Privacy Policy
TestDossier is built around a simple promise: your test data is yours. This page explains exactly what we collect, what we don't, and why.
Local authoring without sign-up
If you use TestDossier without signing in, local authoring data — tabs, screenshots, results — is stored in your browser's IndexedDB. None of that local authoring data is sent to our servers unless you choose a server-backed feature, such as creating a share link or submitting a browser capture.
Accounts, Free sharing, and Pro sync
If you sign in or use server-backed features, we store only what is needed to operate those features:
- Your email address (for login and account recovery)
- Free share links: the frozen report payload, share settings, password hash if you set one, expiry data, comments or verdicts if enabled, and view analytics
- Free capture submissions: a temporary capture bundle and evidence inbox long enough for the app to import it into your browser; free capture bundles expire after 7 days if not imported
- Pro synced data: your test cases, projects, test plans, history, and screenshots so they sync across devices and workspaces
- Your subscription status and payment-provider identifiers, only if you have a paid plan managed via Lemon Squeezy
We do not read, mine, sell, or train AI on your test content. We never share your data with third parties except as required to operate the service: Cloudflare for hosting, Resend for transactional email (sign-in, comment and sign-off notifications, and sign-off verification codes), and Lemon Squeezy for payments if you have a paid subscription. TestDossier does not use AI — your test content is never sent to any AI service.
Retention after cancellation. If your Pro subscription ends, the data synced to your account (cases, runs, and screenshots) is kept for a 30-day grace period — re-subscribe to restore access, or download a complete backup (cases plus evidence) in the meantime; we email you when the window opens and before it closes. After the grace period that synced cloud data may be permanently deleted to free storage. Re-subscribing within the window cancels the deletion. Deleting your account erases everything immediately. (See Terms §6.)
Team workspaces (Pro)
If you create a workspace and invite teammates, we store: the email addresses you invite, each member's account membership and role (owner / member), and an activity feed recording who edited which test case and when. We also broadcast lightweight presence signals (which test case a teammate is currently viewing) in real time to other members of the same workspace.
Workspace data stays inside the workspace — it is not shared with other workspaces or used for anything besides operating the workspace. Owners can remove members at any time; removed members lose access immediately.
CI ingest (Pro)
If you POST results from your CI pipeline (Cypress, Playwright, JUnit XML, or generic JSON) to /api/ci/ingest, we store: run metadata (build, environment, duration, branch), per-test results (name, status, duration, error messages), and any attachments included in the payload. CI runs land in your project's history alongside manual runs.
The per-project bearer token used to authenticate ingest requests is stored hashed at rest and never displayed again after creation. You can rotate it any time from project settings.
Browser extension — TestDossier Capture
The optional TestDossier Capture browser extension records a manual test session — clicks, form submissions, page navigations, screenshots, network request metadata (via the browser's webRequest observer), and uncaught JavaScript errors (via a page-level hook) — and turns it into a test case. Capture is always user-initiated: it runs only after you press Record, and stops when you stop.
Nothing leaves your browser until you submit. The session is buffered locally in the browser's IndexedDB; you review it in the panel and choose to submit or discard. Only on submit is the assembled capture sent to /api/capture. On Free, the bundle is held temporarily so the app can import it back into this browser, then it expires if not imported. On Pro or workspace projects, submitted capture evidence is stored with the synced project. Capture tokens are stored hashed at rest and can be revoked from project settings.
Because a captured case can be published as a public share link, the extension is redacted by construction: password fields are never captured (masked at the source, before anything is buffered), and known-sensitive values (card numbers, SSNs, secrets, tokens, OTPs) are masked the same way — whether they're typed into an <input>, a <textarea>, or a rich-text editor. For network activity we record metadata only — method, URL, status, and timing — never request or response bodies. Access tokens you add to the panel — one per project you capture into — are held in the browser's extension storage on your own machine and never leave it except as the Authorization header on your own submissions; you can revoke any of them from project settings at any time.
A note on screenshots. Field-level masking redacts values you type, not what the page renders. Screenshots are pixel captures of the visible page area — anything on screen at the moment of capture (account names, customer data, internal copy, an open chat panel) is in the screenshot. Review each screenshot before you submit the case, and use the side panel's Pause to temporarily stop capture before you do anything sensitive on the page.
Test inbox (Pro)
The test inbox gives you disposable email addresses (of the form name.xxxx@inbox.testdossier.com) for exercising sign-up, verification, and notification flows. You can hold up to three personal addresses plus one per workspace and rotate any of them at any time.
When mail arrives at one of your addresses we store the sender, subject, a text preview, and the full message body (HTML and raw source, in Cloudflare R2) so you can inspect it. Messages auto-expire seven days after they arrive and are then deleted. Rotating an address bounces new mail to the old one but leaves already-received messages readable until they expire. Inbox messages are scoped to your account or workspace and are never shared, mined, or used for anything besides showing them to you.
Anyone who knows one of your addresses can send mail to it, so treat it as a test mailbox — don't route real personal or production data through it.
Shared evidence links — viewers and commenters
When you generate a shareable evidence link, anyone with the link (and password, if you set one) can view it. We don't require viewers to sign in or share any personal information.
For each link you create, we collect the following analytics so you can see how it's being used:
- View rows: a daily-rotating, non-reversible hash of the viewer's IP, a hash of their browser's User-Agent string, the host portion of the referring page (e.g. slack.com), and the country code Cloudflare reports at our edge. We never store raw IP addresses.
- Comments: if a viewer leaves a comment on your shared report, we store the name they typed, the optional email they provided (never displayed publicly — only stored so you can reply manually), the comment body, and an approximate country code from Cloudflare's edge. The country is visible only to the share owner during moderation; other public viewers don't see it. The share owner gets an email notification.
You (the share owner) can disable commenting per-share at any time, delete individual comments, or revoke the share entirely — which removes both the link and all associated comments and view rows.
Verified sign-off (Pro)
A share owner can ask reviewers to record a verdict — approve, request changes, or block — on a shared report. Casting a verdict requires a name and an email address, and, when the owner requires verification, confirming a one-time code we email to that address. This only proves the reviewer controls the mailbox: no account is created, and the share link itself is never emailed by us.
For each verdict we store the reviewer's name, email, the verdict chosen, any note they add, and timestamps. New verdicts are appended rather than overwritten, so the record reflects what was decided and when. Public viewers of the share see only aggregate counts — individual reviewer names, emails, and notes are visible only to the share owner, who is emailed when a verdict is cast. Revoking the share removes its verdicts along with it.
Analytics
We use Cloudflare Web Analytics on our marketing pages and the app to count pageviews. It does not use cookies, does not collect personal information, and does not track you across sites. We don't use Google Analytics or any third-party advertising tracker.
Cookies
Unsigned local authoring uses no login cookie. If you sign in — Free or Pro — we use one essential cookie to keep you logged in (HttpOnly, Secure, SameSite=Lax). No advertising or tracking cookies, ever.
Data retention
Local-only authoring data stays in your browser until you delete it or clear site data. Server-backed Free share links and capture bundles follow their expiry rules. If you cancel Pro, your synced account data remains accessible for 30 days, then may be permanently deleted from our servers. You can export your data as JSON at any time.
Logged snapshots are kept as you logged them. Once a test run is logged, TestDossier doesn't rewrite the snapshot. You can delete a run for cleanup, but deletion removes the run instead of changing what was recorded. Shared reports keep showing the frozen copy that was shared, so viewers don't see quiet edits after the fact.
If you free up image storage from your account settings, the image bytes are deleted from our object store but the test run row itself keeps its references. Old screenshots show as unavailable rather than the historical record silently changing.
Your rights
You can request a copy or deletion of your data at any time. The account-settings page has a Download all my data button (JSON export) and a Delete my account action. For requests we can't satisfy through the UI, email support@testdossier.com — we respond within 7 days.
What account deletion removes: your email address, login sessions, personal projects (and their tabs, runs, and shares), saved preferences, and your subscription identifiers.
What account deletion preserves and why: test runs you logged inside a team workspace stay with that workspace. The system identifiers connecting those rows to you — your user id, your email — are removed, so “logged by” appears blank to other members. The structural record of what was tested, when, and with what result remains so the team's shared history stays intact. If you contributed to a workspace and want additional content reviewed for redaction, email support and we'll handle it case by case.
Contact
Questions about privacy? Email support@testdossier.com.