Privacy Policy

Last updated: July 18, 2026

At a glance — what we actually collect:

  • Account: email, display name, country, avatar (via Google OAuth or email signup).
  • Tester data: the Google email submitted per campaign, screenshot check-ins (EXIF metadata is stripped on upload).
  • Fraud signals: a hashed device fingerprint, IP addresses and user-agent on sensitive actions.
  • Payments: none. TesterWiz is free — we never collect card numbers, payout accounts, or any payment details.
  • Emails: sent via Resend (transactional only, no marketing).

1. Data we collect

Account data — email address, display name, country, and avatar URL, provided when you sign up with email or Google OAuth. Legal basis: performance of our contract with you.

Tester data — the Google account email you register for each campaign, and the screenshot check-ins you upload. Screenshots are re-encoded on upload, which removes EXIF metadata including GPS location. Legal basis: performance of contract.

Fraud-prevention signals — a hashed device fingerprint, and the IP address and browser user-agent recorded when you perform sensitive actions (signing up, enrolling). Legal basis: our legitimate interest in preventing fraud on a reciprocal platform where fake testing harms other users.

Payment data — none. The Service is free and has no payment features; we never collect card numbers, bank details, or payout accounts.

We do not collect data from children; the Service requires users to be 18 or older. We do not sell personal data and we do not use it for advertising.

2. How we use data

  • Operating the marketplace: matching campaigns and testers, verifying opt-ins, running the 14-day window.
  • Credit accounting on our internal ledger.
  • Fraud prevention: detecting duplicate accounts, fake check-ins, and coordinated abuse.
  • Transactional email: campaign status and check-in reminders. We do not send marketing email.
  • Support and dispute resolution.

3. Who sees your data

We share data only with the processors that run the Service:

  • Supabase — database, authentication, and file storage.
  • Resend — transactional email delivery.
  • Vercel — application hosting.

Within the product, a campaign's developer sees each applicant tester's display name, country, rating, completed-campaign count, the Google email that tester submitted for that campaign, and that tester's check-in screenshots. Testers see the campaign's app details and the developer's display name. We disclose data to authorities only when legally required.

4. Retention

  • Credit-ledger records: retained after account deletion for platform integrity and abuse prevention — but anonymized (no longer linked to you).
  • Screenshots: retained for the campaign's dispute window and deleted with your account.
  • Fraud signals (IP, fingerprint hashes): retained while your account exists.
  • Account data: deleted when you delete your account.

5. Your rights

Depending on where you live (GDPR in the EU/UK, CCPA in California, and similar laws elsewhere) you have the right to access, correct, export, and delete your personal data, and to object to or restrict certain processing.

You can exercise the two big ones yourself, immediately, from Settings: download a complete JSON export of your data, or delete your account. Deletion removes your profile, screenshots, and personal identifiers; credit-ledger records are kept in anonymized form. For anything else, email [email protected] and we will respond within 30 days. You also have the right to complain to your local data-protection authority.

6. Security

  • Row-level security scopes every database read and write to the signed-in user.
  • Screenshots live in a private bucket, served only through short-lived signed URLs to authorized viewers.
  • No payment or bank data exists on the platform at all.
  • Secrets are held in the hosting platform's encrypted environment, not in code.

If a breach affecting your personal data occurs, we will notify you and the relevant authorities as required by law.

7. International transfers

Our infrastructure providers (Supabase, Vercel, Resend) may process data in the United States and other countries. Where GDPR applies, transfers rely on the providers' Standard Contractual Clauses or equivalent safeguards, per each provider's data processing agreement.

8. Changes and contact

We will announce material changes to this policy by email or in-product notice before they take effect.

Privacy contact: [email protected]. We accept and respond to privacy requests by email. A postal address will be published here if and when the service incorporates.