

Security
Fubi is a feedback and review tool that runs directly on your website. We take security seriously and believe in transparency – so it’s always clear how Fubi works, where your data goes, and how we protect it.
Our Security Principles
Encrypted communication
All data between your browser and Fubi is transmitted over encrypted HTTPS connections.
Secure password storage
Passwords are hashed and never stored in readable form.
EU-based hosting
All data is stored on servers in Germany and does not leave the European Union.

No third-party tracking
We do not use third-party analytics and do not track visitors to your website.
How the Widget Works
Fubi is added to your website either as a JavaScript snippet or an npm package. By default, the widget is inactive – it activates only when the "?fubi" parameter is added to the page URL.
Until activation, it does not read the DOM, modify the page, or send any data.
After activation, the widget interacts with your page in the following ways:
01 Reads the DOM to target elements and create annotations
02 Modifies element attributes for visual feedback (e.g., highlighting, pins, and comment placement)
03 Captures screenshots using html2canvas to provide visual context inside threads
04 Sends data to our servers – including comments, screenshots, page URL, and browser metadata
Secure, transparent feedback hosted entirely in the EU with a privacy-first approach that never tracks your visitors.
Authentication
Fubi uses its own authentication system. Users log in with email and password.
01
02
In the widget, sessions are managed via localStorage
Access is restricted by team membership. Users can only view projects and data belonging to teams they’ve been invited to.
Infrastructure
Fubi runs on dedicated infrastructure hosted by Hetzner in Germany (EU). We use Coolify for deployment and PocketBase as the application backend and database.
All communication between the widget, the admin interface, and our servers is encrypted via HTTPS. SSL certificates are generated automatically through Let’s Encrypt.
Data Storage
All data – including comments, screenshots, user accounts, and project settings – is stored in PocketBase on our Hetzner infrastructure in Germany (EU).
Logging and Analytics
We collect technical logs for maintenance and service improvement:
01 Application events (errors, key actions)
02 Internal PocketBase logs (including request IP addresses)
03 Server-level logs via Coolify
Logs are used for debugging, monitoring, and abuse prevention. We do not use third-party analytics.
Data Isolation
Fubi is a multi-tenant application running on a single database. Access is controlled at the application level through team membership and roles. Users can only access data from teams they’ve been invited to.
Subprocessors
We use a limited number of third-party services to operate Fubi:
Subprocessor
Purpose
Location
GDPR and Regulatory Compliance
Fubi is hosted in the EU and follows standard data protection practices in accordance with GDPR.
Details about personal data processing are available in:
Incident Response
In the event of a security incident, we respond without delay and take appropriate measures. When required, we inform affected customers.
Questions?
Questions about security?
Contact us at security@fubi.app


