Privacy Policy

1. Who We Are

Data Controller: Mikael Vesavuori
Email: [email protected]
Location: Göteborg, Sweden

As a Sweden-based business, we comply with the General Data Protection Regulation (GDPR) and Swedish data protection laws.

Service Offerings

Phaset is available in two forms:

1. Self-Hosted Phaset: You download and run on your infrastructure
2. Managed Phaset: Hosted and operated for you on EU infrastructure

This Privacy Policy covers both offerings. Where handling differs, we explain clearly.

2. What Data We Collect

Website Analytics (Umami)

We use Umami, a privacy-focused analytics service, to understand how visitors use our website. Umami is GDPR-compliant and does not use cookies.

What we collect through Umami:

• Page views and navigation patterns
• Referrer sources (where visitors came from)
• Device type and browser information
• Anonymized location data (country/region only)

What we DON'T collect:

• Personal identifiers (no IP addresses, user IDs, or fingerprinting)
• Cookies or persistent tracking
• Cross-site tracking
• Individual user journeys

Umami data is hosted on Umami Cloud and aggregated anonymously. We cannot identify individual visitors from this data.

License and Payment Information

When you purchase a plan, we collect:

• Contact information (name, email address, organization name)
• Payment details (processed securely through Polar)
• License key
• Purchase date and license version

Payment processing is handled by Polar. We do not store your credit card information—Polar handles all payment data securely.

License Validation

When you run Phaset, the software performs a boot-time license check to validate your license key and guard against abuse. This check is made to our first-party back office system and includes:

• Your license key

This check happens only at startup and does not involve any operational data from your Phaset deployment.

Support Communications

If you contact us for support, we collect:

• Your email address and name
• The content of your messages
• Any technical information you choose to share

Managed Phaset (Hosted Service)

If you subscribe to Managed Phaset, our hosted service offering, data handling differs from self-hosted deployments:

What This Means

For Managed Phaset subscribers:

• Your operational data (catalogs, services, metrics, documentation) is stored on infrastructure we manage
• Currently hosted on Scaleway servers in France (EU)
• We are the Data Processor; you remain the Data Controller
• Data stays within the EU at all times

Data We Process for Managed Phaset

Operational data in your instance:

• Software catalog entries
• Service metadata and documentation
• Metrics and analytics data
• User management and access controls
• Organization settings and configurations

Infrastructure/system data:

• Instance health and performance metrics
• Backup snapshots (30-day retention)
• System logs for troubleshooting
• Security monitoring data

How We Access This Data

Access to your Managed Phaset data is strictly limited:

Routine access (no notification):

• Automated backups and system maintenance
• Security monitoring and threat detection
• Performance optimization

Support access (with your request):

• Troubleshooting technical issues you report
• Investigating bugs or errors you've encountered
• Assisting with configuration or setup

Emergency access (with notification):

• Responding to security incidents
• Critical system failures requiring immediate intervention

Never accessed for:

• Marketing or sales purposes
• Analytics about your usage patterns
• Training AI models
• Any purpose not related to operating your service

Your Data Protection Rights (Managed Phaset)

As a Managed Phaset customer, you have these additional rights:

• Export your data anytime: Free, no questions asked - contact [email protected]
• Request deletion: Upon cancellation, data deleted within 30 days
• Change infrastructure: If we switch providers, you can cancel with refund if you don't approve

Subprocessors for Managed Phaset

For a complete list of all subprocessors that process your operational data for Managed Phaset, including their locations, purposes, and GDPR compliance details, see:

phaset.dev/subprocessors.html

All subprocessors comply with GDPR. We'll notify you 30 days before changing subprocessors.

Data Processing Agreement (DPA)

A separate Data Processing Agreement is available upon request for Managed Phaset customers. To request a DPA, contact: [email protected]

Security Incident Notification

If a security incident affects your Managed Phaset data:

• Within 24 hours: Initial notification of incident
• Within 48 hours: Full incident report and resolution steps
• GDPR compliance: Authorities notified within 48 hours if required by law

See the Managed Service Agreement for complete details.

3. What We DON'T Collect

This is equally important. We do NOT collect:

• Your operational data (Self-Hosted Phaset): Catalogs, services, metrics, documentation, or any content you store in your self-hosted Phaset instance
• Telemetry from your Phaset instance: No usage analytics, feature tracking, or performance data beyond license validation
• Personal information from your users: We don't see who uses your Phaset instance or what they do (for self-hosted) or track individual user behavior (for Managed Phaset)
• Marketing data: No behavioral tracking, advertising profiles, or third-party data sharing
• Cookies: Our website doesn't use cookies (Umami is cookie-free)

Note: For Managed Phaset, we process your operational data as described in Section 2, but only for service operation purposes—never for marketing, analytics about usage patterns, or other purposes.

4. How We Use Your Data

We use the data we collect for these specific purposes:

Website Analytics

• Understanding which features interest visitors
• Improving website navigation and content
• Measuring the effectiveness of documentation

License Management

• Validating and managing your license
• Preventing license abuse
• Notifying you of updates and security patches
• Processing upgrades and renewals

Customer Support

• Responding to your questions and issues
• Troubleshooting technical problems
• Gathering feedback for product improvements

Legal Compliance

• Complying with GDPR and Swedish law
• Maintaining records for accounting and tax purposes
• Protecting our legal rights if necessary

5. Legal Basis for Processing (GDPR)

Under GDPR, we process your data based on:

• Contractual necessity: License management and support (when you purchase)
• Legitimate interests: Website analytics to improve our service
• Legal obligations: Financial records and tax compliance
• Consent: When you voluntarily contact us for support

6. Data Sharing and Third Parties

We share data only with essential service providers. The specific services depend on which Phaset offering you use:

For the Marketing Website (phaset.dev)

These services are only used on our marketing website, not within your Phaset instance:

Polar (Payment Processing)

• Purpose: Secure payment processing
• Data shared: Payment details, email, name
• Location: USA
• Privacy policy: polar.sh/legal/privacy

Umami (Website Analytics)

• Purpose: Privacy-friendly analytics for the marketing website only
• Data shared: Anonymized usage data from phaset.dev visitors
• Location: Umami Cloud (EU servers)
• Privacy policy: umami.is/privacy

For Managed Phaset Subscribers Only

If you subscribe to Managed Phaset, your operational data is processed by these additional subprocessors (see Section 2 for full details):

Scaleway (Infrastructure)

• Purpose: Virtual machine hosting for your Phaset backend
• Data shared: All operational data in your Phaset instance
• Location: France (EU)
• Privacy policy: scaleway.com/en/privacy-policy

Cloudflare Pages (Frontend Hosting)

• Purpose: Static hosting and CDN for your Phaset frontend
• Data shared: Frontend application code and assets
• Location: Global
• Privacy policy: cloudflare.com/privacypolicy

For Self-Hosted Phaset

If you self-host Phaset, none of your operational data is shared with third parties. Only the license validation check reaches our servers (see Section 2).

We do NOT:

• Sell your data to anyone
• Share data with advertisers or marketing platforms
• Use third-party tracking or ad networks
• Participate in data broking or behavioral targeting

7. Data Retention

We retain your data for as long as necessary:

• Website analytics: Aggregated data retained indefinitely (cannot identify individuals)
• License information: Retained while your license is active, plus 7 years for accounting/legal purposes
• Support communications (email): Retained for maximum 1 year after resolution
• Payment records: 7 years (Swedish tax law requirement)
• Managed Phaset operational data: Retained while your subscription is active, plus 30 days after cancellation (for data export window), then permanently deleted
• Managed Phaset backups: 30-day rolling retention during active subscription

After these periods, data is securely deleted or anonymized.

8. Your Rights Under GDPR

As an individual in the EU/EEA, you have these rights:

Right to Access

Request a copy of all personal data we hold about you.

Right to Rectification

Request corrections to inaccurate or incomplete data.

Right to Erasure ("Right to be Forgotten")

Request deletion of your personal data, subject to legal retention requirements.

Right to Restriction

Request that we limit how we use your data.

Right to Data Portability

Request your data in a machine-readable format to transfer elsewhere.

Right to Object

Object to processing based on legitimate interests (e.g., analytics).

Right to Withdraw Consent

Withdraw consent for data processing that relies on it (doesn't affect lawfulness of prior processing).

Right to Lodge a Complaint

File a complaint with your local data protection authority if you believe we've violated your rights.

To exercise your rights: Email [email protected] with your request. We'll respond within 30 days.

9. Data Security

We protect your data with:

• Encrypted connections (HTTPS/TLS) for all website traffic
• Secure storage for license and customer data (provided by Polar's services)
• Regular security updates and monitoring
• Minimal data collection principle

For your self-hosted Phaset instance, you are responsible for securing your deployment, including:

• Access controls and authentication
• Infrastructure security
• Data backups and encryption
• Network security

10. International Data Transfers

Our service providers (Polar, Umami) operate within the EU and comply with GDPR. If data must be transferred outside the EU, it's done under appropriate safeguards:

• Standard Contractual Clauses (SCCs)
• Adequacy decisions by the European Commission
• Other legally recognized mechanisms

11. Children's Privacy

Phaset is not intended for individuals under 16. We do not knowingly collect data from children. If we discover we've collected data from a child, we'll delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. When we do:

• We'll post the updated policy on this page
• We'll update the "Last Updated" date
• For material changes, we'll notify license holders by email

Continued use of our website or software after changes means you accept the updated policy.

13. Contact Us

Questions, concerns, or requests about your privacy?

Email: [email protected]
Response time: We aim to respond within 5 business days

For GDPR-related requests, include "GDPR Request" in your subject line for faster processing.