Weevil

Privacy policy

Last updated July 6, 2026

The short version

  • Weevil only records while you’ve started an active capture — never silently, never in the background.
  • Header secrets (auth tokens, cookies, API keys) and password field values are redacted automatically. Password redaction can’t be turned off.
  • You review every capture before it uploads. Discard it and nothing leaves your device.
  • We don’t sell your data, run ads, or share captures with third parties. The extension has no third-party analytics or tracking SDK.
  • No remote code — everything the extension runs ships inside the reviewed extension package.

The rest of this page covers the details — what exactly gets captured, what is and isn’t redacted, and how to reach us.

What Weevil is

Weevil is a Chrome extension and web app for capturing bug reports — combining screen recording, console logs, network activity, and user actions into one shareable timeline, so a team can reproduce an issue without back-and-forth. This policy explains what the extension and web app collect, what’s protected automatically, and how you can control it.

When we collect data

Capture data is only collected while a recording is active — something you start and stop yourself from the extension popup, with a visible recording indicator on screen the whole time. Weevil never records in the background or before you click start.

Separately, when you sign up and use the dashboard, we collect ordinary account data — your email and workspace membership. That’s account data, not capture content, and it’s handled the same way any web app handles a signup.

What a capture includes

  • Screen recording and screenshots of the tab you chose to capture.
  • Console logs and runtime errors, including the logged arguments (each truncated after roughly 2,000 characters).
  • Network requests and responses — headers, and text-based bodies (JSON, HTML, and similar) up to roughly 20,000 characters each. Binary bodies such as images and fonts aren’t read.
  • User actions: clicks, key presses, scrolling, and navigation, including values typed into form fields.
  • Page context: URL, page title, and basic performance/timing metrics.

What’s redacted automatically

  • Header secrets. Authorization, Cookie, and similarly named headers (tokens, API keys, session identifiers) are redacted by default. This can be adjusted from the extension’s options page if you need to.
  • Password fields. The value typed into a password field — or a field marked as a password, card, or one-time-code field — is replaced with [redacted] before it’s recorded, for both the field’s value and every keystroke typed into it. This protection always runs and can’t be turned off.

What isn’t redacted automatically

Other typed text, console output, and network request/response bodies are captured as they appear on the page, because Weevil has no way to know which of those might be sensitive without reading them. If a page you’re capturing displays or logs personal information outside of a password field — an email address in a support ticket, for example — that content will show up in the capture the same way it appears on the page.

If you’re about to capture a page with sensitive personal, financial, or health data you don’t want recorded, the safest option is not to start a capture on it. If you do and change your mind, see the next section — nothing uploads until you say so.

You’re in control before anything uploads

After you stop a capture, you review it locally before it’s sent anywhere. Discard it and nothing leaves your device. Uploading is a separate, explicit action you take afterward.

Where your data goes

Uploaded captures are stored on Weevil’s servers and associated with the workspace you uploaded them to. Only members of that workspace, per their role and permissions, can view a capture. We don’t sell capture data, use it for advertising, or share it with third parties outside of operating the product. The extension doesn’t include any third-party analytics or tracking SDK.

Deleting your data

You can delete a capture from your dashboard at any time, which removes it from your workspace immediately. If you need a capture permanently erased from our storage — for compliance reasons, for example — email us at centurycode23@gmail.com and we’ll take care of it directly.

No remote code

Every script the extension runs is bundled inside the extension package you install from the Chrome Web Store and reviewed by Google as part of that listing. Weevil doesn’t fetch or execute code from an external server at runtime.

Location and IP address

The extension itself doesn’t access your device’s precise location and doesn’t collect your IP address as part of a capture. Our servers may log IP addresses in standard request logs for security and abuse prevention, as most web services do.

Children’s privacy

Weevil is a developer tool built for engineering teams and isn’t directed at children. We don’t knowingly collect data from anyone under 13.

Changes to this policy

If we make a meaningful change to how Weevil handles data, we’ll update this page and its “last updated” date above.

Contact us

Questions about this policy or your data? Email centurycode23@gmail.com — the same inbox as support.