Privacy Policy

What we collect, why, and for how long.

TestTorch records testing sessions on purpose — that's the product. This page says exactly what that means for your data, in plain words.

Version 2026-07-03 · Last updated 3 July 2026

1. Who is responsible

The controller for your personal data is TTB Software Development B.V. (Lagedijk 11A, 2064 KV Spaarndam, the Netherlands — full details on the imprint). For anything privacy-related, write to info@testtorch.com.

2. What we collect and why

Data Purpose Legal basis Kept
Account data (name, email, time zone, roles) Running your account and the marketplace Contract Life of the account + 30 days
Tester application (your pitch, availability) Screening testers for quality Contract (pre-contractual measures) Life of the account
Session recordings (see section 3) Proof of work for the client; dispute evidence Contract 18 months after the job ends, then deleted
Payment & payout records Escrow, payouts, tax obligations Contract; legal obligation 7 years (Dutch fiscal retention)
Disputes and rulings Arbitration record for money decisions Contract; legitimate interest 7 years (with the money records they justify)
Technical logs (IP addresses, error reports) Security and debugging Legitimate interest Up to 90 days

3. Session recordings, specifically

When a tester starts a testing session, their walkthrough of the client's app is recorded: screen interactions (the page structure and what was clicked), console output, and request metadata (method, URL without query parameters, status, sizes — never request or response bodies, never headers). Everything typed into form fields is masked before it leaves the browser.

Recording is scoped to the tester's own session via a signed, time-limited token — it never captures a client's real users. The client who posted the job can watch the recording; TestTorch staff view it when a dispute needs a ruling. Recordings are deleted 18 months after the job they belong to ends; the tester's written findings remain with the account.

4. Automated decision-making

Tester applications are screened with the help of an AI model, which scores the application (pitch quality, experience signals, availability). High-confidence scores approve or reject the application automatically; anything the model is unsure about goes to a human reviewer. Because an automated rejection affects your ability to earn on the platform, you always have the right to request review by a human: reply to the decision email and a person will re-review your application themselves. This is the Article 22 GDPR safeguard, and it's also just how we'd want to be treated.

5. Who processes data for us

Processor What for Where / transfer safeguard
Stripe Payments, escrow, tester payouts (Stripe is independently responsible for its own account verification) EU entity; SCCs for any US processing
OpenAI Scoring tester applications (the pitch text you submit) United States; EU-US Data Privacy Framework
Google (Gmail) Sending transactional email United States; EU-US Data Privacy Framework
Sentry Error monitoring (with personal-data scrubbing enabled) United States; EU-US Data Privacy Framework
Hosting Running the application and database EU datacenter
jsDelivr CDN serving the recording library to pages being tested (not to this site) Global CDN; serves a public JS file, receives no account data

6. Cookies

TestTorch sets only strictly necessary, first-party cookies: your login session and your light/dark theme preference. No tracking cookies, no third-party cookies, no analytics cookies — which is why there is no cookie banner. If that ever changes, this policy and the site will change with it.

7. Your rights

Under the GDPR you can ask for access to your data, correction, deletion, restriction of processing, a portable copy, and you can object to processing based on legitimate interest. Email info@testtorch.com and we'll respond within 30 days. One honest caveat: payment, payout and dispute records are kept for 7 years under Dutch tax law even if you delete your account — we anonymize the account they point to instead of deleting the financial history. If you're not happy with how we handle a request, you can complain to the Dutch supervisory authority, the Autoriteit Persoonsgegevens.

8. Security

Data travels over TLS and lives in an EU datacenter. Application secrets are encrypted at rest, access to data inside the product is role-gated and deny-by-default, and recordings are reachable only by the people section 3 names. No system is perfectly secure; if a breach ever affects your data we'll notify you and the authority as the GDPR requires.

← Back to TestTorch