Privacy Policy
1. Controller
Nedim Agic, sole proprietor (Einzelunternehmen, trading as United DigiArt Vision), Kossensee 2a, 91361 Pinzberg, Germany. Contact: [email protected]. A Data Protection Officer is not named (not legally required for an operation of this size).
2. What we process, why, and on what legal basis
We keep data minimal. The Service deliberately uses no CAPTCHAs and no behavioral/ad tracking.
| Data | When | Purpose | Legal basis (GDPR Art. 6(1)) |
|---|---|---|---|
| Email address | Email signup | Create/verify the account, send the verification link, account recovery, service notices | (b) performance of contract |
| GitHub identity (id, login, verified email) | GitHub signup (OAuth) | Create/link the account | (b) performance of contract |
| API keys | Account use | Authenticate your requests | (b). Stored only as a salted/sha256 hash; we cannot recover the raw key |
| IP address | Every request | Rate limiting, abuse prevention, security | (f) legitimate interest (protecting the Service and third parties) |
| Usage metadata (deploy timestamps, counts, tier) | Deploying | Enforce quotas, operate the Service | (b) and (f) |
| Submitted content / code ("Your Content") | Deploying | Build, run, and serve your app | (b). Ephemeral; see §5 |
| Server logs | Operation | Security, debugging, abuse handling | (f) |
We do not sell personal data and do not use it for advertising.
3. Email delivery
Verification and service emails are sent through Resend (Resend, Inc.) acting as our processor, under a data-processing agreement (GDPR Art. 28). We use Resend's EU sending region (Ireland, eu-west-1); the provider processes your email address and the message to deliver it. Resend, Inc. is US-incorporated; we rely on the EU Standard Contractual Clauses for any transfer.
4. Hosting
The Service runs on servers operated by Hetzner Online GmbH (Germany, EU), our hosting processor under a data-processing agreement. Data is processed in the EU.
5. Retention
- Deployments / Your Content: ephemeral; unclaimed previews are deleted after ~72 hours, claimed previews after ~7 days (current product values). We do not keep your deployed content beyond its lifecycle except in routine backups, which rotate.
- Accounts: kept until you delete the account or ask us to.
- API key hashes: until the key is revoked or the account is deleted.
- Logs / IP / usage windows: kept only as long as needed for security and quota enforcement (deploy-timestamp windows roll over within 24 hours; security logs are kept for a limited period and then deleted).
6. Recipients / processors
- Resend (Resend, Inc., US; EU sending region): email delivery (§3).
- Hetzner Online GmbH (Germany, EU): hosting (§4).
- Cloudflare, Inc. (US): DNS, reverse proxy and TLS for openpouch.dev and openpouch.sh; processes request IP addresses, under Cloudflare's data-processing agreement.
A current list of processors is available on request. We do not otherwise share personal data, except where legally required or to respond to lawful requests.
7. International transfers
Our processors Resend, Inc. and Cloudflare, Inc. are US-incorporated; we rely on the EU Standard Contractual Clauses (with supplementary measures as appropriate) under their respective data-processing agreements. Resend email sending is configured to the EU (Ireland) region, and Hetzner hosting is in the EU.
8. Your rights
Under the GDPR you have the right to access (Art. 15), rectification (16), erasure (17), restriction (18), data portability (20), and to object to processing based on legitimate interest (21). To exercise them, contact [email protected]. You also have the right to lodge a complaint with a supervisory authority; for Bavaria (the controller's state) this is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany.
Where we rely on consent, you may withdraw it at any time with future effect.
9. Automated decision-making
We do not carry out automated decision-making producing legal or similarly significant effects (GDPR Art. 22). Quota enforcement is a simple technical limit, not a profiling decision.
10. Cookies / tracking
The Service and landing page use only what is technically necessary (e.g. a session/CSRF value during GitHub login). No advertising or cross-site tracking cookies. The openpouch.dev landing page sets no cookies and runs no analytics/tracking (static page). A cookie banner is therefore not required; we will add one only if non-essential cookies are later introduced.
11. Changes
We may update this Policy; the effective date marks the current version, and material changes will be announced.
12. Contact
Nedim Agic, Kossensee 2a, 91361 Pinzberg, Germany · [email protected].