Effective: March 12, 2026
Privacy Policy
Effective Date: March 12, 2026
Last Updated: March 12, 2026
Daniel Feinberg, doing business as QA Mode ("we," "us," "our"), operates the QA Mode browser extension and related services at qamode.io. This Privacy Policy explains what data we collect, how we use it, and your rights.
1. What We Collect
We collect data only when you actively use QA Mode to report bugs. No data is stored or transmitted without your explicit action (pressing a hotkey, clicking a button, or submitting a report). Network request metadata may be buffered temporarily in memory to provide debugging context when you capture a report, but is never persisted or sent unless you submit.
1.1 Account Data
| Data | Source | Purpose |
|---|---|---|
| Email address | Account sign-up | Account creation, communication |
| User ID | Auto-generated UUID | Identify your account |
| Authentication tokens | OAuth flows with your connected integrations | Connect your issue trackers. Encrypted and stored server-side. |
1.2 Report Data (Collected Per Submission)
When you capture a report, we collect:
| Data | What's Included | Trigger |
|---|---|---|
| Screenshot | Image of your browser viewport or full page. Sensitive form fields (passwords, credit cards, SSNs, and elements marked as sensitive) are automatically redacted before capture. | You press the capture hotkey or submit a report |
| Console errors | Recent error/warning messages from the browser console | Buffered while QA Mode is active; snapshot taken at submission |
| Network requests | HTTP metadata (URLs, methods, status codes, headers, timing) and truncated request/response bodies | Same as console errors |
| Voice recording | Audio captured from your microphone | You press the record button or hotkey |
| Transcription | Text output from speech-to-text processing | Derived from your voice recording |
| Page metadata | Browser environment (URL, page title, browser, OS, viewport, locale) | Captured at submission time |
| Element selections | Position, element type, and a snippet of text content | You click elements on the page |
| Your description | Text you type or dictate describing the issue | You enter it manually |
| AI-structured content | Title, steps to reproduce, current/expected behavior | Generated by AI from your input |
| Hosted report | Report title, body, screenshot, and page context stored server-side, viewable via a unique link | Created when you submit a report |
1.3 Usage Data
| Data | Purpose |
|---|---|
| Monthly submission count | Enforce usage limits |
| Account activation status | Track whether QA Mode is currently active |
1.4 What We Do NOT Collect
- We do not collect browsing history
- We do not track which websites you visit
- No data is stored or transmitted when QA Mode is inactive
- We do not read page content beyond what you explicitly select
- We do not collect financial or health information
- We do not use cookies on third-party websites (only authentication cookies on our own domains)
- We auto-redact sensitive form fields (passwords, credit cards, SSNs, and elements marked as sensitive) on every screenshot capture. You can also enable sensitive mode for manual redaction of additional content before submission.
2. How We Use Your Data
2.1 Core Service
| Use | Data Involved |
|---|---|
| Generate and structure reports | Report data (as described in Section 1), processed via AI and transcription providers |
| Create issues | Structured report, posted to your connected issue tracker |
| Host reports | Report data, viewable at a unique link |
| Enforce usage limits | Account data and submission counts |
2.2 Authentication
We use a third-party authentication provider that sets cookies on our subdomains to maintain your session. These cookies are first-party to our domains and are not used for tracking.
2.3 What We Do NOT Do
- We do not sell your data to anyone
- We do not use your data for advertising
- We do not share your data with data brokers
- We do not use your data to train AI models
- We do not profile you for marketing purposes
3. Data Processor / Data Controller
You (or your organization) are the Data Controller. You decide what pages to test, what bugs to report, and where to send them.
We are the Data Processor. We process your data solely to provide the QA Mode service — structuring your input, generating screenshots, and creating issues on your behalf.
We process data only on your instructions (pressing capture, clicking submit) and do not make independent decisions about your data.
4. Third-Party Services (Sub-Processors)
We share your data with the following third-party services, solely to provide QA Mode functionality:
| Service | Data Shared | Purpose | Location |
|---|---|---|---|
| Clerk | Email, user ID, session tokens | Authentication | US |
| Google Cloud (Gemini) | Report data (as described in Section 1) | AI report structuring | US |
| Deepgram | Voice recording | Speech-to-text transcription | US |
| Cloudflare | Screenshot image | Screenshot hosting for issue attachments | Global |
| Supabase | Account data, usage counts, OAuth tokens, and report data | Usage tracking, token storage, report hosting | US |
| GitHub | Issue title, body, labels | Issue creation on your account | US |
| Atlassian (Jira) | Issue summary, description | Issue creation on your instance | US/EU |
| Linear | Issue title, description | Issue creation on your workspace | US |
| Trello | Card name, description | Card creation on your board | US |
We rely on standard terms of service and data processing commitments of each sub-processor. Where no standalone DPA exists, we rely on data processing terms within their standard ToS.
Important: Issues are created on your account using your access token. We also store report data server-side for the hosted report feature (see Section 1.2). Your issue tracker content is additionally governed by their privacy policies.
AI Data Processing
- Google Gemini: Your screenshot and context are sent to Google's AI API. Google's terms prohibit using customer data for model training. We do not opt in to any data sharing or improvement programs.
- Deepgram: Your audio is sent for transcription. Per Deepgram's terms, audio is not stored or used for training.
5. Data Storage and Retention
5.1 Where Data Is Stored
| Data | Location | Encryption |
|---|---|---|
| Reports and screenshots | Cloud database and storage (US) | Encrypted at rest |
| OAuth tokens | Cloud database (US) | Encrypted at rest |
| User settings | Your browser's synced extension storage | Encrypted by your browser account |
| Usage counts | Cloud database (US) | Encrypted at rest |
| Authentication | Authentication provider (US) | Encrypted at rest |
5.2 Retention Periods
| Data | Retention |
|---|---|
| Reports and screenshots | Until you delete the report or delete your account |
| Usage counts | Retained while your account is active. Deleted on account deletion. |
| OAuth tokens | Until you disconnect the integration, the token expires, or it is auto-deleted on a failed refresh. Deleted on account deletion. |
| Account data | Until you delete your account |
5.3 Account Deletion
When you delete your QA Mode account:
- All server-side data is deleted immediately: screenshots, hosted reports, OAuth tokens, and usage records
- Deletion can be triggered via your account settings
- Local extension data remains on your device until you uninstall the extension or clear storage
6. Data About Third Parties ("Clients")
When you use QA Mode to test a website, the screenshots and page data you capture may contain information about other people visible on that page ("Clients" — e.g., customers, end-users of the site you're testing).
Your responsibilities as Data Controller:
- Ensure you have the right to capture screenshots of pages containing other people's data
- Comply with your organization's data handling policies
- Use QA Mode's auto-redaction and manual redaction tools to obscure sensitive information in screenshots before submission
- Do not use QA Mode to capture sensitive personal data (health records, financial data, government IDs) of third parties without appropriate authorization
Note: Auto-redaction reduces but does not eliminate PII risk in screenshots. Console errors and network request data are not redacted. Review all captured data before submission.
Our responsibilities as Data Processor:
- We process this data only to provide the Service
- We do not independently access, analyze, or use third-party data visible in your screenshots
- We do not attempt to identify individuals in screenshots
7. Your Rights
7.1 All Users
You can:
- Access your data by viewing your reports at qamode.io
- Delete individual reports from your reports dashboard
- Disconnect integrations and revoke OAuth tokens in extension settings
- Delete your account through your account settings
7.2 EU/EEA/UK Users (GDPR)
Under the General Data Protection Regulation, you have the right to:
- Access — request a copy of all personal data we hold about you
- Rectification — request correction of inaccurate data
- Erasure — request deletion of your personal data ("right to be forgotten")
- Restriction — request we limit processing of your data
- Portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interests
- Withdraw consent — withdraw consent at any time by revoking microphone permission in your browser settings or choosing text input instead of voice (without affecting prior processing)
- Lodge a complaint with your local data protection authority
Legal bases for processing:
- Contract performance — processing necessary to provide the QA Mode service (Art. 6(1)(b))
- Consent — microphone access for voice recording (Art. 6(1)(a))
- Legitimate interest — usage tracking to prevent abuse (Art. 6(1)(f))
International transfers: Data is transferred to the US for processing by our sub-processors. We rely on Standard Contractual Clauses (SCCs) as approved by the European Commission (2021) to safeguard these transfers.
Contact our data protection representative at danny@qamode.io.
7.3 California Users (CCPA/CPRA)
Under the California Consumer Privacy Act, you have the right to:
- Know what personal information we collect, use, and disclose
- Delete your personal information
- Opt out of sale — we do not sell your personal information
- Non-discrimination — we will not discriminate against you for exercising your rights
Categories of personal information collected (per CCPA categories):
- Identifiers (email, user ID)
- Internet activity (page URLs, console errors, network requests captured during reporting)
- Audio information (voice recordings for transcription)
- Geolocation (timezone, inferred from browser)
We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
To exercise your rights, contact danny@qamode.io.
7.4 Other US State Laws
We comply with applicable state privacy laws including the Virginia CDPA, Colorado CPA, Connecticut CDPA, and Utah UCPA. Residents of these states have rights similar to those described for California users above. Contact danny@qamode.io to exercise your rights.
8. Cookies and Tracking
What We Use
| Cookie/Storage | Domain | Purpose |
|---|---|---|
| Authentication cookies | QA Mode subdomains | Maintain your sign-in session |
| Local extension storage | Extension sandbox | Store extension state |
| Synced extension storage | Extension sandbox | Sync settings across devices |
What We Do NOT Use
- No analytics cookies
- No advertising cookies
- No tracking pixels
- No fingerprinting
- The extension does not set any cookies on websites you visit
9. Children's Privacy
QA Mode is a professional software testing tool. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected data from a child under 16, contact us at danny@qamode.io and we will promptly delete it.
10. Security
We protect your data with:
- Encryption in transit for all communications
- Encryption at rest for OAuth tokens stored server-side
- Auto PII redaction of sensitive form fields in screenshots
- Authentication on all API endpoints
- Sandboxed local storage for data on your device
- Rate limiting to prevent abuse
Breach notification: In the event of a data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach and affected users without undue delay where required by law.
For security concerns, contact danny@qamode.io.
11. Changes to This Policy
We will notify you of material changes to this policy by:
- Posting an updated version at qamode.io/privacy with the new effective date
- Notifying you via email (for material changes) at least 30 days before the changes take effect
Your continued use of QA Mode after the effective date constitutes acceptance of the updated policy.
12. Contact Us
QA Mode
Email: danny@qamode.io
Website: https://qamode.io
For GDPR inquiries, include "GDPR Request" in your subject line.
For CCPA inquiries, include "CCPA Request" in your subject line.
13. Google API Limited Use Disclosure
QA Mode's use of information received from Google APIs adheres to the Chrome Web Store Limited Use Policy. Specifically:
- We only use data for the stated single purpose of feedback and bug reporting
- We do not transfer data to third parties except as necessary to provide the service
- We do not use data for advertising or to determine creditworthiness
- We do not allow humans to read user data unless the user provides affirmative consent, it is necessary for security purposes, or it is required by law