Privacy Policy

Annoture is a visual QA bug capture tool. When this policy refers to "Annoture", "we", "us", or "our", it means Annoture.

We are the data controller for personal data collected through the Annoture website (annoture.com), web application, and Chrome extension.

We collect the following categories of personal data:

• Account data: your name and email address when you register.
• Usage data: bug reports you submit (including screenshots, page URLs, browser, operating system, and viewport metadata captured by the extension).
• Billing data: payment method details and invoice history, processed and stored by Stripe. We do not store full card numbers.
• Technical data: IP address, browser type, device information, and pages visited, collected via cookies and server logs.
• Communications: messages you send us via the contact form.

We use your data to:

• Create and manage your account and team workspace.
• Provide and improve the Annoture service.
• Process payments and send billing communications.
• Send transactional emails (e.g. account verification, password reset).
• Diagnose bugs and monitor service performance via error tracking.
• Analyse aggregate usage trends to improve the product (via analytics).
• Respond to support requests.

We do not sell your personal data to third parties or use it for advertising.

We process your data under the following lawful bases:

• Contract: processing necessary to provide the service you signed up for (account management, bug reports, billing).
• Legitimate interests:service monitoring, fraud prevention, and product improvement — where these don't override your rights.
• Consent: analytics cookies and non-essential tracking. You can withdraw consent at any time via the cookie banner.
• Legal obligation: where we are required to retain records (e.g. financial records for tax purposes).

We share data with trusted third parties only as needed to operate the service:

• Stripe — payment processing. Your card details are handled directly by Stripe and governed by Stripe's Privacy Policy.
• Supabase — database hosting for account and project data (EU/US servers).
• Vercel — hosting for the web application and landing page.
• Render — hosting for the backend API.
• Sentry — error monitoring (collects anonymised error context and stack traces).
• Google Analytics — aggregate usage analytics (only loaded with your consent).

All sub-processors are required to handle your data in accordance with applicable data protection law.

We retain your account and project data for as long as your account is active. If you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it for legal or financial compliance (e.g. invoice records, which we keep for 7 years in line with UK tax law).

Under UK GDPR and applicable data protection law, you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate or incomplete data.
• Request deletion of your data ("right to be forgotten").
• Restrict or object to certain processing.
• Data portability — receive your data in a machine-readable format.
• Withdraw consent for analytics at any time.

To exercise any of these rights, contact us via the contact form on our website. We will respond within 30 days.

We use cookies for authentication, preferences, and (with your consent) analytics. See our Cookie Policy for full details.

We use industry-standard measures to protect your data, including encryption in transit (TLS), hashed passwords (bcrypt), and access controls. No method of transmission over the internet is 100% secure, but we take reasonable precautions to protect your information.

We may update this policy from time to time. We will notify registered users of material changes by email. The "last updated" date at the top of this page always reflects the current version.