[brackets] and must be reviewed by counsel before you rely on it.Privacy Policy
Last updated: [DATE]
This Privacy Policy explains how [LEGAL ENTITY] ("we", "us") collects and processes personal data when you use OTA Console (the "Service"). We act as a data controller for account data and as a data processor for the update, device, and telemetry data our customers push through the Service on behalf of their own users. Governing law: [JURISDICTION].
1. Data we collect
- Account & identity — name, email, and organization membership, handled by our authentication provider (Clerk). Passwords are never stored by us.
- Tenant & app configuration — tenant, app, channel, flag, and API key metadata you create (API key secrets are stored only as hashes).
- Release & device telemetry — update-apply events, adoption counts, and crash/incident reports reported by your end-user devices. These may include device identifiers and error diagnostics.
- Operational logs — request metadata (timestamps, paths, status) used for security and debugging.
2. How we use it
To operate the Service: authenticate you, store and serve your releases, compute rollout and adoption metrics, detect crash-driven incidents, enforce plan limits, and keep an audit trail. We do not sell personal data or use it for advertising.
3. Legal bases (GDPR)
We process account data to perform our contract with you, operational and security data under our legitimate interests, and any optional processing with your consent. Where we process customer end-user data, we do so under a Data Processing Agreement (see our Terms) as your processor.
4. Subprocessors
- Clerk — authentication and user management.
- Hetzner Online GmbH — EU-based hosting and compute (Germany).
- Cloudflare — DNS. [Add any others you enable.]
5. Data location & retention
Data is hosted in the EU (Hetzner, Germany). We retain account data for the life of your account and telemetry for [RETENTION PERIOD, e.g. 90 days], after which it is deleted or aggregated. You can trigger event pruning from the Service at any time.
6. Your rights
Subject to applicable law, you may request access, correction, deletion, portability, or restriction of your personal data, and may object to certain processing. To exercise these rights, contact [PRIVACY CONTACT EMAIL]. You may also lodge a complaint with your supervisory authority.
7. Security
Traffic is encrypted in transit (TLS). Update packages are Ed25519-signed and verified on-device; API key secrets are stored as hashes; access is authenticated and audited.
8. Contact
[LEGAL ENTITY], [ADDRESS] — [PRIVACY CONTACT EMAIL].