Privacy Policy

TuscanoLabs ("we", "us", "our") provides a test automation migration platform that helps engineering teams convert Selenium and Cypress test suites to Playwright. This Privacy Policy explains what information we collect when you use the service at tuscanolabs.com, how we use it, and the rights you have over it.

We have built TuscanoLabs around a simple promise: your test code is yours. We process it to produce a conversion report, retain it only as long as your report needs it, and we never use it to train AI models. This page describes that promise in detail.

Account information. When you sign up we collect your email address. If you sign in with GitHub we additionally receive your GitHub username and a scoped OAuth access token (used only to read repositories you choose to scan).

Scan inputs. To produce a migration report we process the test files you upload or the GitHub repository you point us at. This typically includes Selenium/Cypress test scripts, page object files, fixtures, framework configuration, and CI workflow files.

Generated reports. The output of a scan — converted Playwright code, findings, statistics — is stored against your account so you can revisit it later. You can delete any report at any time from the Dashboard.

Technical telemetry. We collect limited operational data such as IP address (for rate limiting and abuse prevention), user-agent string, and timestamps. We use Sentry to capture application errors and PostHog to understand product usage in aggregate.

We use the information above to operate, secure, and improve TuscanoLabs.

• Run scans, conversions, and AI-assisted enhancements you request
• Display your past reports in the Dashboard and let you re-download or re-convert them
• Authenticate you and protect your account from unauthorized access
• Detect abuse, rate-limit excessive usage, and investigate security incidents
• Diagnose bugs and crashes via aggregated error reports
• Understand which product features are used so we can improve the platform
• Respond to support requests you send us

We want to be explicit about what TuscanoLabs does not do with your data, because trust matters more than any feature we ship.

• We do not sell your personal data to anyone, ever
• We do not use your test code, source files, or scan results to train AI models — ours or anyone else's
• We do not store uploaded files permanently. Source files are kept alongside the report only as long as needed to power conversion preview, regeneration, and ZIP download, and are automatically purged after 30 days (or immediately when you delete the report)
• We do not share your code with third parties beyond the subprocessors strictly required to deliver the service (listed below)
• We do not access your GitHub repositories beyond the specific repository you ask us to scan
• We do not retain GitHub OAuth tokens in plaintext — they are encrypted at rest with AES-GCM

When you request an AI-assisted conversion, the relevant test code is sent to Anthropic's Claude API to produce the converted Playwright output. Anthropic processes this data under their commercial terms, which contractually prohibit using API inputs or outputs to train their models.

We send only the minimum context needed for the conversion: the source file, helper files referenced by the source, and a project-context summary. We do not send your account email, billing information, or any data unrelated to the file being converted.

Conversion output is returned to you in the report. Both input and output are kept only as long as the report itself exists in your account.

TuscanoLabs relies on the following third-party services to operate. Each provider processes data only as needed to deliver their part of the service, under their own privacy commitments and security certifications.

• Supabase — authentication, database, and edge function hosting (data hosted in Supabase managed infrastructure)
• Vercel — frontend application hosting and CDN delivery
• Anthropic (Claude API) — AI-assisted code conversion (zero-retention commercial terms)
• GitHub — OAuth identity and repository read access (only when you connect your GitHub account)
• Cloudflare Turnstile — bot protection and CAPTCHA on public scan endpoints
• PostHog — product analytics and feature usage telemetry
• Sentry — application error and crash reporting

Source files uploaded with a scan are stored alongside the report so that conversion preview, Convert All, regeneration, and ZIP download work correctly. They are automatically purged 30 days after the scan, or immediately when you delete the report.

Authenticated reports tied to your account are retained until you delete the report or your account. Deleting a report removes the report metadata, findings, converted artifacts, and any source snapshot stored alongside it. Public share links point at the same report and are revoked when the report is deleted.

Account information (email, GitHub connection, audit logs) is retained while your account is active and for a short period afterward to support fraud prevention, dispute resolution, and legal obligations.

Regardless of where you live, you can:

• Access — request a copy of the personal data we hold about you
• Correct — update inaccurate account information directly from your account settings
• Delete — remove individual reports from the Dashboard, or delete your entire account from Settings
• Export — download your reports as JSON or as a complete Playwright project ZIP
• Object — opt out of analytics tracking by using your browser's Do Not Track signal or contacting us
• Withdraw consent — disconnect GitHub at any time, which immediately deletes the stored OAuth token

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data on the following lawful bases under the GDPR: (a) performance of the contract you enter when you create an account and use the service, (b) our legitimate interests in operating, securing, and improving the platform, and (c) your consent for optional analytics and marketing communications.

You have the rights granted by Articles 15–22 of the GDPR, including access, rectification, erasure, restriction of processing, data portability, and objection. To exercise any of these rights contact support@tuscanolabs.com and we will respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority if you believe we have not handled your data appropriately.

TuscanoLabs uses a small number of cookies and similar technologies for authentication, security, and product analytics. For full details — including a per-cookie purpose and duration table and instructions on how to opt out — see our Cookie Policy.

We follow industry standard practices to protect your data: TLS encryption in transit, AES-256 encryption at rest for sensitive fields, row-level security policies on every database table that holds customer data, signature-verified JWT authentication on every API endpoint, rate limiting on expensive operations, and continuous security monitoring.

If you believe you have discovered a security vulnerability, please report it to security@tuscanolabs.com. We treat security reports as a top priority.

TuscanoLabs is not directed at children under 16 and we do not knowingly collect personal data from anyone under that age. If you believe a child has provided us with personal data, contact us and we will delete it.

We may update this Privacy Policy from time to time. Material changes will be announced in-product or by email to account holders before they take effect. The "Last Updated" date at the top of this page always reflects the current version.

For privacy questions, data subject requests, or anything else covered by this policy:

support@tuscanolabs.com