Privacy Policy

Gotcha is a developer tool that captures a reproducible bug report — a screenshot, console output, failed network requests, recorded reproduction steps, a DOM snapshot, and browser environment — when you deliberately trigger a capture. This policy explains exactly what Gotcha does and does not do with your data.

The short version

• Capture only runs on a deliberate user action (toolbar click or keyboard shortcut). Gotcha never records in the background.
• Captured data is stored locally on your device (IndexedDB and extension storage). There is no Gotcha server.
• Redaction of secrets (auth headers, cookies, tokens, emails, card numbers, password fields) is on by default on every report.
• Data leaves your device only when you file a report to an issue tracker you configured, or use the optional AI assistant with your own API key.
• Gotcha does not sell data, serve ads, or track your browsing.

What Gotcha collects

When you trigger a capture, Gotcha may record, for the active page only:

• Page content & screenshots — a visual capture and a DOM snapshot of the page under test.
• Console & errors — console messages and uncaught errors.
• Network activity — requests/responses (and, in opt-in deep-capture mode, response bodies) needed to reproduce the bug.
• Reproduction steps — the interactions you performed while recording.
• Environment — browser, OS, viewport, and the page URL/title.

Where your data goes

• On your device: all captures and settings stay local until you choose to act on them.
• Issue trackers (you configure): when you file a report, it is sent directly from your browser to the endpoint you set up — Linear, Jira, GitHub, or Slack — using credentials you provide.
• AI assistant (optional): if enabled, a redacted report is sent to the LLM provider you choose (OpenAI, Anthropic, or Google Gemini) using your own API key. Gotcha adds no server in between.

Permissions

Gotcha requests scripting, storage, tabs, and (opt-in) debugger, plus host access so it can capture on whatever page you are debugging and file the report to your tracker. scripting is used only to attach Gotcha's own capture scripts to a tab that was open before the extension was installed or updated (so your first capture works without a manual reload); it never reads or modifies the page's own scripts. Each permission is used solely for the capture-and-file workflow described above.

Your controls

• Add extra redaction patterns and block specific domains in Settings.
• Review, edit, and redact every report before filing.
• Delete any stored report from the dashboard; uninstalling removes all local data.

Contact

Questions about this policy? Reach us at privacy@gotcha.dev.