Privacy Policy on the Processing of Personal Data by Cloud Automation Solutions EOOD
1. Introduction
This Privacy Policy ("Policy") explains how Cloud Automation Solutions EOOD ("we", "our", or "us"), operating the Bugzy AI platform, collects, uses, discloses, and safeguards personal data in connection with the provision of our services.
This Policy applies to the processing of personal data when you:
- Visit or register on our website and platform at https://bugzy.ai
- Use our AI-powered QA testing services
- Interact with our company (e.g., support requests, communications)
This Policy does not apply to third-party websites, platforms, or services that are not owned or controlled by us, even if they are accessible through links on our Platform or integrated with our Service. We encourage you to review the privacy policies of any third-party services you access.
The purpose of this Policy is to inform you — as a data subject — about what personal data we collect, for what purposes we process it, on what legal bases, how long we retain it, with whom we share it, and how you can exercise your rights.
This Policy complies with the EU General Data Protection Regulation (GDPR), the Bulgarian Personal Data Protection Act (PDPA), and other applicable data protection laws.
2. Who Are We
Cloud Automation Solutions EOOD is the data controller responsible for the processing of your personal data as described in this Policy.
Company: Cloud Automation Solutions EOOD Registration Number (EIK): 203094836 Registered Address: Bulgaria, Sofia, 1797, 131-VA str. 1B Website: https://bugzy.ai
Data Protection Contact Person: Milko Slavov Email: privacy@bugzy.ai
If you have any questions regarding the processing of your personal data or wish to exercise your rights, please contact our Data Protection Contact Person at the email address above.
By registering an account and/or using any of our services, you acknowledge that you have read and understood this Privacy Policy.
We encourage you to contact us directly at privacy@bugzy.ai if you have concerns about our data practices before contacting regulatory authorities.
3. Personal Data We Collect and How We Use It
Personal data means any information that describes and can be linked to a specific identifiable individual. We collect and process personal data for the purpose of providing, maintaining, and improving our Service.
3.1 Roles of the Parties
- When we act as data controller: For Account data (registration, billing, usage data), we determine the purposes and means of processing and act as the data controller.
- When we act as data processor: For data from the Customer's systems (documentation, issue trackers, communication systems) that we access to generate test plans, the Customer remains the data controller and we act as the data processor, processing data solely on the Customer's instructions. This relationship is governed by our Data Processing Agreement.
3.2 Account Information
- Email Address: Professional email address for account creation and communication
- Name: Name for personalization (if provided)
- Company Information: Company name and business identification data
- Authentication Data: Encrypted passwords or OAuth tokens for secure access
3.3 Access to Customer Systems (Read-Only)
When the Customer authorizes Bugzy AI to connect with development tools, we gain read-only access to:
- Documentation systems: Product documentation, API docs, README files
- Issue tracking systems: Bug reports, feature requests, user stories
- Communication systems: Team discussions, support tickets, feedback
- Code repositories: Repository structure, commit history (for context)
Important: We read this data to understand the Customer's product and generate test plans, but we do not permanently store raw content from these systems. We only store the generated test plans and test cases.
3.4 Test Execution Data
- Test Results: Pass/fail status, execution logs, error messages
- Screenshots: Visual captures during test execution
- Video Recordings: Screen recordings of test runs (when enabled)
- Performance Metrics: Load times, response times, resource usage
3.5 AI-Generated Content
- Test Plans: AI-generated testing strategies
- Test Cases: Automated test scenarios
- Bug Reports: Issues identified during testing
In accordance with the EU AI Act, we inform you that Bugzy AI uses artificial intelligence models (specifically Anthropic's Claude API) to analyze product documentation and generate test scenarios. The results produced by the Service are subject to review by a qualified human (developer or QA engineer) and do not represent final automated decisions with legal consequences without human intervention.
3.6 Usage and Technical Data
- Usage Analytics: Features used, frequency of use (collected only with consent)
- Technical Information: IP address, browser type, device information
- Integration Credentials: Encrypted API keys for third-party integrations
3.7 Data Voluntarily Provided
Personal data that you voluntarily provide when using our services, such as information included in support requests, communications with our team, or content uploaded to the Platform.
4. Methods of Data Collection
We collect personal data through the following methods:
- Directly from you: When you register an account, configure the Service, submit support requests, or otherwise communicate with us.
- Through third-party integrations: When you authorize Bugzy AI to connect with your development and communication tools (GitHub, Slack, Jira, etc.), we receive data through API interfaces as configured by you.
- Automatically: Technical data (IP address, browser type, device information) collected automatically when you access the Platform. Analytics data collected with your explicit consent via cookies.
5. Purposes of Data Processing
We process your personal data for the following purposes:
5.1 Service Delivery
- Account creation and management
- Reading Customer documentation and systems to generate AI-powered test plans
- Executing automated tests on Customer applications
- Delivering test results, screenshots, videos, and bug reports
- Managing integrations with third-party development tools
5.2 Communication
- Informing you about new features, improvements, and service updates
- Alerting you to test failures, bugs found, or system issues
- Responding to your questions and providing support
5.3 Service Improvement
- Understanding how you use our platform to improve it (only with your consent)
- Using anonymized, non-personalized data for monitoring and improving system reliability and cybersecurity — a requirement for trustworthy AI
5.4 Security and Legal Compliance
- Detecting and preventing fraud, abuse, and security threats
- Meeting our obligations under Bulgarian and EU law
- Maintaining records as required by applicable legislation
We do not: Sell your data to third parties, use your data for unrelated marketing, or share your confidential business information.
6. Legal Bases for Processing
Under GDPR Article 6, we process your personal data based on the following legal grounds:
- Performance of a contract (Art. 6(1)(b)): Processing necessary for the performance of our agreement with you or to take steps at your request prior to entering into a contract (e.g., account registration, service delivery, integration management).
- Pre-contractual measures (Art. 6(1)(b)): Processing necessary to take steps at your request before entering into a contract (e.g., account setup, trial period).
- Legitimate interest (Art. 6(1)(f)): Processing necessary for our legitimate interests, provided these are not overridden by your rights (e.g., security monitoring, service communications, fraud prevention).
- Legal obligation (Art. 6(1)(c)): Processing necessary to comply with legal obligations to which we are subject (e.g., retention of financial records under Bulgarian tax law, responding to lawful government requests).
- Consent (Art. 6(1)(a)): Processing based on your explicit consent, which you may withdraw at any time (e.g., analytics cookies, marketing communications if applicable).
7. Data Retention
We retain your personal data only as long as necessary to fulfill the purposes described in this Policy and to meet our legal obligations. All retention periods run from the date of collection of the personal data, unless otherwise specified below:
| Data Type | Retention Period | Reason |
|---|---|---|
| Active Account Data | Duration of service use | Service provision |
| Deleted Account Data | 30 days from account deletion | Recovery period |
| Backup Data | Maximum 90 days | Disaster recovery |
| Test Results | 1 year (configurable per project) | Historical analysis |
| Execution Logs | 90 days | Debugging and support |
| Security Logs | 1 year | Security auditing |
| Financial Records | 5 years | Bulgarian tax law |
| Analytics (Anonymized) | 2 years | Service improvement |
Account Deletion: When you delete your account, we immediately mark it for deletion and stop all active processing. Your data is permanently deleted after 30 days from the date of account deletion, except for data we are legally required to retain (e.g., financial records for five (5) years under Bulgarian tax law).
Right to Deletion: You can request deletion of your data at any time by contacting privacy@bugzy.ai. We will process deletion requests within 30 days.
In the event of a documented security breach involving personal data, we will notify the Bulgarian CPDP and affected data subjects as quickly as possible, in accordance with GDPR requirements.
8. AI and Data Minimization
8.1 AI Processing
Bugzy AI uses artificial intelligence models provided by Anthropic (Claude API) for analyzing documentation and generating test scenarios. Data sent to the AI provider is minimized to the volume strictly necessary for test generation purposes.
8.2 No Model Training
Customer data is not used for training third-party AI models. Anthropic's commercial terms prohibit the use of customer data for model training, and we enforce this contractually.
8.3 Automated Decision-Making
The Service does not make automated decisions with legal or similarly significant effects on individuals. All AI-Generated Content is intended to assist human decision-making and must be reviewed by a qualified person before being acted upon. Data subjects retain all rights under GDPR, including the right to human intervention.
9. Data Sharing and Sub-Processors
9.1 We Do Not Sell Your Data
We do not sell, rent, or trade your personal information to third parties for marketing or any other purposes.
9.2 Sharing for Service Provision
We may share minimal personal data with:
- Sub-processors engaged to help us provide the Service (see Section 9.3)
- Payment providers (banks, payment institutions, electronic money institutions) as necessary for processing payments
- Companies or organizations with your explicit consent, where you have authorized sharing
9.3 Sub-Processors
We use carefully selected sub-processors, all bound by Data Processing Agreements with obligations no less protective than those in our DPA:
| Provider | Purpose | Location | GDPR Compliance |
|---|---|---|---|
| Vercel Inc. | Web hosting, edge computing | EU Region | EU infrastructure, DPA |
| Supabase Inc. | Database, authentication | EU Region | EU infrastructure, DPA |
| Google Cloud Platform | File storage, compute infrastructure | EU Region | EU infrastructure, DPA |
| PostHog Inc. | Product analytics | EU Region | EU infrastructure, DPA |
| Anthropic PBC | AI processing (Claude API for test generation) | US (with EU DPA, SCCs) | DPA, Standard Contractual Clauses |
| Stripe Inc. | Payment processing, billing | US (with EU DPA, SCCs) | DPA, Standard Contractual Clauses, PCI DSS |
We maintain a complete list of our sub-processors and will notify Customers of any intended changes at least thirty (30) days in advance. For the full sub-processor list and change notification process, see our Data Processing Agreement.
9.4 Legal Disclosures
We may disclose your information when required by law:
- To comply with court orders, subpoenas, or legal processes
- To enforce our Terms of Service or protect our rights and property
- To protect the personal safety of users or the public
- To detect, prevent, or address fraud and security issues
We will notify you of legal requests unless prohibited by law.
9.5 Business Transfers
If Cloud Automation Solutions EOOD is involved in a merger, acquisition, or asset sale, your personal data may be transferred. We will provide notice and ensure the new entity is bound by this Privacy Policy.
10. Data Storage and Security
10.1 Data Location
Your data is primarily stored within the European Union:
- Vercel (EU Region): Web hosting and edge computing
- Supabase (EU Region): Database and authentication
- Google Cloud Platform (EU): File storage and compute infrastructure
- PostHog (EU Region): Product analytics
For AI-powered test generation, limited data may be processed by Anthropic (Claude API) in the United States under appropriate safeguards including Standard Contractual Clauses (SCCs) and a Data Processing Agreement.
10.2 Data Breach Notification
In the event of a personal data breach, we will:
- Notify the Bulgarian CPDP within 72 hours as required by GDPR Article 33
- Notify affected data subjects without undue delay via email
- Provide details about the breach, its impact, and remediation steps
- Take immediate action to contain and resolve the breach
11. International Data Transfers
Your data is primarily processed and stored within the European Union. For AI-powered test generation, limited data may be processed by Anthropic (Claude API) in the United States, subject to Standard Contractual Clauses (SCCs) and appropriate safeguards.
If we need to engage additional processors outside the European Economic Area (EEA) in the future, we will:
- Notify you in advance
- Ensure appropriate safeguards are in place in accordance with GDPR Chapter V (adequacy decisions, Standard Contractual Clauses, or other approved mechanisms)
- Update this Privacy Policy accordingly
12. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
- Right to Confirmation and Access (Art. 15): You can request confirmation of whether your personal data is being processed and, if so, request a copy of that data. Email privacy@bugzy.ai and we will provide a complete data export within 30 days.
- Right to Rectification (Art. 16): You can request correction of inaccurate personal data by contacting privacy@bugzy.ai.
- Right to Erasure (Art. 17): You can request deletion of your personal data using the account deletion feature in your team settings or by emailing privacy@bugzy.ai.
- Right to Restrict Processing (Art. 18): You can request that we limit the processing of your personal data.
- Right to Data Portability (Art. 20): You can request your data in a structured, commonly used, machine-readable format (JSON/CSV). We will process export requests within 30 days.
- Right to Object (Art. 21): You can object to the processing of your personal data based on legitimate interest, including analytics.
- Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, you can withdraw it at any time through your account settings or by contacting us. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
How to Exercise Your Rights: Contact us at privacy@bugzy.ai. We will respond within 30 days as required by GDPR. For account deletion and data export, you can also use the features available in your team settings.
Unfounded or Excessive Requests: If requests are manifestly unfounded, excessive, or repetitive, we may charge a reasonable administrative fee or refuse to act on the request, in accordance with GDPR Article 12(5).
13. Age Restriction
Our Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from persons under 18 years of age. If we become aware that we have collected personal data from a person under 18 without a valid legal basis, we will take the necessary steps to delete such data without undue delay, unless we are required by law to retain it.
If you become aware that a person under 18 has provided us with personal data, please inform us immediately at privacy@bugzy.ai.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. We will notify you of material changes by posting the new Privacy Policy on this page and, where appropriate, by email. If we make significant changes, we will provide at least thirty (30) days' notice before the changes take effect.
15. Supervisory Authority
If you have concerns about how we handle your personal data that we have not been able to resolve, you have the right to lodge a complaint with the Bulgarian data protection authority:
Commission for Personal Data Protection (CPDP) Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria Website: https://cpdp.bg Email: kzld@cpdp.bg Phone: +359 2 91 53 518
As an EU citizen, you may also contact the data protection authority in your country of residence.
16. Contact Information
If you have any questions about this Privacy Policy or our data practices, please contact us:
Data Controller: Cloud Automation Solutions EOOD Data Protection Contact Person: Milko Slavov Email: privacy@bugzy.ai
Last updated: March 24, 2026