Privacy Policy
Last updated: February 19, 2026
1. Introduction
TesterArmy ("we," "us," or "our") operates the tester.army platform — an AI-powered QA testing service that helps teams test their websites automatically. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, website, API, and related services (collectively, the "Service").
By accessing or using the Service, you agree to this Privacy Policy. If you do not agree, please do not use the Service. This policy should be read alongside our Terms of Service.
2. Information We Collect
2.1 Account Information
When you create an account via Google OAuth, GitHub OAuth, or email magic link, we collect:
- Name (as provided by your OAuth provider)
- Email address
- Profile image/avatar (from your OAuth provider)
- OAuth provider account identifiers
2.2 Onboarding Information
During onboarding, we may ask for your role, how you heard about us, your current testing methods, and your goals. This information is optional and used to improve your experience.
2.3 Project Data
To use the Service, you provide project information including:
- Website URLs and descriptions
- Website credentials (username/password) — stored encrypted with AES-256-GCM
- GitHub repository connections and deployment settings
- Test schedules and automation configuration
2.4 Test & Chat Data
When you run tests through our AI agent, we collect and store:
- Test queries, instructions, and prompts
- AI-generated test results and reports
- Screenshots captured during test execution
- Chat conversation history
- AI-learned project memories (site structure insights, test patterns)
2.5 Payment Information
Payment processing is handled entirely by Stripe. We do not store credit card numbers or full payment details. We store only Stripe customer IDs, subscription IDs, plan names, and subscription status for account management.
2.6 Usage & Technical Data
We automatically collect technical and usage data including:
- IP address, browser type, device information
- Feature usage events (pages visited, actions taken, test runs executed)
- Error logs and performance metrics
- Monthly team usage counters (request counts)
3. How We Collect Information
- Directly from you — when you sign up, configure projects, enter credentials, send test queries, or contact support
- From OAuth providers — Google and GitHub provide profile information during sign-in
- Automatically — through analytics tools, error tracking, and server logs when you interact with the Service
- From third-party integrations — GitHub webhooks deliver deployment and repository event data when you connect a repository
4. How We Use Your Information
We use collected information to:
- Provide, maintain, and improve the Service
- Execute AI-powered tests against your websites using the credentials and context you provide
- Process payments and manage subscriptions through Stripe
- Send transactional emails (magic links, team invitations) via Resend
- Analyze usage patterns to improve features and user experience
- Monitor and fix errors, bugs, and security issues
- Enforce our Terms of Service and prevent abuse
- Respond to legal obligations, disputes, and enforcement requests
5. AI Data Processing
Our Service uses AI models (via Vercel AI Gateway) to execute automated QA tests. This is a core part of the Service and requires sharing certain data with AI providers.
What the AI processes
- Your project URL and description
- Website credentials you store — decrypted in-memory during test execution only
- Screenshots captured from your website during testing
- Your test queries and instructions
- Chat conversation history for context
- Project memories (learned insights about your site structure and testing patterns)
Web search
The AI agent may perform web searches (via ExaLabs) to gather context relevant to your test queries. Search queries are derived from your test instructions.
We select AI providers that offer commercially reasonable security and data handling practices. However, data sent to AI providers is processed on their infrastructure and subject to their respective privacy policies.
6. Third-Party Services
We use the following third-party services to operate the platform:
| Service | Purpose |
|---|---|
| Google OAuth | Authentication provider |
| GitHub | OAuth authentication + repository integration (webhooks, PR comments) |
| Stripe | Payment processing and subscription management |
| PostHog | Product analytics (client and server-side) |
| Sentry | Error tracking and performance monitoring (includes personal data in error reports) |
| Resend | Transactional email delivery (magic links, invitations) |
| Cloudflare R2 | Screenshot and file storage |
| Hetzner | Server hosting infrastructure |
| Vercel | AI gateway |
| ExaLabs | Web search for AI agent context |
Each service processes data according to its own privacy policy. We encourage you to review their policies independently.
7. Data Sharing & Disclosure
We do not sell your personal information. We share data only in the following circumstances:
- Service providers — with the third-party services listed above, strictly to operate the platform
- Team members — project data, test results, and chat history are visible to members of your team based on their role
- Shared links — if you share a chat session via its share link, that session becomes accessible to anyone with the link, without authentication
- Legal requirements — when required by law, subpoena, court order, or government request
- Safety & enforcement — to protect rights, property, or safety of TesterArmy, our users, or the public
- Business transfers — in connection with a merger, acquisition, or sale of assets, with notice to affected users
8. Cookies & Tracking
We use the following cookies and storage:
- Session cookie — JWT-based authentication cookie managed by NextAuth (essential, 7-day expiry)
- Local storage — theme preference (light/dark mode) stored in browser localStorage
- PostHog analytics — first-party analytics tracking for product usage (production only)
We do not use third-party advertising cookies or cross-site tracking pixels.
9. Data Security
We implement industry-standard security measures to protect your data:
- Encryption at rest — website credentials and sensitive tokens encrypted with AES-256-GCM
- Encryption in transit — all data transmitted over HTTPS/TLS
- API key security — API secrets hashed with bcrypt and validated using timing-safe comparison
- Access controls — role-based team permissions (owner, admin, user)
- Infrastructure — hosted on Hetzner via Coolify with Cloudflare for storage, leveraging their security infrastructure
No system is 100% secure. While we take reasonable precautions, we cannot guarantee absolute security of your data.
10. Data Retention
We retain data for different periods depending on its type and purpose:
- Account data — retained for the lifetime of your account
- Chat and message history — retained indefinitely while your account is active
- Test run results — retained indefinitely while your account is active
- Screenshots — stored in Cloudflare R2; presigned access URLs expire after 7 days
- API keys — configurable expiration (default 90 days) or non-expiring
- Magic link tokens — expire after 1 hour
- Team invitations — expire after 7 days
- Stream data (Redis) — automatically deleted after 24 hours
Account deletion is permanent and immediate. All associated personal data is deleted at the time of deletion, except where retention is required by law (e.g., billing records).
11. International Data Transfers
Your data may be processed in Germany (Hetzner), the United States, and other countries where our service providers operate (including Cloudflare, Google, Stripe, and Sentry). These transfers are necessary to provide the Service. We rely on Standard Contractual Clauses and other lawful transfer mechanisms where required by applicable data protection laws.
12. Your Rights
GDPR Rights (EEA/UK residents)
If you are in the European Economic Area or United Kingdom, you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate or incomplete data
- Erase your personal data ("right to be forgotten")
- Port your data to another service in a machine-readable format
- Object to processing based on legitimate interests
- Restrict processing in certain circumstances
- Withdraw consent at any time where processing is based on consent
CCPA/CPRA Rights (California residents)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, and disclose
- Delete your personal information
- Correct inaccurate personal information
- Opt out of the sale or sharing of personal information (we do not sell personal information)
- Non-discrimination for exercising your privacy rights
To exercise any of these rights, contact us at hello@tester.army. We will respond within 30 days (or sooner as required by applicable law).
13. Children's Privacy
The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us at hello@tester.army and we will promptly delete it.
14. Shared Content
You may share chat sessions via a unique share link. Shared sessions are accessible to anyone with the link without requiring authentication. Shared content may include your test queries, AI responses, and screenshots. Consider the sensitivity of your data before sharing — you are responsible for any data exposed through shared links.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes, we may also notify you via email. We review this policy at least annually. Your continued use of the Service after changes constitutes acceptance of the updated policy.
16. Contact
For questions, concerns, or requests related to this Privacy Policy or your personal data, contact us at: hello@tester.army