Data and privacy

bugstack sends error metadata, stack traces, environment info, and optional sanitized request context. It does not send cookies, IP addresses, or user data unless you explicitly enable capture.

What gets sent

Each SDK sends a different payload shape. Below is the exact data transmitted by each language.

JavaScript / TypeScript

The JS SDK sends the richest payload by default, including request context:

json

{
  "id": "unique-error-id",
  "fingerprint": "hash-for-deduplication",
  "name": "TypeError",
  "message": "Cannot read properties of undefined (reading 'name')",
  "stack": "TypeError: Cannot read properties of undefined ...",
  "stackFrames": [
    { "file": "src/users.ts", "function": "getUserName", "line": 42, "column": 12 }
  ],
  "route": "/api/users/:id",
  "method": "GET",
  "statusCode": 500,
  "url": "/api/users/123",
  "queryParams": { "include": "profile" },
  "requestBody": { "...redacted fields removed..." },
  "requestHeaders": { "...sensitive headers removed..." },
  "routeParams": { "id": "123" },
  "environment": "production",
  "projectId": "proj_xxx",
  "metadata": {}
}

Python

json

{
  "apiKey": "...",
  "error": {
    "message": "AttributeError: 'NoneType' object has no attribute 'name'",
    "stackTrace": "Traceback (most recent call last): ...",
    "file": "app/models/user.py",
    "function": "get_display_name",
    "fingerprint": "hash-for-deduplication"
  },
  "environment": {
    "language": "python",
    "languageVersion": "3.12.0",
    "framework": "django",
    "frameworkVersion": "5.0.1",
    "os": "linux",
    "sdkVersion": "0.1.0"
  },
  "timestamp": "2026-04-18T12:00:00Z"
}

Ruby

json

{
  "apiKey": "...",
  "error": {
    "message": "NoMethodError: undefined method 'name' for nil:NilClass",
    "stackTrace": "app/models/user.rb:12:in 'get_display_name' ...",
    "file": "app/models/user.rb",
    "function": "get_display_name",
    "fingerprint": "hash-for-deduplication"
  },
  "environment": {
    "language": "ruby",
    "languageVersion": "3.3.0",
    "framework": "rails",
    "frameworkVersion": "7.1.2",
    "os": "linux",
    "sdkVersion": "0.1.0"
  },
  "timestamp": "2026-04-18T12:00:00Z"
}

Go

json

{
  "apiKey": "...",
  "error": {
    "message": "runtime error: invalid memory address or nil pointer dereference",
    "stackTrace": "goroutine 1 [running]: main.getUserName(...) ...",
    "file": "handlers/user.go",
    "function": "getUserName",
    "fingerprint": "hash-for-deduplication"
  },
  "environment": {
    "language": "go",
    "languageVersion": "1.22.0",
    "framework": "gin",
    "frameworkVersion": "1.9.1",
    "os": "linux",
    "sdkVersion": "0.1.0"
  },
  "timestamp": "2026-04-18T12:00:00Z"
}

What is never sent

Cookies — never transmitted by any of the four SDKs
IP addresses — never transmitted by any of the four SDKs
User data — never transmitted by any of the four SDKs
Request bodies — off by default in Python, Ruby, and Go. The JavaScript SDK has captureRequestBody: true by default — set it to false to disable. Note this difference if your JS app handles sensitive form data.

Automatic redaction

The JavaScript SDK automatically redacts the following fields from request bodies and headers before transmission:

Redacted body fields: password, secret, token, apikey, api_key, apiKey, authorization, auth, credential, private, credit_card, creditcard, card_number, cvv, ssn, social_security

Always-redacted headers: authorization, cookie, set-cookie, x-api-key, x-auth-token, proxy-authorization

The Python, Ruby, and Go SDKs accept custom redaction via the redact_fields configuration option, letting you specify additional fields to strip before transmission.

Inspect or drop events with before_send

Every SDK supports a before_send hook that lets you inspect, modify, or drop error events before they leave your server.

JavaScript / TypeScript

javascript

const { initBugStack } = require('bugstack-sdk');

initBugStack({
  apiKey: process.env.BUGSTACK_API_KEY,
  beforeSend(event) {
    // Drop health-check errors
    if (event.route === '/health') return null;
    return event;
  }
});

Python

python

import bugstack

def before_send(event):
    # Drop health-check errors
    if "health" in event.get("error", {}).get("message", ""):
        return None
    return event

bugstack.init(
    api_key="your-api-key",
    before_send=before_send
)

Ruby

ruby

require "bugstack"

Bugstack.configure do |config|
  config.api_key = "your-api-key"
  config.before_send = Proc.new do |event|
    # Drop health-check errors
    next nil if event["error"]["message"].include?("health")
    event
  end
end

Go

import "github.com/bugstackai/bugstack-go"

bugstack.Init(bugstack.Config{
    APIKey: "your-api-key",
    BeforeSend: func(event map[string]interface{}) map[string]interface{} {
        // Drop health-check errors
        if strings.Contains(event["error"].(map[string]interface{})["message"].(string), "health") {
            return nil
        }
        return event
    },
})

Preview without sending: dry run mode

Dry run mode lets you see exactly what the SDK would send without actually transmitting data. The payload is logged locally so you can inspect it. The JavaScript SDK does not currently support dry run mode.

Python

python

bugstack.init(
    api_key="your-api-key",
    dry_run=True
)

Ruby

ruby

Bugstack.configure do |config|
  config.api_key = "your-api-key"
  config.dry_run = true
end

Go

bugstack.Init(bugstack.Config{
    APIKey: "your-api-key",
    DryRun: true,
})

Encryption at rest

All sensitive credentials stored by bugstack — your API keys and GitHub tokens — are encrypted at rest using AES-256-GCM. Each user account has isolated encryption keys. bugstack never stores your source code; files are retrieved transiently per fix and discarded after the pull request is created.

Next steps

Ship with confidence

bugstack captures only what it needs to fix your errors. No cookies, no IP addresses, no user data by default.

Start Free

14-day free trial · No credit card required