Privacy Policy
Effective date: 2 June 2026 · Last updated: 2 June 2026
This Privacy Policy describes how Potato AI ("we," "our," or "us") collects, uses, and protects information when you use:
- The Potato AI Chrome extension ("the Extension")
- The Potato AI dashboard at app.usepotato.io ("the Dashboard")
- Any invite or join pages linked from the above (collectively, "the Service")
Please read this policy before installing or using the Service.
1. What Data We Collect
Data you provide
- Google account information — your name, email address, and profile picture, obtained when you sign in with Google.
- Session details — session name, app URL, optional description, and estimated time when you create a testing session on the Dashboard.
- Bug reports and feedback — any text, descriptions, or comments you type when submitting a bug report.
Data captured automatically during a session you start
- Screen recording — a video of the browser tab you are on, for the duration of a session. Recording only begins when you explicitly click the Potato AI icon and start a session.
- Console logs — JavaScript error messages from the website's browser console during the session. We do not read your personal browsing history from them.
- Network request metadata — URLs, HTTP status codes, and timing data for network requests made by the website during the session. We do not capture request or response bodies, passwords, cookies, or authentication tokens from third-party sites.
- User actions — click targets and navigation events on the page during the session, to help engineers reproduce the steps that led to a bug. We do not capture keyboard input or form field values.
Data derived automatically from your account
- Organisation domain — derived from your Google email domain (e.g. yourcompany.com) to group your team's bug reports. Your full email is not stored in this derived field.
- Install timestamp — stored locally in Chrome on first install. Not transmitted to our servers.
Data collected from testers you invite
When a tester joins via your invite link, we collect the same categories as above for that tester, on their device, for the duration of their session.
What we do NOT collect
- Browsing history or visited URLs outside of an active session
- Passwords, form inputs, or keystrokes
- Cookies or authentication credentials from other websites
- Data from tabs or apps you have not started a session on
- Data from websites while the Extension is installed but no session is running
2. Chrome Extension Permissions
Chrome Web Store policy requires us to explain every permission the Extension requests and why.
| Permission | Why we need it | Scope of access |
| --- | --- | --- |
| activeTab | Access the tab you are currently viewing when you click the Potato AI icon | Only the tab you click on, only while interacting with the Extension |
| tabs | Detect which tab is active so the widget and recording target the right page | Tab IDs and URLs — used only to route the widget, not stored remotely |
| tabCapture | Record the video stream of the active tab when you start a session | Video stream of the single tab being recorded, only during an active session |
| scripting | Inject the Potato AI widget and session-capture scripts into web pages | Our own scripts in the active tab — does not read page content outside a session |
| storage | Store your sign-in state and session flags locally in Chrome | Only Potato AI data — never reads or writes data from other extensions or websites |
| identity | Sign you in using Google via Chrome's native OAuth flow | Your Google name, email, and profile picture — only when you explicitly sign in |
| offscreen | Process the screen recording in a background document (required by Chrome MV3 for media) | The same recording stream from tabCapture — no additional access |
| <all_urls> | Inject the Potato AI widget on any website. Users encounter bugs on any site — internal tools, staging environments, production apps — and the Extension must be ready on all of them. | We inject our widget UI and session-capture scripts. We do not read, scrape, or transmit page content unless a session is active. |
3. How We Use Your Data
- Providing the core feature — session recordings, console logs, and network metadata are attached to bug reports so your team can reproduce issues without asking testers to describe them.
- AI-powered bug grouping and analysis — when a bug is submitted, we automatically send the bug description, console errors, and network metadata to Google Gemini to generate a summary title and group related bugs. Screen recordings are not sent to Gemini.
- Authentication and access control — your Google email identifies you, links you to your workspace, and controls which reports you can see.
- Workspace grouping — your email domain groups members of the same company together on the Dashboard.
- Operating the service — local extension state manages behaviour such as showing the sign-in popup on first install.
- Linear integration (optional) — if you connect Linear, we store your Linear OAuth access token securely in our database to enable you to push bug reports on demand. We do not store your Linear password. You can disconnect at any time from the Dashboard, which removes the stored token.
We do not use your data to:
- Serve or target advertisements
- Train AI or machine-learning models
- Profile your browsing behaviour
- Share with third parties for their own marketing or commercial use
4. Who We Share Data With
| Service | Purpose | Data sent | Privacy policy |
| --- | --- | --- | --- |
| Supabase | Database and file storage for bug reports, sessions, user accounts, and recordings | All data stored on our platform | supabase.com/privacy |
| Google OAuth | Authentication — verifies your identity at sign-in | Name, email, profile picture — only at sign-in | policies.google.com/privacy |
| Google Gemini | AI that groups and summarises bug reports automatically when a bug is submitted | Bug description, console errors, network metadata. Screen recordings are NOT sent. | policies.google.com/privacy |
| Google Cloud Run | Server-side processing that merges video segments into a single recording after submission | Raw video segments (same content as recordings stored in Supabase) | cloud.google.com/terms/cloud-privacy-notice |
| Linear (optional) | Bug reports you choose to push are sent to your Linear workspace | Bug title, description, and metadata — only for reports you explicitly push | linear.app/privacy |
We do not sell your data. We do not share your data with any other third party.
Within your workspace: workspace members can view bug reports and recordings created within that workspace. Your Google name and profile picture are visible to workspace members.
5. Screen Recordings
Screen recordings may capture anything visible on your screen during the session — including personal information on the page. Please review your screen before starting a recording.
- Who starts a recording: only you, by explicitly clicking the Potato AI icon. Recording never starts automatically or in the background.
- Who can view a recording: workspace members who have access to the attached bug report. We do not view recordings except to investigate a support issue, with your permission.
- Storage: recordings are uploaded to Supabase file storage over HTTPS and encrypted at rest.
- Retention: recordings are kept while your account is active. You can delete any bug report and its recording from the Dashboard at any time.
- What is not captured: other browser tabs, your desktop outside the browser, or any content before or after the session.
6. Cookies and Local Storage
- Dashboard: Supabase Auth uses browser cookies and localStorage to maintain your signed-in session. First-party only — no third-party tracking cookies.
- Extension: Chrome's storage.local and storage.session APIs store your auth state and session flags locally on your device. Not accessible to other websites or extensions.
- We do not use cookies for advertising or cross-site tracking.
7. Data Storage and Security
- Location: your data is stored on Supabase servers in the Asia Pacific (Tokyo) region — ap-northeast-1.
- Transmission: all data is sent over HTTPS/TLS.
- At rest: data is encrypted at rest using Supabase's default AES-256 storage encryption.
- Access controls: database-level Row Level Security (RLS) policies ensure users can only access data belonging to their workspace.
8. Your Rights and Choices
All users
- Access: email us to request a copy of the personal data we hold about you.
- Deletion: email us to request deletion of your account and all associated data. We will complete deletion within 30 days.
- Correction: email us to correct any inaccurate stored data.
- Portability: email us to request an export of your bug reports and session data.
- Uninstall: uninstalling the Extension removes all locally stored data from your device. Server data (bug reports, recordings) is not automatically deleted — email us if you want it removed.
- Disconnect Linear: disconnect at any time from the Dashboard, which removes the stored OAuth token.
To exercise any right: siddharthdesai101@gmail.com
California residents (CCPA / CPRA)
You have the right to know what personal information we collect (see Section 1), the right to opt out of the sale of personal information (we do not sell), the right to deletion, the right to correct inaccurate data, and the right to non-discrimination for exercising these rights.
European Union and UK residents (GDPR / UK GDPR)
Our lawful bases for processing:
- Contract performance — processing your account and session data is necessary to provide the Service.
- Legitimate interests — storing install state, routing sessions to the correct workspace, and maintaining security.
- Consent — screen recording, which only begins when you explicitly start a session.
You have the right to access, rectification, erasure, restriction of processing, data portability, and to object to processing. Email us at siddharthdesai101@gmail.com. You also have the right to lodge a complaint with your local data protection authority (the ICO in the UK, or your national DPA in the EU).
Data controller: Potato AI, Prestige Oakwood, Koramangala, Bengaluru 560034, India.
9. Children's Privacy
The Service is not directed at children under 13 (or under 16 in the EU/UK). We do not knowingly collect personal data from children. If you believe we have inadvertently done so, contact us immediately and we will delete it.
10. Changes to This Policy
If we make material changes — such as collecting a new category of data or sharing with a new third party — we will notify you by email at least 14 days before the change takes effect. Non-material changes will be noted by updating the "Last updated" date above.
11. Contact Us
Potato AI
Prestige Oakwood, Koramangala, Bengaluru 560034, India
siddharthdesai101@gmail.com