Privacy Policy
Last updated: March 29, 2026
OverlayQA ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your information when you use our Chrome extension, visit our website at overlayqa.com, or use our related services.
Chrome Extension: Data Collection
The OverlayQA Chrome extension collects and processes the following types of data to provide its design QA, bug reporting, and accessibility audit functionality:
Account and Authentication Data
- Email address — Collected during account creation and used for authentication and communication.
- Session tokens — A signed session token (JWT) is stored locally in your browser (chrome.storage.local) to keep you logged in. This token expires after 30 days.
- User ID and Team ID — Internal identifiers stored locally to associate your work with your account and team.
Screenshots and Page Content
- Screenshots — When you initiate a bug capture or accessibility audit, the extension captures a screenshot of the current browser tab using the Chrome tabs.captureVisibleTab API. Screenshots are uploaded to our servers for storage and analysis.
- Page URLs — The URL of the page you are inspecting is stored alongside issues and reports you create.
- DOM metadata — When performing accessibility audits or bug captures, the extension reads HTML element selectors, computed CSS property values (such as colors, font sizes, padding), and element bounding rectangles from the current page. This data is used for visual comparison and issue reporting.
- Element HTML snippets — Short excerpts of HTML markup (up to 200 characters) for elements associated with reported issues or accessibility violations.
Figma Integration Data
- Figma OAuth tokens — If you connect your Figma account, we store an OAuth access token to retrieve your design files. These tokens are encrypted at rest using AES-256-GCM on our servers.
- Figma file and frame data — File keys, frame names, and frame images retrieved from Figma via their API to enable design overlay comparison.
Third-Party Integration Tokens
- Jira, Linear, and Notion OAuth tokens — If you connect these services, we store OAuth tokens to sync issues you create. These tokens are encrypted at rest using AES-256-GCM on our servers.
Locally Stored Data
- chrome.storage.local — Stores your session token, authentication state, selected project, user preferences (such as QA mode and notification state), and extension settings. This data remains on your device and is not transmitted unless required for functionality.
- IndexedDB — Stores per-tab state such as cached screenshots and overlay settings for the current browsing session. This data remains on your device.
Chrome Extension: How We Use Your Data
- Bug reporting — Screenshots, page URLs, element metadata, and descriptions you provide are combined to create issue reports that can be exported to Jira, Linear, or Notion.
- AI-powered analysis — Screenshots and DOM metadata may be sent to our server, which forwards them to OpenAI's API (GPT-4o) for visual comparison analysis and accessibility audit enrichment. We do not send your account data (such as your email address or user ID) to OpenAI; only page screenshots and structural DOM data are sent. Note that a screenshot contains whatever is visible in the tab at the moment of capture, so any information displayed on that page is included in what is sent.
- Accessibility audits — The extension runs axe-core locally in your browser to detect WCAG violations. Results may be enriched by AI analysis as described above.
- Design overlay — Figma frame images are retrieved and displayed as overlays on top of web pages for visual comparison. This processing happens locally in your browser.
- Authentication — Session tokens and user identifiers are used to authenticate API requests and associate your work with your account.
Chrome Extension: Data Storage
- Server-side storage — Issue reports, screenshots, and account data are stored on our servers hosted on Cloudflare (R2 for file storage) and Neon (PostgreSQL database). OAuth tokens for Figma, Jira, Linear, and Notion are encrypted at rest using AES-256-GCM.
- Client-side storage — Session tokens, preferences, and tab state are stored locally in your browser using chrome.storage.local and IndexedDB. This data is not accessible to other extensions or websites.
- Retention — Server-side data is retained for as long as your account is active. You may request deletion of your account and all associated data at any time.
Chrome Extension: Data Sharing
We share your data only in the following circumstances:
- OpenAI — Page screenshots and DOM metadata are sent to OpenAI's API for AI visual analysis and accessibility enrichment. OpenAI processes this data according to their API data usage policies and does not use API data to train their models.
- Figma — Your Figma OAuth token is used to retrieve design files from Figma's API on your behalf.
- Jira, Linear, Notion — If you connect these integrations, issue data you choose to export is sent to the respective service via their API using your OAuth credentials.
- PostHog — Anonymous usage analytics events (such as feature usage counts) are sent to PostHog. These events do not contain page content, screenshots, or personally identifiable information beyond a random device identifier.
- We do not sell, rent, or trade your personal data to any third parties.
Chrome Extension: Permissions
The extension requests the following Chrome permissions and uses them as described:
- storage — To save your session, preferences, and extension state locally.
- activeTab — To capture screenshots and read page content on the tab you are actively inspecting.
- scripting — To inject the sidebar UI and accessibility scanner (axe-core) into web pages.
- tabs — To track which tabs have the sidebar open and restore the sidebar after page navigation.
- webNavigation — To detect page navigations and re-inject the sidebar when needed.
- contextMenus — To provide right-click menu options for quick bug capture.
- Host permissions (api.overlayqa.com) — To communicate with the OverlayQA API for issue storage, authentication, and AI analysis.
- Host permissions (api.figma.com) — To retrieve Figma design files when the Figma integration is connected.
- Host permissions (us.i.posthog.com) — To send anonymous usage analytics.
Website: Data Collection
When you visit overlayqa.com, we collect:
- Email address — When you sign up for our waitlist or create an account.
- Usage analytics — We use PostHog and Smartlook to understand how visitors interact with our website, including pages visited, time on site, and interaction patterns.
- Device and browser information — Standard technical data such as browser type, operating system, screen resolution, and referring URL.
Website: How We Use Your Information
- Communicate with you about product updates and announcements
- Analyze and improve our website experience
- Understand user behavior to inform product development
- Maintain the security and performance of our services
Third-Party Services
We use the following third-party services that may collect or process data on our behalf:
- PostHog — Product analytics for both the website and Chrome extension.
- Smartlook — Session recording and analytics on the website only.
- OpenAI — AI analysis of screenshots and DOM data via their API (Chrome extension only).
- Cloudflare — Hosting (R2 file storage) and CDN services.
- Neon — PostgreSQL database hosting.
- Clerk — Authentication and user management for the web dashboard.
- Netlify — Marketing website hosting.
Each of these services operates under their own privacy policies. We encourage you to review their respective policies.
Cookies and Local Storage
Our website and services may use cookies and similar technologies (such as localStorage and chrome.storage) to:
- Maintain your authenticated session
- Remember your preferences and settings
- Collect anonymous analytics data
You can control cookie behavior through your browser settings. The Chrome extension's local storage can be cleared by removing the extension.
Data Security
We implement the following security measures to protect your data:
- OAuth tokens (Figma, Jira, Linear, Notion) are encrypted at rest using AES-256-GCM
- Extension session tokens are signed using HMAC-SHA256 and expire after 30 days
- All data in transit is encrypted via HTTPS/TLS
- API endpoints are protected by authentication middleware and rate limiting
No method of transmission over the internet is completely secure, and we cannot guarantee absolute security.
Data Retention
- Account data and issues — Retained for as long as your account is active.
- Screenshots — Retained for as long as the associated issue or report exists.
- Session tokens — Expire automatically after 30 days.
- Analytics data — Retained according to the default retention policies of PostHog and Smartlook.
- Local browser data — Removed when you uninstall the extension or clear browser data.
Your Rights
You have the right to:
- Request access to the personal data we hold about you
- Request correction or deletion of your personal data
- Request deletion of your entire account and all associated data
- Disconnect third-party integrations at any time, which revokes our access to those services
- Unsubscribe from communications at any time
- Uninstall the Chrome extension, which removes all locally stored data
Children's Privacy
OverlayQA is not intended for use by children under the age of 13. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 13, we will delete it promptly.
Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. Your continued use of our services after changes are posted constitutes your acceptance of the revised policy.
Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights, please contact us at privacy@overlayqa.com.