There seems to be a website link missing there? A web search for "wiretap" is not supremely effective. Since we're using it for debugging and investigation, what's the plan for logs and log retention? I suspect you and I should sit down for half an hour to braindump on the plan here, but I'd like to look over their web site first.
Sorry, I had the URL in the original bug, but forgot to include it when I used the new security review request form because it wasn't an explicit field. https://httpkit.com/wiretap In the SaaS model, the default is for recorded data to expire in 24 hours. It is customizable per collection endpoint and also per specific headers so you can do things like throw away auth headers after 5 minutes and such. Definitely take a look at the website, it should give you a good feeling for the concept, and then feel free to ping me to chat about the plan.
Okay, I totally understand what the deal is here. Based on the use case evangelised on the site, it looks like users wouldn't be interacting with the service: it'd just be developers/testers. If that's the case, then I don't see any privacy impact at all. Please re-open if I don't get it.
This assessment is how I see it and works fine for me. If there are any privacy concerns that come up in other bugs, I will make sure and let you know.