Privacy Policy

Last updated: May 14, 2026

The Basics & Key Definitions

OverlayQA is a visual QA tool for web product teams. It ships as a Chrome extension and a companion web dashboard at overlayqa.com. When you use a feature — capturing a bug, running an accessibility audit, or comparing a live page to a Figma frame — OverlayQA turns that interaction into a structured issue report and stores it in your account.

"Service" means the OverlayQA Chrome extension, the dashboard at overlayqa.com, and the API at api.overlayqa.com. "We", "us", and "our" mean OverlayQA. "You" means the person using the Service.

This policy explains what information we collect, how we use it, who we share it with, and the rights you have over it. OverlayQA's use and transfer to any other app of information received from Chrome APIs adheres to the Chrome Web Store User Data Policy, including the Limited Use requirements.

What Information We Collect and How We Use It

1. Your Account Details

When you create an OverlayQA account, we collect your email address, password, and name (managed by our authentication provider, Clerk). Passwords are hashed by Clerk before storage and are never stored in plaintext or accessible to OverlayQA staff. If you sign in via Google, no password is collected. A signed session token (JWT, HMAC-SHA256, 30-day TTL) is stored locally in chrome.storage.local to keep you logged in. If you connect Figma, Jira, Linear, or Notion, we store the OAuth access tokens those services issue, encrypted at rest using AES-256-GCM.

We use this information to identify your account, associate your issues with you, keep you signed in across browser restarts, and send you product-related communications.

2. Data from the OverlayQA Chrome Extension

The Chrome extension collects data only when you explicitly trigger a feature such as capture, accessibility audit, Figma comparison, or AI analysis. Nothing in this section is collected passively or in the background.

When you initiate a feature, the extension captures:

Screenshots — a visible screenshot of the current browser tab, produced via the Chrome tabs.captureVisibleTab API and uploaded to our server.
Element selectors and metadata — the HTML tag name, CSS selector, class names, parent selector, ARIA role, alt text, and bounding rectangle of the element you pin or that an accessibility audit flags.
Element text content — up to 200 characters of the visible innerText of elements you actively pin for bug capture. We do not capture text from form inputs, password fields, or content that is not visibly rendered.
Element HTML snippets — up to 200 characters of outerHTML for elements associated with reported issues or accessibility violations.
Computed CSS properties — for pinned elements we extract computed style values including color, background-color, font-family, font-size, font-weight, line-height, letter-spacing, padding, margin, gap, border-radius, border styles, display, flex properties, width, and height.
Design system token extraction — when you initiate an AI design analysis, visual comparison, or Design Token Audit, the extension samples up to 200 visible elements from the current page and extracts their computed CSS properties (colors, typography, spacing, borders, shadows) to detect design system patterns. The Design Token Audit is an AI-powered feature: the extracted token inventory (unique CSS values, their frequencies, and CSS custom property declarations from :root stylesheets), client-detected inconsistency findings (near-duplicate colors, orphan font sizes, off-scale spacing) with element selectors and bounding rectangles, optional Figma design tokens (if a Figma file is connected), the page URL, and viewport dimensions are forwarded to OpenAI's GPT-4o API for enrichment analysis. No form inputs, passwords, or hidden content are captured during this sampling.
axe-core accessibility results (AI-enriched) — the accessibility audit is an AI-powered feature. axe-core scans your page's DOM locally in your browser and produces a list of WCAG rule violations. For each rule that produced violations, the extension sends our server the rule ID, impact level, WCAG criterion, description, help text, help URL, tags, and the count of affected nodes. Along with this, the extension sends a small DOM metadata bundle for flagged elements (computed color, background-color, font-size, font-weight, line-height, display, and bounding rectangles), the total element count on the page, a screenshot of the current browser tab, and — if you have linked a Figma frame — the Figma frame image. Our server forwards this bundle to OpenAI's GPT-4o API, which visually analyzes the page to identify WCAG violations that automated tools cannot detect (non-text contrast, touch target size, clickable-but-not-focusable elements, hover/focus dismissal issues, ARIA composite pattern gaps, color-only information conveyance). The full page DOM is never transmitted.
Figma frame images — when you start a design comparison, the selected frame's PNG image is fetched from Figma's API, converted to base64, and sent to our server. The frame image is stored on Cloudflare R2 so the resulting issue can be viewed later.
Browser and device context — when you create an issue, the extension captures the following from your browsing session (parsed from your browser's User-Agent Client Hints API or the navigator.userAgent string) and attaches it to the issue as reproducibility context for the developer fixing the bug:
- Browser name (for example Chrome, Edge, Firefox, Safari)
- Browser version
- Operating system and version
- Viewport width and height
- Screen width and height
- Device pixel ratio
This information is visible to anyone you share the issue with. We do not use it for tracking, profiling, or fingerprinting.
Page URL and title — recorded at the moment you actively use a feature such as creating an issue, running an accessibility scan, or starting a design comparison, and stored alongside the issue you create.
Issue comments and @mentions — when you write a comment on an OverlayQA issue, the extension sends the comment text, the IDs of any team members you @mention, and a timestamp to our server. Comments are visible to all members of the team that owns the issue and can optionally be synced to the linked Figma comment thread when Figma is connected. You can edit or delete your own comments at any time. Comment text is not forwarded to OpenAI or any AI provider.
Fix Verification (AI-powered) — when you mark an issue as resolved and re-capture it, the extension uploads a new screenshot of the page (or element) and our server sends the following to OpenAI's GPT-4o API so it can compare the before and after states: the original screenshot URL, the current screenshot URL (both stored on Cloudflare R2), the issue title, issue description, element selector, and severity. For accessibility issue verifications, we also send the WCAG criterion, the axe-core rule ID, and the boolean results of re-running axe-core (whether the rule still flags the page and whether it still flags the original selector). If the element is no longer found on the page, or the viewport differs from the original capture, a single sentence describing that condition is appended to the prompt. GPT-4o returns a pass / fail / inconclusive verdict with a short natural-language explanation, which is stored alongside the issue.

We use this information to generate the issue report, draft AI-powered title and severity suggestions, compare your Figma design against the live page for visual comparison, and run accessibility audits. Issue reports can be exported to Jira, Linear, or Notion when you choose to do so.

The extension also maintains a local LRU index in IndexedDB of pages where you have used OverlayQA features (maximum 200 entries, 50 per hostname). Each entry contains the page URL, title, visit timestamp, and a compressed 200×200 JPEG thumbnail of the page captured at the time you used the feature. This index is stored only on your device and is never transmitted to our servers. It is removed when you uninstall the extension or clear browser data.

Passive browsing history. We do not track, record, or transmit a list of every page you visit. Page URLs and titles are only captured at the moment you actively use a feature such as creating an issue, running an accessibility scan, or starting a design comparison.

Passive page content. The extension does not read, log, store, or transmit the content of pages you visit unless you actively use a feature (creating an issue, running an audit, or starting a comparison). When you are signed in, an authenticated Server-Sent Events connection to api.overlayqa.com is maintained to deliver real-time notifications and Figma comment updates to your browser; this connection only carries notification payloads from our server to your browser and does not transmit page content, browsing history, or user activity from your browser back to us.

3. Usage Data (How You Use Our Service)

We collect basic usage data to understand how the Service is used and to improve it:

Your IP address, transmitted as part of standard HTTPS requests to api.overlayqa.com. Your IP address is stored in our database solely for rate-limit tracking on the free design comparison feature (to prevent abuse of the unauthenticated endpoint). PostHog, our product analytics sub-processor, also receives your IP address and derives approximate geolocation (city, country, region, timezone) for each analytics event — see the PostHog entry under Sub-processors below. IP addresses may also appear in server access logs maintained by our hosting provider (Railway) for security and abuse prevention.
Product analytics events such as sidebar opened, issue created, audit started, and screenshot captured, sent to PostHog. Event properties include feature usage metadata such as issue severity, issue type, and the page URL of the page you are inspecting when you initiate an accessibility scan or design comparison. These events do not contain page content or screenshots.

4. Info from Third-Party Logins

You can create an OverlayQA account using Google. When you sign up or log in to your OverlayQA account using Google, we store your profile information (name, email address, and profile picture), as authorized by you.

How We Use Your Data

We use the information described above to:

Operate the OverlayQA Service — create issue reports, run accessibility audits, and compare designs against live pages.
Generate AI-powered issue suggestions, visual design comparisons, and accessibility remediation guidance by forwarding the relevant page data to OpenAI. These AI features are core functionality of the product, not optional.
Authenticate you and keep you signed in across browser restarts.
Sync issues to external trackers (Jira, Linear, Notion) when you connect them and choose to export.
Send you account-related and service-related communications.
Analyze and improve the Service through aggregate usage data.
Detect and prevent abuse, fraud, and security incidents.

When We Share Your Information

We do not sell, rent, or trade your personal data. We share data only with the sub-processors listed under "Third-Party Services We Use" below, and only as required to operate the Service.

When you create an issue, run an accessibility audit, start a Figma design comparison, run a Design Token Audit, or verify a fix, the following data is forwarded to OpenAI's GPT-4o API: page screenshots, Figma frame images (when a Figma frame is linked), element selectors and metadata, computed CSS for pinned elements, element text content (innerText, up to 200 characters), page URL, page title, viewport dimensions, axe-core accessibility violation results, design system token data sampled from up to 200 page elements, and — for Design Token Audits — the token inventory (extracted CSS values, frequencies, CSS custom property declarations), client-detected findings with element selectors and bounding rectangles, and optional Figma design tokens. For Fix Verification, we additionally forward the original screenshot URL, the current (re-captured) screenshot URL, the issue title, issue description, element selector, and severity; for accessibility-issue verifications, we also include the WCAG criterion, the axe-core rule ID, and the boolean results of re-running axe-core (whether the rule still flags the page and whether it still flags the original selector), plus an optional single-sentence note when the element is no longer present or the viewport differs from the original capture. Your name, email, and account credentials are never sent to OpenAI. Per our agreement with OpenAI, data sent through their API is not used to train their models.

When you connect Figma, Jira, Linear, or Notion, the relevant issue or design data is sent to those services via their APIs using your OAuth credentials. This only happens when you initiate the connection and choose to export.

How Long We Keep Your Data & How We Protect It

Account data and issues are retained for as long as your account is active. You can request deletion of your account and all associated data at any time by contacting hello@overlayqa.com.
Screenshots and Figma frame images are retained for as long as the associated issue exists.
OAuth tokens (Figma, Jira, Linear, Notion) are encrypted at rest using AES-256-GCM.
Extension session tokens are signed using HMAC-SHA256 and expire automatically after 30 days.
All data in transit is encrypted via HTTPS/TLS.
API endpoints are protected by authentication middleware and rate limiting.
Local browser data is removed when you uninstall the extension or clear browser data.

No method of transmission over the internet is completely secure, and we cannot guarantee absolute security.

Your Rights and How to Exercise Them

You have the right to request access, correction, or deletion of your personal data; to delete your account; to disconnect integrations (which revokes our access to those services); to unsubscribe from communications; and to uninstall the extension at any time (which removes all locally stored data). To exercise any of these rights, contact hello@overlayqa.com.

Your Rights Under GDPR (For Users in the EU/EEA and the UK)

If you are in the EEA or the UK, we process your personal data under the following legal bases: contract performance (to provide the Service you signed up for), consent (for optional integrations and marketing communications), and legitimate interests (product analytics to improve the Service, including the IP address and derived geolocation data that PostHog captures on every analytics event — see the PostHog entry under Sub-processors). You have the right to access, rectify, erase, restrict, object to, and port your personal data.

Your California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we have collected about you, to request deletion, to opt out of the sale of personal information (we do not sell personal information and have no plans to do so), and to non-discrimination for exercising these rights.

Third-Party Services We Use (Our Sub-processors)

We use the following third-party services that collect or process data on our behalf:

OpenAI — AI analysis of screenshots, element metadata, computed CSS, element text content, page URLs, accessibility audit results, and fix-verification comparisons (before-and-after screenshots plus issue context) via their GPT-4o API. Core feature of the Chrome extension. Per our agreement with OpenAI, data sent through their API is not used to train their models.
Clerk — Authentication (including Google sign-in) and user management for the web dashboard.
Neon — PostgreSQL database hosting in the United States.
Railway — API server hosting in the United States.
Cloudflare — Hosting for uploaded screenshots and Figma frame images (R2) and CDN services.
PostHog — Product analytics for both the Chrome extension and the marketing website. For signed-in users, receives user ID and email to link analytics events to your account. PostHog also receives the IP address of analytics events and derives approximate geolocation (city, country, region, timezone) from it, which is stored alongside each event in PostHog's US infrastructure.
Netlify — Marketing website hosting.
Smartlook — Session recordings and analytics on the marketing website only. Not loaded by the Chrome extension.
Apollo — B2B lead intelligence loaded on the marketing website (assets.apollo.io) only. Apollo collects page views, IP address, and browser metadata for visitors to our marketing pages. Not loaded by the Chrome extension.

Each of these services operates under their own privacy policies. We encourage you to review them.

Other Important Details

Children. OverlayQA is not intended for use by children under the age of 13. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 13, we will delete it promptly.

Do Not Track. The extension does not alter its data collection in response to DNT signals, but performs no passive background tracking regardless of DNT settings — data is only collected when you actively use a feature.

International transfers. Data may be processed in the United States and other countries where our sub-processors operate. By using OverlayQA, you consent to this transfer. We ensure that all third-party processors maintain appropriate data protection standards.

Cookies and local storage. Our services use cookies and similar technologies (localStorage, chrome.storage) to maintain your session, remember preferences, and collect product analytics (PostHog, which also receives your IP address and derived geolocation — see Sub-processors). You can control cookie behavior through your browser settings. The Chrome extension's local storage can be cleared by removing the extension.

Changes to this policy. We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy.

Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us at hello@overlayqa.com.