Privacy Policy
Last updated: 2026-07-07
1. What Glitch Captures
When you use Glitch to capture a bug report, it may collect the following data from the active browser tab or desktop:
- Screenshots: full-page or selected-area images of the current tab
- Screen recordings: video of the current tab or desktop, optionally including microphone audio
- Console logs: JavaScript console output (log, warn, error, info, debug) from the page
- Network requests: URLs, HTTP methods, status codes, request/response headers and bodies (text-based, up to 1 MB). Sensitive values such as Authorization headers, API keys, and JWT tokens are automatically redacted before storage
- User actions: clicks, form inputs (passwords are masked), scroll events, and page navigation events
- Performance data: Core Web Vitals (LCP, CLS, INP, FCP, TTFB), long tasks, and navigation timing
- WebSocket messages: messages sent and received (up to 2 KB per message)
- Storage snapshot: a snapshot of localStorage, sessionStorage, and cookies at the time of capture (keys and values, capped at 50 entries of 500 characters each)
- Environment information: browser name and version, operating system, viewport size, device pixel ratio, memory, CPU cores, network connection type, timezone, and locale
All of this data is collected only when you actively trigger a capture (screenshot, recording, or instant replay). Glitch does not run background data collection passively.
2. How Data Is Stored
All captured data is stored exclusively on your local device using Chrome's built-in storage APIs (chrome.storage.local) and your browser's local file system (via the Chrome Downloads API). No data is transmitted to any Glitch server, cloud service, or third party as part of the capture process.
Bug reports are saved as self-contained HTML files on your device. Recordings are saved as WebM video files. You control where these files are saved.
3. Microphone Access
Glitch requests microphone access only when you explicitly enable the mic toggle before starting a recording. Microphone audio is captured solely for inclusion in the screen recording. The audio is stored locally as part of the video file and is never sent to any server by Glitch.
You can revoke microphone access at any time via Chrome's site settings (chrome://settings/content/microphone) or the browser's address bar lock icon.
4. Third-Party Integrations
Glitch includes optional integrations with third-party services. Data is only sent to these services when you explicitly choose to share a report using that integration.
- Slack: Bug reports and recordings may be uploaded to your Slack workspace. Data is sent directly from your browser to Slack's API using your personal OAuth token. Governed by Slack's Privacy Policy.
- Jira: Bug reports may be attached to Jira issues. Data is sent directly from your browser to your Jira instance using your API token. Governed by Atlassian's Privacy Policy.
- GitHub: Bug reports may be attached to GitHub issues. Data is sent directly from your browser to GitHub's API using your personal access token. Governed by GitHub's Privacy Statement.
- GitLab: Bug reports may be uploaded to GitLab issues. Data is sent directly from your browser to your GitLab instance using your personal access token. Governed by GitLab's Privacy Policy.
- Linear: Bug reports may be attached to Linear issues. Data is sent directly from your browser to Linear's API using your personal API key. Governed by Linear's Privacy Policy.
- Notion: Bug reports may be added to a Notion database. Data is sent directly from your browser to Notion's API using your integration token. Governed by Notion's Privacy Policy.
- ClickUp: Bug reports may be attached to ClickUp tasks. Data is sent directly from your browser to ClickUp's API using your personal API token. Governed by ClickUp's Privacy Policy.
- Azure DevOps: Bug reports may be attached to Azure DevOps work items. Data is sent directly from your browser to your Azure DevOps organization using your personal access token. Governed by Microsoft's Privacy Statement.
Glitch does not receive, store, or process any data sent to these third-party services.
5. Accounts, Pro Plan & Billing
Glitch is fully usable signed-out, with no account. Creating a free account (optional) or upgrading to the Pro plan introduces a small amount of data that is processed off your device — solely to operate accounts and billing. Your captured bug reports, screenshots, and recordings are never uploaded; they always stay local.
- Authentication: When you choose to sign in, an account is created through our authentication provider, Supabase. You can sign in with a one-time email magic link or with Google. We store your email address, basic profile details, and a unique account identifier. For a full disclosure of the Google user data we access and how we use it, see section 6. Governed by Supabase's Privacy Policy.
- Plan status: The free plan is unlimited — Glitch does not count or cap your captures. For signed-in users, Glitch calls a server function to resolve your plan (free, Pro, or founder); to apply that status consistently across sign-ins it may send a randomly generated installation identifier and a normalized form of your email. The contents of your captures are never sent.
- Billing: Pro subscriptions are processed by Lemon Squeezy, our payment provider and merchant of record. Card details are handled entirely by Lemon Squeezy; Glitch never sees or stores your card information. We store your subscription status to unlock Pro features. Governed by Lemon Squeezy's Privacy Policy.
6. Google Account Sign-In, Google User Data & Google Drive Backup
Signing in with Google is one optional way to create and access your Glitch account (the other is a one-time email magic link). When you choose "Sign in with Google," Glitch — through our authentication provider, Supabase — requests only Google's basic sign-in scopes: openid, email, and profile. Signing in does not grant access to Gmail, Google Calendar, Contacts, or the contents of your Google Drive. Google Drive backup is a separate, optional feature that you turn on yourself; it is described at the end of this section.
Google user data we access. Only your basic Google profile: your email address, your name, your profile picture, and your unique Google account identifier.
How we use it, and why:
- Authentication and account identity: to create and sign you into your Glitch account without a password, and to associate your settings and subscription status with your account.
- In-app display: to show your email, name, and profile picture in the app so you can see which account is signed in.
- Essential service emails: to send account-related messages to your email address — sign-in links, billing receipts, and security or account notices — as part of operating the service.
- Product updates (opt-in only): if, and only if, you explicitly opt in, to send occasional product-update emails. Every such email includes an unsubscribe link, and you can opt out at any time. We do not send marketing email without your consent.
How we store it. This data is held by Supabase (our authentication provider) and cached locally in your browser to keep you signed in. We retain it only for as long as your account exists.
How we share it. We do not sell, rent, or share your Google user data with third parties. It is processed only by Supabase, acting as our infrastructure provider on our behalf.
What we never do. We do not use Google user data for advertising, and we do not use it to develop, improve, or train any generalized or individualized artificial-intelligence or machine-learning models. Glitch's use of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements.
Deletion. You can request deletion of your account and the associated Google user data at any time by emailing support@glitched.wtf; we will delete it promptly.
Google Drive backup (optional, Pro)
Pro users can optionally connect Google Drive to automatically back up their own captures. This feature is off until you explicitly connect Drive and enable it in the extension's settings.
- Scope. Drive backup uses Google's
drive.filescope, authorized through Chrome'sidentityAPI. This is a narrow, per-file scope: Glitch can only see and manage the files it creates in your Drive. It has no access to any other file or folder in your Google Drive. - Where your captures go. When enabled, your captured bug reports and recordings upload to a
Glitchfolder in your own Google Drive. They are never uploaded to, routed through, received by, or stored on any Glitch server. Glitch cannot read them back. - Share links. A shareable "anyone with the link" link is created only when you explicitly click to create or share one. Glitch never makes your Drive files public automatically.
- Turning it off. You can disconnect Google Drive at any time from the extension's settings, which revokes Glitch's access token. Files already saved to your Drive remain yours and are unaffected.
- Limited Use. Data accessed via the Drive API is used solely to provide this backup feature at your direction and is never used for advertising or to train AI/ML models. Glitch's use of Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements.
7. Permissions Justification
Glitch requests the following Chrome permissions. Each is required for core functionality:
- Access to all sites (
<all_urls>): Required to inject the debug capture script into any page you choose to record. Glitch only activates on a tab when you explicitly trigger a capture. - Tab capture (
tabCapture): Required to record the video and audio stream of the active tab. - Tabs (
tabs): Required to query the active tab when you open the popup, and to manage the recording overlay. - Storage (
storage,unlimitedStorage): Required to store settings, theme preferences, recording state, and temporary recording buffers locally. - Scripting (
scripting): Required to inject the recording overlay and debug capture script into pages. - Downloads (
downloads): Required to save bug reports and recordings to your local file system. - Web navigation (
webNavigation): Required to track page navigations during a recording session for the debug log. - Web request (
webRequest): Required to capture network request metadata (URLs, methods, status codes) during a recording. - Identity (
identity): Required for the OAuth authorization flow when connecting Slack, and for the Google authorization flow when you connect the optional Google Drive backup (drive.filescope — see section 6). - Offscreen documents (
offscreen): Required to run the media recording engine in the background without a visible UI. - Alarms (
alarms): Required to enforce the optional recording time limit setting. - Active tab (
activeTab): Grants Glitch temporary access to the current tab at the moment you invoke it (clicking the toolbar icon or starting a capture), without standing access to your browsing. - Notifications (
notifications): Required to show brief system notifications about capture status and errors (for example: recording started or saved, screenshot saved, microphone unavailable, or an instant-replay save failure).
8. Data Glitch Does Not Collect
- Glitch does not collect any analytics, usage telemetry, or crash reports
- Glitch does not require an account — it is fully usable signed-out; an account is created only if you choose to sign in (see section 5)
- Glitch does not track you across websites
- Glitch does not upload your captured content to a Glitch server — screenshots, recordings, console logs, and network data never reach us. They leave your device only when you explicitly share through an integration, or back them up to your own Google Drive (see section 6)
- Glitch does not sell or rent your data, and shares it only when you explicitly use an integration, enable Google Drive backup, or as described in section 5 (accounts and billing)
9. Automatic Redaction
Glitch automatically redacts sensitive values from captured network data — across request and response headers and bodies (JSON, form-urlencoded, and multipart) — before it is stored. Redaction covers:
- Authentication, session, and cookie headers — including Authorization, Proxy-Authorization, WWW-Authenticate, Cookie/Set-Cookie, CSRF/XSRF tokens, X-API-Key, X-Auth-Token, and any header whose name contains auth, token, secret, key, credential, jwt, or session
- Bearer tokens, Basic-auth credentials, and JSON Web Tokens (JWTs)
- Common credential fields by name (password, secret, token, API key, credit-card number, CVV, SSN) in JSON and form bodies
- Recognizable vendor secret formats — AWS, Stripe, GitHub, GitLab, Slack, Google (API keys & OAuth tokens), OpenAI, SendGrid, npm, Linear, and Notion keys
- PEM-encoded private keys
Redacted values are replaced with the placeholder [glitch-redacted]. While Glitch makes reasonable efforts to redact sensitive data, no automated redaction is perfect — you should review captured reports before sharing them externally.
10. Children's Privacy
Glitch is a developer tool intended for adults. It is not directed at children under the age of 13, and we do not knowingly collect personal information from children.
11. Changes to This Policy
If this privacy policy changes materially, the updated version will be published at the same URL with a revised "Last updated" date. Continued use of Glitch after a policy update constitutes acceptance of the updated policy.
12. Contact
If you have questions about this privacy policy or Glitch's data practices, please email support@glitched.wtf, or reach us directly at clarkkentkalel1995@gmail.com.