed, as they are the Data Controller for that data.
Right of Access (Art. 15)
Request a copy of the personal data we hold about you.
Right to Rectification (Art. 16)
Request correction of inaccurate or incomplete data. You can update your name and email directly in account settings.
Right to Erasure (Art. 17)
Request deletion of your account and associated data. Use Project Settings → Danger Zone to delete project data, or email hello@eurobug.eu for full account deletion. We will action erasure requests within 30 days.
Right to Data Portability (Art. 20)
Export your error event data via the dashboard (Settings → Export). Machine-readable JSON format.
Right to Restriction (Art. 18)
Request that we restrict processing of your data in certain circumstances (e.g., while a dispute is resolved).
Right to Object (Art. 21)
Object to processing based on legitimate interest. We will cease processing unless we can demonstrate compelling legitimate grounds.
To exercise any of these rights, contact hello@eurobug.eu. We respond within 30 days (or 5 business days for urgent requests).
If you believe we have not handled your personal data lawfully, you have the right to lodge a complaint with the Dutch supervisory authority:
Autoriteit Persoonsgegevens
Bezuidenhoutseweg 30, 2594 AV Den Haag, Netherlands
Dashboard users can export all error events for a project at any time via Project Settings. The export is provided in JSON format and includes all stored event fields (scrubbed, as stored). There is no charge for self-service exports.
Project owners can permanently delete a project and all associated error events, source maps, and configurations via Project Settings → Danger Zone → Delete Project. Deletion is immediate and irreversible. Audit log entries associated with the project are retained for 12 months per our retention policy.
To delete your entire EuroBug account and all associated organisations and projects, email hello@eurobug.eu from the registered email address. We will complete the deletion within 30 days and confirm by email.
We implement appropriate technical and organisational measures, including:
To report a security vulnerability, please email hello@eurobug.eu. We will acknowledge within 2 business days.
We may update this Privacy Policy to reflect changes in our practices, technology, or law. We will notify registered customers by email at least 30 days before any material change takes effect. The "Effective date" at the top of this page indicates when the current version was published. Continued use of the Service after the effective date of a change constitutes acceptance of the updated policy.
EuroBug B.V.
Email: hello@eurobug.eu
We aim to respond to all privacy enquiries within 5 business days.