Privacy Policy

Last updated June 10, 2026

This Privacy Policy explains how Rebase collects, uses, and protects personal data when you visit our website, install our widget, or use our service to capture and manage feedback.

Rebase (Collectables Ltd, “Rebase”, “we”, “us”) provides an embeddable widget and platform that lets teams capture on-page feedback, turn it into structured tickets, and sync those tickets to their issue tracker. This policy applies to rebase.dev, the widget served from cdn.rebase.dev, and our API at api.rebase.dev.

For personal data processed on behalf of our customers (the feedback their end-users submit through the widget), the customer is the data controller and Rebase acts as a processor under our Data Processing Addendum. For our own website visitors and account holders, Rebase is the controller.

1. Data we collect

Account & profile data

When you create an account or are invited to a project, we store your email address, display name, optional public username (@handle), optional avatar, role, and authentication metadata. Rebase uses passwordless, magic-code sign-in — we do not store passwords.

Feedback & diagnostic data (captured by the widget)

When someone submits feedback through the widget, Rebase captures context to help your team reproduce and resolve the ticket:

  • The selected element and its selector, attributes, and computed styles;
  • A screenshot of the visible viewport;
  • Console messages (errors and warnings) and recent network request metadata (URL, method, status, timing);
  • Page URL/path, referrer, and a recent trail of interactions (clicks, inputs, navigation);
  • Browser, operating system, viewport, language, timezone, and connection information;
  • The identity of the signed-in reporter (email, name) where applicable.

Privacy by default. Before capture, the widget masks password fields, payment-card fields, hidden inputs, and any element marked with data-rebase-mask. URLs, request headers, and common secrets are scrubbed, and request/response bodies are not captured unless a customer explicitly opts in. Customers are responsible for configuring additional masking for sensitive fields on their site.

Billing data

Payments are processed by Stripe. Rebase stores subscription status, plan, and seat counts, but never receives or stores full payment-card numbers.

Website & log data

Like most services, our servers record technical logs (IP address, user agent, timestamps) for security, debugging, and abuse prevention. Our marketing website also uses Google Analytics to understand aggregate usage; see our Cookie Policy.

2. How we use data

  • To provide, operate, and secure the widget, API, and dashboard;
  • To create tickets and sync them to the issue tracker you connect;
  • To send transactional messages and notifications (e.g. mentions and digests) you can configure or unsubscribe from;
  • To process payments and manage subscriptions;
  • To prevent fraud and abuse and to comply with legal obligations.

We do not sell personal data, and we do not use customer feedback data to train machine-learning models. See our AI Policy for how AI features work.

3. Legal bases (EEA/UK)

Where GDPR/UK GDPR applies, we rely on: performance of a contract (providing the service), legitimate interests (securing and improving the service), consent (where required, e.g. optional communications), and compliance with legal obligations.

4. Sharing & subprocessors

We share data with vetted service providers who process it on our behalf — for cloud hosting and storage, payment processing, email delivery, and the issue trackers you choose to connect. A current list is on our Subprocessors page. We may also disclose data to comply with law or to protect our rights, and in connection with a merger or acquisition (with notice where required).

5. International transfers

Rebase is hosted in the United Kingdom (London) and the United States. Where personal data is transferred internationally, we rely on appropriate safeguards such as the EU Standard Contractual Clauses.

6. Data retention

Account data is retained while your account is active. Screenshots are retained for a configurable period (90 days by default) and then deleted. Tickets and comments are retained until you or your project owner delete them or close the project. Backups and logs are retained for a limited period and then rotated.

7. Security

Data is encrypted in transit (TLS) and at rest. Screenshots are stored in access-controlled object storage and served only via short-lived signed URLs. Access to production systems is restricted and authentication tokens are short-lived and rotated.

8. Your rights

Depending on your location, you may have rights to access, correct, delete, export, or restrict the processing of your personal data, and to object or withdraw consent. To exercise these rights, contact support@rebase.dev. If we process data on behalf of a customer, we will refer your request to that customer. You may also lodge a complaint with your local supervisory authority.

9. Children

Rebase is not directed to children and is not intended for anyone under 16. We do not knowingly collect data from children.

10. Changes

We may update this policy from time to time. Material changes will be posted here with a new “Last updated” date.

11. Contact

Questions? Email support@rebase.dev or write to Collectables Ltd, 124 City Road, London, England, EC1V 2NX.