Privacy Policy
Last updated: February 25, 2026
Chuggy Labs, Inc., a Delaware corporation ("Company," "we," "us," or "our"), operates the StreamBack platform ("Service"). We are committed to protecting your privacy and processing your personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection legislation.
This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you visit our website, use our console application, or interact with our feedback layer embedded in third-party applications. It applies to all users of our Service, including account holders ("Customers"), their team members, and end users who submit feedback through the StreamBack feedback layer ("End Users").
Where we act as a data controller, we determine the purposes and means of processing your personal data. Where our Customers embed the StreamBack feedback layer on their own websites or applications, the Customer is the data controller for End User data and we act as a data processor on their behalf pursuant to a Data Processing Agreement.
1. Information We Collect
1.1 Account Data
When you register for a StreamBack account, we collect:
- Identity Data: Full name, email address, and organisation name.
- Authentication Data: Password (stored in hashed form), OAuth tokens where you choose to sign in via a third-party identity provider (e.g., Google, GitHub).
- Profile Data: Avatar, role within your organisation, and notification preferences.
1.2 Payment Data
- Billing name, billing address, VAT identification number (where applicable), and payment card details.
- Payment card information is collected and processed directly by our payment processor (Stripe, Inc.). We do not store full credit card numbers on our servers. We retain only a tokenised reference, card brand, last four digits, and expiration date for transaction record purposes.
1.3 Feedback Content
- Text Feedback: Written feedback, comments, and suggestions submitted through the feedback layer.
- Screenshots: When automatic or manual screenshots are enabled, visual captures of the page at the time of feedback submission. Customers may configure sensitive-element masking to exclude personal data from screenshots.
- Metadata: Browser console logs, current URL, element selectors, and other technical context attached to feedback submissions.
1.4 Usage Analytics
- Pages visited within the StreamBack console, features used, actions taken (e.g., creating projects, configuring feedback layers), session duration, and interaction patterns.
- We collect analytics to improve the Service and do not use this data for advertising purposes.
1.5 Device and Technical Information
- Device Information: Browser type and version, operating system, device type, screen resolution, and language settings.
- Network Information: IP address (which may be truncated or anonymised for analytics), access times, referring URLs, and standard server log data.
1.6 Information from Third Parties
We may receive information from third-party services you integrate with StreamBack, such as Linear, Slack, GitHub, Jira, and other project management or communication tools. The data we receive depends on the specific integration, the permissions you grant, and your configuration within those third-party services.
1.7 Communications
When you contact our support team, participate in surveys, or otherwise communicate with us, we collect the content of those communications along with associated metadata (e.g., timestamps, communication channel).
2. How We Use Your Information
We process your personal data for the following purposes:
- Service Delivery: To provide, operate, and maintain the StreamBack platform, including processing feedback submissions and delivering them to the appropriate recipients.
- Account Management: To create and manage your account, authenticate your identity, and manage your subscription and billing.
- Reward Processing: To calculate quality scores and administer credit-based rewards for feedback submissions.
- Service Improvement: To analyse usage patterns and trends, conduct research, and develop new features to improve user experience.
- Communications: To send administrative messages, service updates, security alerts, and support responses. We may also send product announcements, which you can opt out of at any time.
- Security and Fraud Prevention: To detect, prevent, and address technical issues, security threats, fraud, and abuse of the Service.
- Legal Compliance: To comply with applicable laws, regulations, and legal processes, and to enforce our Terms of Service.
- Integration Functionality: To synchronise feedback data with third-party tools you have connected (e.g., creating issues in Linear or Jira from feedback).
3. Legal Basis for Processing (GDPR Article 6)
We process your personal data only where we have a valid legal basis under the GDPR. The legal bases we rely on are:
- Performance of a Contract (Art. 6(1)(b)): Processing necessary to perform our contract with you, including providing the Service, managing your account, processing payments, and delivering feedback data to your configured destinations.
- Legitimate Interests (Art. 6(1)(f)): Processing necessary for our legitimate interests, provided those interests are not overridden by your rights. This includes improving the Service, analytics, security monitoring, fraud prevention, and sending you product updates about features relevant to your subscription. You may object to processing based on legitimate interests at any time.
- Consent (Art. 6(1)(a)): Where you have given explicit consent, such as for optional marketing communications or non-essential cookies. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
- Legal Obligation (Art. 6(1)(c)): Processing necessary to comply with legal obligations to which we are subject, such as tax reporting, accounting requirements, and responding to lawful requests from public authorities.
4. Data Sharing and Disclosure
We do not sell your personal data. We may share your information in the following circumstances:
- Within Your Organisation: Feedback data is shared with members of your team and organisation as configured in your account settings and role-based access controls.
- Third-Party Integrations: When you enable integrations (e.g., Linear, Slack, GitHub, Jira), feedback data is transmitted to those services as necessary to provide the integration functionality you have configured. Each integration is activated only at your explicit direction.
- Service Providers: We engage trusted third-party vendors (sub-processors) who provide infrastructure hosting, analytics, payment processing, email delivery, and customer support services. These providers process data solely on our instructions and are bound by Data Processing Agreements that ensure GDPR-compliant safeguards.
- Legal Requirements: We may disclose your information where required by applicable law, regulation, governmental request, judicial proceeding, court order, or legal process served on us. Where permitted, we will notify you of such disclosure.
- Protection of Rights: We may disclose information where we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, or violations of our Terms of Service.
- Business Transfers: In the event of a merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred as part of that transaction. We will provide notice before your personal data becomes subject to a different privacy policy and, where required by law, seek your consent.
5. Data Retention Periods
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our specific retention periods are:
- Account Data: Retained for the duration of your active account. Upon account deletion, personal data is purged within 30 days, except where longer retention is required by law.
- Feedback Data: Retained according to your subscription plan (7 days for Free tier; configurable retention for Pro and Enterprise tiers) or until manually deleted by you. After your account is closed, feedback data is deleted within 30 days.
- Screenshots: Retained for the same period as the associated feedback data. Screenshots are stored in encrypted form and purged following the same deletion schedule.
- Server Logs: Retained for up to 90 days for security monitoring, incident investigation, and debugging purposes, after which they are automatically purged.
- Payment and Billing Records: Retained for 7 years from the date of the transaction to comply with applicable U.S. federal, state, and local tax, accounting, and financial reporting obligations.
- Analytics Data: Aggregated and anonymised analytics data may be retained indefinitely as it does not constitute personal data.
When data is no longer needed, we securely delete or irreversibly anonymise it in accordance with our data retention and disposal procedures.
6. Your Rights Under the GDPR
If you are located in the European Economic Area (EEA), the United Kingdom, or another jurisdiction with applicable data protection laws, you have the following rights with respect to your personal data:
- Right of Access (Art. 15): You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to request a copy of that data along with information about the processing.
- Right to Rectification (Art. 16): You have the right to request correction of inaccurate personal data and completion of incomplete personal data.
- Right to Erasure (Art. 17): You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent, where you object to processing, or where the data has been unlawfully processed. This right is subject to certain exceptions, such as where retention is required for legal compliance.
- Right to Restriction of Processing (Art. 18): You have the right to request that we restrict the processing of your personal data where you contest its accuracy, where processing is unlawful, where we no longer need the data but you require it for legal claims, or where you have objected to processing pending verification.
- Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g., JSON or CSV) and to transmit that data to another controller without hindrance, where processing is based on consent or contract and carried out by automated means.
- Right to Object (Art. 21): You have the right to object to the processing of your personal data where it is based on legitimate interests or carried out for direct marketing purposes. Where you object to processing for direct marketing, we will cease processing immediately.
- Right Regarding Automated Decision-Making (Art. 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Our quality scoring of feedback is used solely to assist Customers in prioritising submissions and does not produce legal or similarly significant effects on End Users.
- Right to Withdraw Consent: Where we rely on your consent as a legal basis, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
To exercise any of these rights, please contact our Data Protection Officer at privacy@streamback.tech. We will respond to your request without undue delay and in any event within one month of receipt. This period may be extended by two further months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receipt of the request. We may ask you to verify your identity before processing your request.
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement. U.S.-based users may also contact applicable state or federal consumer protection or privacy regulators. See Section 15 for additional details.
7. Cookies and Tracking Technologies
We use cookies and similar technologies on the StreamBack console application. Our use of cookies is governed by applicable U.S. federal and state privacy, consumer protection, and electronic communications laws.
7.1 Types of Cookies We Use
- Strictly Necessary Cookies: Required for the Service to function (e.g., session authentication, CSRF protection, load balancing). These cookies do not require consent under the ePrivacy Directive and cannot be disabled.
- Functional Cookies: Remember your preferences and settings (e.g., theme, language, dashboard layout) to provide a personalised experience.
- Analytics Cookies: Help us understand how visitors interact with the Service so we can measure performance and improve functionality. We use privacy-focused analytics that do not track users across sites.
7.2 Cookie Management
Non-essential cookies are only placed after you have given your consent via our cookie banner. You can manage your cookie preferences at any time through the cookie settings in the application footer or through your browser settings. Please note that disabling certain cookies may affect the functionality of the Service.
7.3 Feedback Layer Storage
The StreamBack SDK does not set cookies on End Users' browsers. The feedback layer uses sessionStorage for transient state and does not persist any tracking data on the End User's device.
8. End User Data
An important distinction exists between data we collect as a data controller (from our Customers directly) and data we process as a data processor (End User data collected via the feedback layer on our Customers' behalf).
8.1 Our Role as Data Processor
When End Users submit feedback through the StreamBack feedback layer embedded on a Customer's website or application, the Customer is the data controller and we act as a data processor. We process End User data strictly in accordance with the Customer's instructions and our Data Processing Agreement (DPA).
8.2 Data Collected via the Feedback Layer
The StreamBack feedback layer may collect the following End User data, depending on the Customer's configuration:
- Feedback text and any ratings provided by the End User.
- Screenshots of the page (if enabled by the Customer), which may contain visible personal data. Customers can configure element masking to redact sensitive content.
- Technical metadata: browser type and version, operating system, screen resolution, current page URL, and console logs (if enabled).
- IP address of the End User (which may be used to derive approximate geolocation at the country level).
- Any identifying information the Customer passes to the feedback layer via their implementation (e.g., user ID, email address, or custom attributes).
8.3 Customer Responsibilities
Customers who embed the StreamBack feedback layer are responsible for: (a) providing appropriate notice to their End Users about the data collection that occurs via the feedback layer; (b) obtaining any required consents; (c) ensuring their use of the feedback layer complies with applicable data protection laws; and (d) responding to End User rights requests. We will assist Customers in fulfilling these obligations as described in our DPA.
9. Sub-Processors
We engage the following categories of sub-processors to deliver the Service. Each sub-processor is bound by a Data Processing Agreement and processes data only as necessary to provide their specific service:
| Category | Purpose | Location |
|---|---|---|
| Cloud Infrastructure | Hosting, compute, and data storage | EU / EEA |
| Payment Processing | Subscription billing and payment handling | USA (SCCs in place) |
| Email Delivery | Transactional and notification emails | EU / USA (SCCs in place) |
| Analytics | Privacy-focused usage analytics | EU / EEA |
| Error Monitoring | Application error tracking and debugging | EU / USA (SCCs in place) |
| Customer Support | Help desk and support ticket management | EU / EEA |
A detailed list of our current sub-processors, including specific entity names, is available upon request by contacting privacy@streamback.tech. We will notify Customers of any intended changes to our sub-processor list at least 30 days in advance, providing an opportunity to object.
10. International Data Transfers
Chuggy Labs, Inc. is based in the United States. We may store and process data in the United States and other jurisdictions where we or our service providers operate.
Where we transfer personal data from the EU/EEA, the United Kingdom, or Switzerland to the United States or another jurisdiction, we ensure that adequate safeguards are in place in accordance with Chapter V of the GDPR and other applicable data protection laws. The transfer mechanisms we rely on include:
- Adequacy Decisions (Art. 45): Where the European Commission has determined that the recipient country provides an adequate level of data protection.
- Standard Contractual Clauses (Art. 46(2)(c)): We execute the European Commission's Standard Contractual Clauses (SCCs) with sub-processors located in countries without an adequacy decision, supplemented by additional technical and organisational measures where the Transfer Impact Assessment indicates they are necessary.
- EU-U.S. Data Privacy Framework: Where applicable, transfers to certified U.S. entities may rely on the EU-U.S. Data Privacy Framework.
You may request a copy of the relevant transfer safeguards by contacting us at privacy@streamback.tech.
11. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction, in accordance with Article 32 of the GDPR. Our security measures include:
- Encryption: All data in transit is protected using TLS 1.2 or higher. Data at rest is encrypted using AES-256 or equivalent algorithms.
- Access Controls: Role-based access controls that apply the principle of least privilege. Multi-factor authentication is enforced for all internal systems.
- Infrastructure Security: Production environments are isolated in Virtual Private Clouds with network-level firewalls, intrusion detection, and continuous monitoring.
- Regular Assessments: Periodic security audits, penetration testing, and vulnerability assessments are conducted to identify and remediate risks.
- Incident Response: We maintain a documented incident response plan. In the event of a personal data breach, we will notify the competent supervisory authority within 72 hours (where required under Article 33 of the GDPR) and affected data subjects without undue delay (where required under Article 34).
- Employee Security: All team members undergo security awareness training. Access to personal data is limited to personnel who require it for their role.
While we strive to protect your personal data using commercially reasonable measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but commit to promptly addressing and remediating any security incidents.
12. Children's Privacy
The StreamBack platform is a business-to-business service and is not directed at children. We do not knowingly collect personal data from children under the age of 16 (or the applicable age of digital consent in the relevant jurisdiction). If we become aware that we have inadvertently collected personal data from a child under this age without valid parental or guardian consent, we will take prompt steps to delete such data. If you believe we may have collected information from a child, please contact us immediately at privacy@streamback.tech.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or the Service. When we make changes, we will update the "Last updated" date at the top of this page. For material changes that significantly affect how we process your personal data, we will provide prominent notice (such as an in-app notification or email to the address associated with your account) at least 30 days before the changes take effect. We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of changes constitutes acceptance of the updated Privacy Policy.
14. Data Protection Officer
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and ensuring compliance with the GDPR. You may contact our DPO for any questions or concerns regarding our processing of your personal data, or to exercise your data protection rights.
15. Regulatory Contacts and Complaints
Chuggy Labs, Inc. is a Delaware corporation operating in the United States, where there is no single omnibus privacy supervisory authority equivalent to an EU data protection authority.
If you are located in the EU/EEA, the United Kingdom, or Switzerland, you may lodge a complaint with the supervisory authority in your place of habitual residence, work, or the location of the alleged infringement. If you are located in the United States, you may also contact your state attorney general, state privacy regulator, or other applicable consumer protection authority.
16. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us using the details below:
Chuggy Labs, Inc.
Delaware, United States
General Inquiries: legal@streamback.tech
Data Protection Officer: privacy@streamback.tech
We aim to respond to all legitimate inquiries within a reasonable timeframe and no later than one month from receipt, in accordance with the GDPR.