Security

Fubi is a feedback and review tool that runs directly on your website. We take security seriously and believe in transparency — we want it to be clear how our product works, where your data goes, and what we do to protect it.

Our Security Principles

Encrypted communication

All data between you and Fubi is transmitted over encrypted HTTPS connections.

Secure password storage

Passwords are hashed and are never stored in readable form.

Hosting in the EU

All data is stored on servers in Germany and never leaves the European Union.

No third-party tracking

We do not use third-party analytics services and do not collect data about visitors to your website.

How the Widget Works

Fubi is added to your website either as a JavaScript snippet or as an npm package. By default, the widget is inactive — it activates only when the parameter ?fubi is added to the page URL.

Until it is activated, it does not read the DOM, modify the page, or send any data. After activation, the widget interacts with your page in the following ways:

  • Reads the DOM to target elements and create annotations
  • Modifies element attributes for visual feedback features (e.g., highlighting, pinning comments)
  • Takes screenshots using html2canvas to provide visual context in comments
  • Sends data to our servers — comments, screenshots, page URL, and browser metadata

Secure, transparent feedback hosted entirely in the EU with a privacy-first approach that never tracks your visitors.

Authentication

Fubi uses its own authentication system. Users log in using email and password.

  • In the admin interface, sessions are managed via cookies
  • In the widget, sessions are managed via localStorage
  • Access to projects is restricted based on team membership. You can only see data from teams you belong to.

Infrastructure

Fubi runs on a dedicated server provided by Hetzner in Germany (EU). We use Coolify for server deployment and management, and PocketBase as the application backend and database. All communication between the widget, the admin interface, and our servers is encrypted via HTTPS. SSL certificates are generated automatically through Let's Encrypt.

Data Storage

All data — comments, screenshots, user accounts, and project settings — is stored in PocketBase on our Hetzner server in Germany.

Logging and Analytics

We collect technical logs for maintenance and service improvement:

  • Application events (errors, key actions)
  • Internal PocketBase logs (including request IP addresses)
  • Server-level logs via Coolify

Logs are used for debugging, monitoring, and abuse prevention. We do not use third-party analytics services.

Data Isolation

Fubi is a multi-tenant application running on a single database. Access to projects and data is controlled at the application level through team membership and roles. Users can access only the data of teams they have been invited to.

Subprocessors

Subprocessor          Purpose                       Location
Hetzner Online GmbH   Server hosting                Germany (EU)
Mailjet (Sinch)       Transactional emails (SMTP)   France (EU)
Polar.sh / Paddle     Payment processing            EU / US

GDPR and Regulatory Compliance

Fubi is hosted in the EU and follows standard data protection procedures in accordance with GDPR. Details about personal data processing can be found in the following documents:

Incident Response

In the event of a security incident, we address the situation without delay and take appropriate measures. In relevant cases, we inform affected customers.

Questions?

Do you have questions about security? Contact us at security@fubi.app