Privacy Policy
Effective date: March 4, 2026
1. Introduction
Testoro ("we", "us", "our") is an AI-powered Playwright test generator operated by Piotr Gębski, NIP 7732424192, ul. B. Stolarskiego 10/12, 97-200 Tomaszów Mazowiecki, Poland (the data controller within the meaning of the GDPR). This Privacy Policy explains what data we collect, how we use it, and the rights you have over your information. By using Testoro you agree to the practices described below.
2. Data We Collect
2.1 Account Information
When you create an account we collect your email address, display name, and authentication provider details (e.g. GitHub or Google OAuth tokens). This data is required to identify you and provide access to the service.
2.2 Usage Data
To generate Playwright tests we process the test descriptions you write in plain English, the DOM context crawled from your application URLs, and the generated .spec.ts code. This data is necessary for the core functionality of the service.
2.3 Billing Data
Payments are handled entirely by Stripe. We receive and store your Stripe customer ID, subscription status, and invoice history. We never receive, process, or store your credit card number, CVC, or full card details.
2.4 Technical Data
We automatically collect your IP address, browser type and version, operating system, referring URL, and session cookies. This data helps us maintain security, diagnose issues, and improve the service.
3. How We Use Your Data
- Service delivery — Authenticate you, manage your projects, and serve your dashboard. (Lawful basis: contract performance, GDPR Art. 6(1)(b))
- Test generation — Send your test descriptions and crawled DOM context to our AI models to produce Playwright test code. (Lawful basis: contract performance, GDPR Art. 6(1)(b))
- Billing — Process subscription payments and manage invoices through Stripe. (Lawful basis: contract performance, GDPR Art. 6(1)(b))
- Analytics — Measure aggregate usage patterns to improve features and reliability. (Lawful basis: legitimate interests, GDPR Art. 6(1)(f))
- Security — Detect abuse, prevent fraud, and enforce rate limits. (Lawful basis: legitimate interests, GDPR Art. 6(1)(f))
4. Sub-Processors and Third Parties
We share data with the following third-party processors, each under appropriate data processing agreements:
| Provider | Purpose | Data Shared |
|---|---|---|
| OpenAI | AI test generation | Test descriptions, crawled DOM context |
| Anthropic | AI test generation (alternative provider) | Test descriptions, crawled DOM context |
| Supabase | Database hosting, authentication | Account data, project data, test data |
| Stripe | Payment processing | Email, subscription and invoice data |
| Vercel | Frontend hosting | IP address, request metadata |
| Railway | Backend hosting | API request data, server logs |
We do not sell, rent, or trade your personal data to any third party for marketing purposes.
AI model training opt-out: Testoro uses the OpenAI API and Anthropic API under terms that prohibit the use of customer data for model training. Your test descriptions, DOM context, and generated code are processed solely for inference and are not used to train or improve any third-party AI models.
5. Data Retention
- Account data is retained for as long as your account remains active. When you delete your account, personal information is removed immediately, subject to backup retention of up to 30 days.
- Test data (test descriptions, generated code, crawled DOM snapshots) is retained for 90 days after account deletion, then permanently erased.
- Billing data held by Stripe is retained according to Stripe's Privacy Policy. We retain invoices and subscription records for up to 7 years to comply with tax and accounting obligations.
- Server logs containing IP addresses and request metadata are automatically purged after 30 days.
6. AI Prompt Data
When generating or healing tests, we send your test descriptions and crawled DOM context to our AI providers (OpenAI and Anthropic) as API prompts. These prompts may be temporarily logged on our servers for debugging and error tracking purposes. Prompt logs are automatically purged after 7 days and are never shared with third parties.
7. Your Rights Under the GDPR
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation:
- Right of access — Request a copy of the personal data we hold about you.
- Right to rectification — Ask us to correct inaccurate or incomplete data.
- Right to erasure (Art. 17) — Request deletion of your personal data, subject to legal retention obligations.
- Right to data portability (Art. 20) — Receive your data in a structured, machine-readable format.
- Right to restrict processing — Ask us to limit how we process your data in certain circumstances.
- Right to object — Object to processing based on legitimate interests or direct marketing.
To exercise any of these rights, contact us at privacy@testoro.dev. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority. If you are located in Poland, the competent supervisory authority is the President of the Personal Data Protection Office (UODO — Urząd Ochrony Danych Osobowych).
8. Your Rights Under the CCPA
If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights:
- Right to know — You may request details about the categories and specific pieces of personal information we have collected.
- Right to delete — You may request deletion of personal information we have collected from you.
- Right to opt-out of sale — We do not sell your personal information to third parties. Because we do not engage in the sale of personal data, there is no need to opt out.
- Non-discrimination — We will not discriminate against you for exercising your CCPA rights.
9. Cookies
Testoro uses HttpOnly session cookies exclusively for authentication. These cookies are strictly necessary to keep you signed in and cannot be accessed by client-side JavaScript.
We do not use advertising cookies, tracking pixels, or third-party analytics cookies. No cookie consent banner is required because we only use cookies that are essential to the operation of the service.
10. Security Measures
We implement industry-standard security practices to protect your data:
- Encryption at rest and in transit — All data stored in Supabase is encrypted at rest using AES-256. All connections use TLS 1.2 or higher.
- Row-Level Security (RLS) — Database access is enforced at the row level so users can only access their own data.
- HttpOnly cookies — Session tokens are stored in HttpOnly cookies, which client-side JavaScript cannot read, to protect them from theft through cross-site scripting (XSS) attacks.
- SSRF protection — Our crawler validates and sanitizes target URLs to prevent server-side request forgery attacks.
- Rate limiting — API endpoints are rate-limited to prevent abuse and denial of service.
11. Children's Privacy
Testoro is not intended for anyone under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected data from a child under 16, we will delete that information promptly. If you believe a child has provided us with personal data, please contact us at privacy@testoro.dev.
12. International Data Transfers
Your data may be processed in countries outside your country of residence, including the United States, where our sub-processors operate. When we transfer data outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission or other legally recognized transfer mechanisms to ensure an adequate level of protection.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email at the address associated with your account at least 14 days before the changes take effect. The "Effective date" at the top of this page will be updated accordingly. Continued use of Testoro after the effective date constitutes acceptance of the revised policy.
14. Data Processing Agreement
A Data Processing Agreement (DPA) is available upon request for enterprise customers who require one under GDPR Article 28. To request a DPA, contact us at privacy@testoro.dev.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us at:
Testoro — Piotr Gębski
NIP: 7732424192
ul. B. Stolarskiego 10/12, 97-200 Tomaszów Mazowiecki, Poland
Email: privacy@testoro.dev
We aim to respond to all privacy-related inquiries within 30 days.