Data Processing Agreement

Effective date: 1 May 2025  ·  Version 1.1

This Data Processing Agreement ("DPA") forms an integral part of the EuroBug Terms of Service and is incorporated by reference therein. By creating a EuroBug account or using the Service, the Customer agrees to this DPA.

1. Definitions

Capitalised terms not defined here have the meaning given in the Terms of Service. Additionally:

  • "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
  • "Controller" means the Customer, who determines the purposes and means of processing Personal Data through the Service.
  • "Processor" means EuroBug B.V., who processes Personal Data on behalf of the Customer.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed via the Service.
  • "Personal Data" means any information relating to a Data Subject that is submitted to the Service via the EuroBug tracker script, as further described in Section 3.
  • "Processing" has the meaning given in Article 4(2) GDPR.
  • "Sub-processor" means any processor engaged by EuroBug to process Personal Data on behalf of the Customer.
  • "Supervisory Authority" means the Autoriteit Persoonsgegevens (Netherlands) or another competent national data protection authority.

2. Subject Matter, Duration, and Nature of Processing

EuroBug processes Personal Data solely to provide the error tracking and monitoring Service described in the Terms of Service. Processing begins when the Customer installs the EuroBug tracker script on their digital property and ends upon termination of the Customer's account or expiry of the applicable data retention period, whichever is earlier.

The nature of the processing is collection, storage, analysis, and display of JavaScript error event data for the purpose of enabling the Customer to monitor and improve the quality of their software.

3. Categories of Data Subjects and Personal Data

3.1 Data Subjects

End-users of the Customer's website or application whose browsers execute the EuroBug tracker script when a JavaScript error occurs.

3.2 Categories of Personal Data Potentially Processed

| Data Element | How Handled |
|---|---|
| IP address | Hashed with SHA-256 + daily rotating salt on receipt; raw IP never stored |
| User agent / browser string | Parsed into browser name + version; full UA not stored |
| Operating system | Derived from user agent; stored as plain text (e.g., "macOS") |
| Page URL | Query string stripped server-side before storage |
| Error message and stack trace | Passed through two-layer PII scrubber (client + server) before storage |
| User ID (opt-in) | Stored only if Customer explicitly passes data-user-id |
| User email (double opt-in) | Stored only if Customer sets sendUserEmail: true in ebConfig |
| Custom tags (opt-in) | Key-value pairs supplied by Customer; max 10 keys, 50 chars each |
| Breadcrumb events (Enhanced only) | Click targets, navigation paths, console errors, failed fetch URLs; scrubbed before storage |

3.3 PII Scrubbing Technical Controls

The Service applies automatic scrubbing at two independent layers before any data reaches EuroBug infrastructure:

  • Client-side (tracker script): Email addresses, IBAN numbers, JWT tokens, credit card numbers (Luhn-pattern), Bearer tokens, and password-like query parameters are replaced with placeholders before transmission.
  • Server-side (ingest endpoint): Applies all client-side patterns plus IPv4/IPv6 addresses and Dutch BSN numbers (validated via the 11-proef algorithm). URL query strings are fully stripped.

Important: Scrubbing is best-effort. The Customer remains the Data Controller and must not knowingly transmit highly sensitive data categories (medical records, payment credentials, government identifiers) through the Service. See Section 7 of the Terms of Service.
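
The following is an added example, not EuroBug's code: a sketch of checksum-validated scrubbing as described in Section 3.3, covering e-mail addresses, Luhn-valid card numbers, 11-proef-valid BSNs, IPv4 addresses, and query-string stripping. The regular expressions, placeholder strings, and function names are assumptions, and the sample input is constructed.

```javascript
// Added illustration: regexes and placeholder strings are assumptions,
// not EuroBug's actual patterns. Sample values below are constructed.

// Luhn check: double every second digit from the right, sum, mod 10.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// 11-proef for a 9-digit BSN: weights 9..2 on digits 1-8, -1 on digit 9.
function bsnValid(digits) {
  const weights = [9, 8, 7, 6, 5, 4, 3, 2, -1];
  const sum = weights.reduce((acc, w, i) => acc + w * Number(digits[i]), 0);
  return sum > 0 && sum % 11 === 0;
}

// Replace matches with placeholders; checksum-validated patterns only
// fire when the candidate number actually passes its check.
function scrubText(text) {
  return text
    .replace(/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g, "[email]")
    .replace(/\b\d(?:[ -]?\d){12,18}\b/g, (m) =>
      luhnValid(m.replace(/\D/g, "")) ? "[card]" : m)
    .replace(/\b\d{9}\b/g, (m) => (bsnValid(m) ? "[bsn]" : m))
    .replace(/\b(?:\d{1,3}\.){3}\d{1,3}\b/g, "[ip]");
}

// Drop the query string (and anything after it) from a URL.
function stripQuery(url) {
  return url.split("?")[0];
}

const sample = "TypeError for jan@example.nl from 192.0.2.44: " +
  "bsn=111222333 ref=123456789 card 4111 1111 1111 1111 order 4111111111111112";
console.log(scrubText(sample));
console.log(stripQuery("https://shop.example/checkout?email=jan@example.nl&step=2"));
```

In the sample, ref=123456789 and the order number survive because they fail their checksums; the same logic means an identifier in an unexpected format also passes through, which is why the scrubbing can only be best-effort.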

4. Obligations of EuroBug as Processor

4.1 Processing on Documented Instructions Only

EuroBug shall process Personal Data only on documented instructions from the Customer, which are constituted by these Terms, this DPA, and the Customer's configuration of the Service. If EuroBug is required by Union or Member State law to process Personal Data beyond the Customer's instructions, EuroBug shall inform the Customer of that requirement before processing, unless prohibited by law.

4.2 Confidentiality

EuroBug shall ensure that all personnel authorised to process Personal Data are bound by appropriate obligations of confidentiality.

4.3 Security Measures (Article 32 GDPR)

EuroBug implements and maintains appropriate technical and organisational measures, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (Scaleway managed database encryption)
  • IP anonymisation via daily-rotating SHA-256 hash
  • Two-layer automated PII scrubbing (client + server)
  • Role-based access control with audit logging for all administrative actions
  • Automated data retention enforcement (7 / 90 / 365 days depending on plan)
  • Rate limiting and input validation on all ingestion endpoints
  • Magic-link authentication (no passwords stored)

4.4 No Personal Data Outside EEA

All error event data is stored and processed exclusively on infrastructure operated by Scaleway SAS in France (EEA). No error event data is transferred outside the EEA. Payment data is processed by Mollie B.V. (Netherlands, EEA). Opt-in notification services (Slack, Microsoft Teams) receive only notification-safe summaries (project name + dashboard link) — no error data, stack traces, URLs, or personal data of end-users.

5. Sub-processors

5.1 Authorised Sub-processors

The Customer grants EuroBug general authorisation to engage the following sub-processors. EuroBug has entered into data processing agreements with each sub-processor that impose obligations equivalent to those in this DPA.

| Sub-processor | Country | Purpose | Data Transferred |
|---|---|---|---|
| Scaleway SAS | France 🇫🇷 (EEA) | Cloud hosting, managed PostgreSQL database, Redis, object storage, transactional email (TEM) | All error event data, account data, audit logs |
| Mollie B.V. | Netherlands 🇳🇱 (EEA) | Payment processing | Billing contact data, payment identifiers (no error data) |
| Slack Technologies LLC | United States 🇺🇸 (opt-in only) | Slack webhook notifications | Project name + dashboard URL only. No error data, no end-user personal data. Transfer only occurs if Customer explicitly configures Slack integration. |
| Microsoft Corporation | United States 🇺🇸 (opt-in only) | Microsoft Teams webhook notifications | Project name + dashboard URL only. No error data, no end-user personal data. Transfer only occurs if Customer explicitly configures Teams integration. |

5.2 Changes to Sub-processors

EuroBug shall provide at least 30 calendar days' prior written notice (by email to the Customer's registered address or via an in-app notification) of any intended change to the sub-processor list. If the Customer objects to a new sub-processor on reasonable, substantiated data protection grounds, the parties shall discuss in good faith. If no resolution is reached within 14 days of the Customer's objection, the Customer may terminate the Service without penalty upon written notice, and EuroBug shall refund any prepaid fees for the unused portion of the then-current billing period.

5.3 Transfers to the United States

Slack and Microsoft Teams are US-based services. They are strictly opt-in. By enabling a Slack or Teams integration, the Customer acknowledges and consents to the transfer of notification-safe summaries (project name + dashboard link only) to that provider. No error event data, stack traces, URLs, or end-user personal data is included in such notifications. The Customer is responsible for ensuring they have a valid legal basis for this transfer under Chapter V GDPR.

6. Assistance with Data Subject Rights

6.1 Obligation to Assist

EuroBug shall assist the Customer in fulfilling its obligations to respond to Data Subject requests (Articles 15–22 GDPR) by providing the technical mechanisms described in Section 6.2 and, upon written request, additional manual assistance.

6.2 Self-Service Tools

The following capabilities are available to the Customer directly in the dashboard at no additional cost:

  • Data export (Art. 20 portability): Export all error events for a project via the Account settings page.
  • Data deletion (Art. 17 erasure): Delete a project and all associated data permanently via Project Settings → Danger Zone.
  • Account deletion: Customers may contact hello@eurobug.eu to request full account and organisation deletion.

6.3 Cost of Manual Assistance

Manual assistance by EuroBug staff beyond the self-service tools described in Section 6.2 (for example, searching for and deleting specific records by user identifier across multiple projects) shall be provided at the Customer's expense at a rate of €150 per hour (excl. VAT), with a minimum charge of 1 hour. EuroBug shall provide a cost estimate before commencing manual assistance work. The Customer's approval is required before work begins.

6.4 Response Timeline

EuroBug shall acknowledge requests for manual assistance within 5 business days of receipt.

7. Security Incident Notification

In the event of a Personal Data Breach (as defined in Article 4(12) GDPR) affecting data processed on behalf of the Customer, EuroBug shall:

  • Notify the Customer without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach;
  • Provide, to the extent available, the information required under Article 33(3) GDPR;
  • Assist the Customer in meeting its notification obligations to the relevant Supervisory Authority and affected Data Subjects where required.

Notification shall be sent to the Customer's registered email address. The Customer is responsible for ensuring that address is current.

8. Audit Rights

8.1 Frequency

The Customer may request an audit of EuroBug's data processing activities under this DPA once per calendar year. Additional audits may be requested only if a confirmed Personal Data Breach has occurred affecting the Customer's data.

8.2 Advance Notice

Audit requests must be submitted in writing with a minimum of 30 calendar days' advance notice. The notice must specify the scope, proposed methodology, proposed dates, and the identity and qualifications of the auditor.

8.3 Review of Third-Party Reports First

Before conducting or commissioning an on-site audit, the Customer shall first request and review any available compliance reports provided by Scaleway SAS (including SOC 2, ISO 27001, or equivalent certifications). EuroBug shall make reasonable efforts to obtain and share such reports upon written request. If the Customer is satisfied that the reports adequately address its concerns, no further audit is required.

8.4 Audit Conditions

Audits are subject to the following conditions:

  • Audits shall be conducted during normal business hours and in a manner that minimises disruption to EuroBug operations;
  • The auditor must sign a confidentiality agreement before receiving any access or information;
  • EuroBug may reject or reschedule audit requests that conflict with security requirements, ongoing incidents, or third-party confidentiality obligations;
  • The Customer may not share audit findings with third parties without EuroBug's prior written consent.

8.5 Cost

All costs associated with the audit — including EuroBug personnel time at €150/hour (excl. VAT), auditor fees, and any third-party costs — shall be borne in full by the Customer.

9. Data Retention and Return

9.1 Retention During the Agreement

| Plan | Error Event Retention | Enforcement |
|---|---|---|
| Developer (free) | 7 days | Automated daily cron deletion |
| Startup (€20/mo) | 90 days | Automated daily cron deletion |
| Agency (€50/mo) | 365 days | Automated daily cron deletion |

Downgrading from a higher plan to a lower plan will result in immediate enforcement of the lower plan's retention period at the next scheduled retention run.

9.2 On Termination

Upon termination of the Customer's account (whether by the Customer or by EuroBug), EuroBug shall, at the Customer's election within 30 days of termination:

  • Return: Make error event data available for export via the dashboard API during a 30-day wind-down period; or
  • Delete: Permanently delete all error event data within 30 days of the termination date.

After 30 days from termination, all Personal Data shall be permanently deleted from production systems. Anonymised, aggregated statistics may be retained indefinitely. Audit logs are retained for 12 months from the event date, regardless of termination, for legal compliance purposes.

10. Liability

Liability of EuroBug under or in connection with this DPA is strictly subject to the limitations and exclusions set out in Section 11 of the Terms of Service ("Limitation of Liability").

In particular: (a) EuroBug's aggregate liability under the DPA shall not exceed the cap on direct damages set out in the Terms of Service; (b) EuroBug shall not be liable for any indirect, consequential, special, or punitive damages, including regulatory fines levied on the Customer in its capacity as Data Controller, under any circumstances; and (c) the Customer, as Data Controller, remains solely responsible for ensuring that its use of the Service complies with applicable data protection law, including the lawfulness of the underlying processing and the appropriateness of the data transmitted.

GDPR fines imposed on EuroBug in its capacity as Processor due to the Customer's instructions or the Customer's failure to comply with its Controller obligations shall be indemnified in full by the Customer, subject to the indemnification clause in the Terms of Service.

11. Governing Law

This DPA is governed by Dutch law. Any disputes arising under or in connection with this DPA shall be subject to the exclusive jurisdiction of the competent courts in Amsterdam, the Netherlands, consistent with the Terms of Service.

Where any provision of this DPA conflicts with the GDPR or applicable Member State data protection law, the GDPR or applicable Member State law shall prevail to the extent of the conflict.

12. Amendments

EuroBug may update this DPA to reflect changes in law, regulation, or EuroBug's processing activities. Material changes will be communicated with at least 30 days' advance notice. Continued use of the Service after the effective date of an amendment constitutes acceptance. If the Customer does not accept a material change, the Customer may terminate the Service by written notice before the effective date of the change.

Questions or DPA Requests

For all data protection and DPA-related enquiries, contact our privacy team at hello@eurobug.eu. Enterprise customers on the Agency plan may request a countersigned PDF copy of this DPA.