Overview
Shuddhi QA (shuddhiqacloud.vercel.app) is an AI-powered QA test case generator built and maintained by Ramya, Senior QA Engineer, Bengaluru, India. This privacy policy explains what data is collected, how it is used, and your rights regarding that data.
Sign In & Account Data
Signing in to Shuddhi QA is entirely optional. Anonymous users get 3 free generations. Signed-in users get 10 free generations and cross-device preference sync.
Shuddhi QA uses Firebase Authentication (Google LLC) as its identity provider. Sign-in is available via:
- Google Sign-In — OAuth 2.0 scopes requested:
openid,profile(display name, profile photo URL),email. No access to Gmail, Drive, Calendar, or any other Google service. - Microsoft Sign-In — OAuth 2.0 scopes requested:
openid,profile,email. No access to Microsoft 365, OneDrive, Teams, or any other Microsoft service.
When you sign in, Firebase Authentication provides Shuddhi QA with:
| Data | Source | How we use it | Stored where |
|---|---|---|---|
| Display name | Google / Microsoft profile | Show your name in the navigation bar | Browser memory only |
| Email address | Google / Microsoft account | Identify your account, shown in nav bar | Browser memory only |
| Profile photo URL | Google / Microsoft profile | Show your avatar in the nav bar | Browser memory only |
| Firebase UID (unique ID) | Firebase Authentication | Key your preferences in Firestore, scope trial counter | Firestore + localStorage |
| Sign-in provider | Firebase Authentication | Display which account type is active | Browser memory only |
How to sign out and delete your account data: Click your avatar in the navigation bar → Sign Out. To delete all Firestore preferences associated with your account, use Settings → Usage & Cost → Reset all data, then sign out. You can also revoke Shuddhi QA's access from your Google Account permissions or Microsoft account.
Firestore Preference Sync
When signed in, Shuddhi QA syncs a small set of non-sensitive preferences to Google Firestore so your settings follow you across devices. This data is stored in your personal Firestore document at users/{your_firebase_uid} and is accessible only to you.
| Preference synced | Example value | Why synced |
|---|---|---|
| Last session (platform, module, domain, format) | D365 F&O, Accounts Payable, Full | Pre-fill settings on next visit / new device |
| Generation history | Last 30 events (platform, module, timestamp) | Smart suggestions after 3+ generations |
| Dismissed suggestions | {suggestion_id: timestamp} | Don't re-show suggestions you've dismissed |
| Total TCs generated | 247 | Cumulative hours-saved counter |
| Advanced panel state | true / false | Remember if Customize panel is open |
| Theme preference | dark / light | Your theme follows you to new devices |
/api/claude, /api/ado, /api/jira), which never stores them server-side and uses them only to forward the request to the respective AI or integration provider.Data Collected Without Sign-In
For anonymous users (no sign-in), Shuddhi QA collects only what is stored in your own browser:
| Data | Where stored | Purpose | Sent to server? |
|---|---|---|---|
| AI provider preference | Browser localStorage | Remember your selected provider | No |
| Personal API keys (Claude, Gemini, Groq, OpenAI, Together AI, Azure OpenAI) | Browser localStorage | Forwarded to the AI provider to generate test cases | Yes — POST body to our /api/claude proxy (not stored), then the AI provider |
| ADO / Jira credentials | Browser localStorage | Connect to your Azure DevOps or Jira | Only to ADO/Jira via proxy |
| Usage statistics (token counts, cost estimates) | Browser localStorage | Usage & Cost panel display | No |
| Session history (last 20 generations) | Browser localStorage | Reload recent test cases | No |
| Free trial counter | Browser localStorage | Track free generation usage (3 anon / 10 signed-in) | No |
| Google OAuth access token (billing) | Browser sessionStorage only | Read Google Cloud billing info (optional feature) | Proxied to Google Cloud API |
| Google billing account ID | Browser localStorage | Remember selected billing account | No |
localStorage and sessionStorage — standard browser storage never shared across sites. Firebase Authentication uses IndexedDB for session persistence; this is not used for tracking.Google Cloud Billing Data
Shuddhi QA offers an optional Google Cloud Billing sync (separate from Sign-In) that displays your AI spending directly inside the Usage & Cost tab.
- Scope requested:
https://www.googleapis.com/auth/cloud-billing.readonly— read-only access to your billing account information only. - What we read: Billing account name, account ID, status, linked project, budget caps, and spending information.
- What we do NOT read: Gmail, Google Drive, Google Calendar, contacts, or any other Google service data.
- Token storage: The OAuth access token is stored only in
sessionStorage— deleted automatically when you close the browser tab. Never written to localStorage, cookies, or any server. - Server handling: The access token is passed to our Cloudflare proxy solely to forward requests to the Google Cloud Billing API. It is never logged, stored, or retained.
How to revoke: Click Disconnect in Settings → Usage & Cost, or visit myaccount.google.com/permissions.
AI Provider Data Processing
When you generate test cases, your requirement text and uploaded documents are sent to the selected AI provider. Each provider processes this data under their own privacy policy:
| Provider | Privacy Policy | Data region | |
|---|---|---|---|
| 🤖 Anthropic (Claude) | anthropic.com/privacy | United States | |
| ✦ Google (Gemini) | policies.google.com/privacy | United States | |
| ⚡ Groq (Llama) | groq.com/privacy-policy | United States | |
| OpenAI (optional) | GPT-4o mini | openai.com/policies/privacy-policy | United States |
| Together AI (optional) | DeepSeek V3 / Llama | together.ai/privacy | United States |
| ☁️ Azure OpenAI (optional · BYO) | privacy.microsoft.com | Your own Azure resource region |
localStorage. With each generation request they are sent as a POST body over HTTPS to our Cloudflare Functions proxy (/api/claude), which uses them solely to forward the request to the respective AI provider — they are never logged or stored on Shuddhi QA's servers. All bundled providers are US-hosted; Azure OpenAI (optional · BYO) runs in the region of your own Azure resource, which you control. No data is transmitted to Chinese servers.🧠 Smart Detect — Platform & Domain Detection
When you click Smart Detect, your requirement text (up to 3,000 characters) is sent to Groq's Llama 3.3 70B model via Shuddhi QA's Cloudflare Function (/api/detect) to identify the enterprise platform, business domain, compliance context, and stakeholders.
| Attribute | Detail |
|---|---|
| Data sent | Requirement text only (truncated to 3,000 chars) |
| Personal data | None — no user identifiers, keys, or account info |
| API key used | Shuddhi QA's Groq server key — free for all users |
| Storage | Not stored — Groq processes and returns result only |
| Activation | Optional — only triggered when you click the button |
| Provider policy | groq.com/privacy-policy |
Third-Party Services
Shuddhi QA integrates with the following services:
- Google Firebase (Authentication + Firestore) — Used for optional sign-in and cross-device preference sync. Governed by Firebase Privacy Policy. Data stored in the
us-central1region. - Azure DevOps — Test plan push uses your Personal Access Token, stored in browser localStorage and forwarded via our proxy to
dev.azure.com. - Jira (Atlassian) — Ticket fetch uses your API token, stored in browser localStorage and forwarded via our proxy to your Jira instance.
- Cloudflare Pages — Hosts the application. May retain standard server access logs (IP, path, timestamp) for up to 30 days per Cloudflare's Privacy Policy. No request body is logged.
- Google Fonts — Fonts loaded from
fonts.googleapis.com. Google may log the font request IP address. - Exchange Rate APIs — USD→INR rate fetched from
exchangerate-api.comfor cost display. No personal data is sent.
No analytics services, advertising networks, or social media trackers are used.
Microsoft Copilot & MCP Integration
When you invoke Shuddhi QA from Microsoft 365 Copilot or any other Model Context Protocol (MCP) client (Claude Desktop, Cursor, Continue, etc.), the following data flows occur:
1. Tool invocation requests — Your MCP client sends a JSON-RPC 2.0 request to our MCP server at https://shuddhiqa-mcp.ramya9-b.workers.dev/mcp. The request includes the tool name (generateTestCases, fetchJiraIssue, pushToADO, listTemplates, detectPlatform), the arguments you provided, and any caller-supplied credentials.
2. What we store from MCP calls — Operational metrics only: request counts, error rates, tool-name frequencies. Retention: 90 days, then aggregated to monthly counts for 12 months. We do not store the text of your requirements, the content of Jira tickets you fetch, the test cases generated for you, or any caller-supplied credentials.
3. What we forward, and to whom — Depending on the tool you invoke, your data is forwarded to:
generateTestCases→ the AI provider you select (Anthropic, Google, Groq, OpenAI, Together AI, or Azure OpenAI). The provider's privacy policy applies.fetchJiraIssue→ your Jira instance (the URL you provide). We act as a stateless proxy.pushToADO→dev.azure.com. We act as a stateless proxy with your supplied PAT.listTemplates→ no external call. Templates are bundled in the MCP server.detectPlatform→ our hosted detection endpoint, which forwards to your configured AI provider.
4. Where the MCP server runs — Cloudflare Workers global edge network. Stateless — no database, no persistent storage of customer content. Cloudflare's privacy policy applies to network-level telemetry.
5. Caller-supplied credentials — Jira API tokens, Azure DevOps PATs, and AI provider keys you pass in tool calls are held in memory for the duration of a single request and explicitly discarded before the request completes. They are never logged, persisted, or shared.
6. Data residency for AI provider responses — We do not control the geographic region of most AI provider responses. Organizations with data residency requirements can use the Azure OpenAI provider (live now) — bring your own Azure endpoint and the request is processed in your chosen Azure region — or self-host the Shuddhi QA MCP server (source at github.com/ramya9b/shuddhiqacloud) in their preferred region.
Data Retention & Deletion
- Browser localStorage — Persists until you clear browser data or click Reset all data in Settings → Usage & Cost.
- Browser sessionStorage — Deleted automatically when you close the browser tab.
- Firestore preferences — Retained as long as your Firebase account exists. Delete via Settings → Usage & Cost → Reset all data (signed in), then revoke access in your Google or Microsoft account settings.
- Firebase Auth account — Exists as long as you have signed in at least once. To delete your account and all associated data, click your avatar → Delete my data & account from inside the app. This permanently deletes your Firestore document, clears all localStorage, and removes your Firebase Auth account.
- Generated test cases — Stored only in browser localStorage (last 20 sessions). Never on servers.
- Server logs — Cloudflare Pages access logs retained up to 30 days. No request body content is logged.
Your Rights
You have the following rights regarding your data:
- Access: Open DevTools → Application → Local Storage / IndexedDB to see all locally stored data.
- Delete local data: Settings → Usage & Cost → Reset all data, or clear browser data for this site.
- Delete Firestore data: Sign in → Settings → Usage & Cost → Reset all data, then sign out.
- Delete Firebase Auth account: Click your avatar → Delete my data & account inside the app. This deletes your Firestore document, clears all shuddhi localStorage keys, and permanently removes your Firebase Auth account.
- Revoke Google Sign-In: myaccount.google.com/permissions → Shuddhi QA → Remove access.
- Revoke Microsoft Sign-In: account.microsoft.com/privacy/app-access → Shuddhi QA → Remove.
- Revoke Google Billing access: Settings → Usage & Cost → Disconnect, or via Google Account permissions.
- Data portability: Export usage data as CSV from Settings → Usage & Cost → Download CSV.
Security
- All network traffic uses HTTPS/TLS encryption.
- API proxy endpoints validate request origins and reject cross-origin requests from non-whitelisted domains.
- OAuth tokens (Google Cloud Billing) are never written to persistent storage or server-side logs.
- Firebase Authentication is managed by Google. Shuddhi QA never sees or stores your Google or Microsoft password.
- The application is deployed on Cloudflare Pages with DDoS protection and WAF.
- Firebase Firestore security rules restrict each user's document to their own Firebase UID only:
allow read, write: if request.auth.uid == userId.
Changes to This Policy
The updated date at the top of this page will be updated when this policy changes materially. Since Shuddhi QA collects email addresses only for signed-in users and does not use them for marketing, we cannot proactively notify users. Please check this page periodically.
Continued use of Shuddhi QA after policy changes constitutes acceptance of the updated policy.
Contact
For privacy questions, data deletion requests, or concerns:
LinkedIn Share Unlock
The free trial gate includes an optional LinkedIn share unlock. Clicking the share button opens LinkedIn's native share dialog in a new tab.
- Shuddhi QA has zero access to your LinkedIn profile, connections, posts or account data.
- No LinkedIn data is collected or stored. The share is entirely client-side.
- Clicking "I've Shared — Unlock" resets your local generation counter only.