feedback-hub Home

Legal

Privacy Policy

Effective May 11, 2026

This policy explains what data feedback-hub collects when you submit feedback through the widget, or when you sign into the inbox. It is written in plain language because the data set is small.

What we collect

From feedback submissions

  • The text you type — the body of your feedback.
  • The page URL you were on when you submitted, so we can find the bug.
  • Your viewport size and device pixel ratio — to reproduce display issues.
  • Your user-agent string — the browser and OS string your browser sends with every request.
  • A screenshot, only if you explicitly click “Add screenshot” in the widget. It is captured by your browser and uploaded to our storage.
  • Your identity, if the host app passes it — typically a user id and/or email, so we can reply to you. This is optional; the widget supports anonymous submissions.

From inbox sign-in

  • Your email address — used to deliver the sign-in code.
  • A session cookie, set by Supabase Auth, used only to keep you signed in.

What we do not collect. We do not run any analytics, fingerprinting, ad trackers, session replay, or third-party SDKs on the widget or the inbox. The widget makes no network requests beyond submitting your feedback to feedback-hub.orosa.io. The inbox makes no requests beyond its own server and Supabase.

Why we collect it

To read your feedback and improve the product you sent it from. That’s the entire purpose. We do not sell, share, or use the data for any other purpose.

Where it’s stored

All data is stored on a single self-hosted server running PostgreSQL (via Supabase) and object storage for screenshots. The server sits behind a Cloudflare Tunnel; all traffic is encrypted in transit (HTTPS). Screenshots and rows are accessed via signed URLs and row-level security tied to the project owner’s account.

Who can see it

Only the project owner. Each project in feedback-hub has exactly one owner; row-level security in the database prevents anyone else from reading the rows. Currently that owner is Mark Orosa.

Third parties

The Service uses two third parties, both for delivery only:

  • Resend — to send sign-in code emails and new-feedback notification emails to the project owner. Resend sees the recipient address and the email body.
  • Cloudflare — to provide the tunnel that exposes the self-hosted server to the public internet, plus TLS and DDoS protection. Cloudflare sees the encrypted request metadata.

How long we keep it

Indefinitely, until the project owner deletes a row, or until you ask us to remove your data. There is no automatic retention schedule because the volume is small and the data is the entire point of the product.

Your rights

You can ask us to:

  • Tell you what data we have about you,
  • Correct anything that’s inaccurate,
  • Delete it.

Email [email protected]with the email address you submitted from and we’ll respond within a reasonable time frame. There is no self-service portal yet because there is one of us.

Children

feedback-hub is not directed at, or intended for use by, children under the age of 13. Do not submit feedback on behalf of someone under that age.

Changes

Material changes to this policy will be reflected in the “Effective” date above. We will not retroactively use your data for purposes that were not disclosed at the time of collection.

Contact

Privacy questions: [email protected].