Privacy Policy

1. Data Controller

The controller within the meaning of Art. 4(7) GDPR is:

Email: privacy@larasell.dev

2. Types of Data Collected

We collect and process the following categories of personal data:

• Account data: name, email address, password (hashed), and optional profile information you provide during registration or account management.
• Billing data: billing address, payment-related identifiers, invoice history, and subscription details as processed through our billing provider.
• Technical data: IP addresses, browser type, operating system, device identifiers, referrer URLs, and timestamps of access.
• Usage data: information about how you interact with the Platform, including pages visited, features used, and application deployment metadata.
• Error and diagnostic data: stack traces, request metadata, and technical context collected when errors occur on the Platform.
• Communication data: content of emails or support requests you send to us.

3. Purpose and Legal Basis for Processing

We process personal data only where we have a lawful basis under Art. 6(1) GDPR. The following table summarises each processing activity, its purpose, and the corresponding legal basis:

Where we rely on legitimate interest, we have conducted a balancing test and concluded that our interests do not override your fundamental rights and freedoms. You may object to processing based on legitimate interest at any time (see Section 11).

4. Hosting and Infrastructure (Fly.io)

Our Platform and your hosted applications run on infrastructure provided by Fly.io, Inc. (Chicago, IL, United States). We deploy workloads exclusively to Fly.io's European data centre regions to ensure that personal data is stored and processed within the European Union.

Fly.io acts as a processor on our behalf under Art. 28 GDPR. We have concluded a Data Processing Agreement (DPA) with Fly.io that includes the Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring an adequate level of protection for any incidental access from the United States (see Section 9).

5. Error Tracking (Sentry)

We use Sentry (Functional Software, Inc.) for real-time error monitoring and debugging. When an error occurs on the Platform, Sentry may receive technical data such as stack traces, request URLs, HTTP headers, IP addresses (truncated where possible), and browser or device metadata.

Sentry processes this data as a processor on our behalf under a DPA that includes Standard Contractual Clauses. Error data is used exclusively for diagnosing and resolving technical issues and is retained for a limited period (typically 90 days) before automatic deletion.

Legal basis: Art. 6(1)(f) GDPR – our legitimate interest in maintaining Platform reliability and resolving defects promptly.

6. Payment Processing and Billing (Lago)

Billing, invoicing, and usage metering are handled through Lago, which we self-host on our own infrastructure within the EU. Lago processes your billing-related data (name, email, billing address, subscription details, and usage metrics) to generate invoices and manage your subscription.

Because we self-host Lago, no personal data is transferred to a third-party provider for billing purposes. The data remains within our EU-based infrastructure.

Legal basis: Art. 6(1)(b) GDPR – performance of the contract with you; Art. 6(1)(c) GDPR – compliance with statutory bookkeeping and tax retention obligations.

7. Log Files and IP Address Processing

When you access the Platform, our servers automatically collect and store the following data in server log files:

• IP address of the requesting device
• Date and time of the request
• HTTP method and requested URL
• HTTP status code and response size
• Referrer URL and user agent string

This data is required for delivering Platform content, ensuring network security, preventing abuse, and diagnosing technical issues. Log files are retained for a maximum of 30 days and are not merged with other data sources.

Legal basis: Art. 6(1)(f) GDPR – our legitimate interest in security, system integrity, and troubleshooting.

8. Account Registration and Authentication

To use the Platform you must create an account. You can register either with an email address and password, or by authenticating through a supported social login provider (currently GitHub and Google).

Legal basis: Art. 6(1)(b) GDPR – necessary for the performance of our contract with you.

9. Data Processing by Customers (Controller vs. Processor)

Our Platform enables you ("Customer") to host your own applications, which may in turn collect and process personal data of your end users. In this relationship:

• Larasell as Controller: We are the data controller for personal data we collect directly from you (account data, billing data, technical data, and support communications) in order to provide and operate the Platform.
• Larasell as Processor: When you deploy applications on our Platform that process personal data of your own end users, we act as a data processor on your behalf under Art. 28 GDPR. In this role, we process such data solely according to your instructions and do not use it for our own purposes.

Customers who process personal data of their end users through the Platform are responsible for ensuring a lawful basis for that processing, providing appropriate privacy notices to their end users, and entering into a Data Processing Agreement (DPA) with us. Our DPA is available upon request.

10. International Data Transfers

Personal data is stored and processed primarily within the European Union. Where a transfer to a third country occurs (for example, incidental access by Fly.io or Sentry staff in the United States), we ensure an adequate level of protection through one of the following mechanisms:

• Standard Contractual Clauses (SCCs) adopted by the European Commission under Art. 46(2)(c) GDPR.
• An adequacy decision by the European Commission under Art. 45 GDPR, where applicable.

We do not transfer personal data to countries without appropriate safeguards in place.

11. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this policy or to comply with legal obligations:

• Account data: retained for the duration of your account and deleted within 30 days after account closure, unless further retention is required by law.
• Billing and invoice data: retained for 10 years after the end of the calendar year in which the transaction occurred, in accordance with German tax law (§ 147 AO, § 257 HGB).
• Server log files: retained for a maximum of 30 days.
• Error tracking data: retained for up to 90 days.
• Customer application data: deleted promptly after contract termination in accordance with our DPA, unless the Customer instructs otherwise.

12. Your Rights Under GDPR

You have the following rights regarding your personal data. To exercise any of these rights, please contact us at privacy@larasell.dev.

• Right of access (Art. 15): obtain confirmation of whether we process your data and request a copy.
• Right to rectification (Art. 16): request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17): request deletion of your data where no legal retention obligation applies.
• Right to restriction (Art. 18): request that processing be restricted under certain conditions.
• Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21): object to processing based on legitimate interest at any time. We will cease processing unless we demonstrate compelling legitimate grounds.
• Right to withdraw consent (Art. 7(3)): where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
• Right to lodge a complaint (Art. 77): you may lodge a complaint with a supervisory authority. The competent authority for our business is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW).

We will respond to your request within one month. In complex cases or where we receive a high volume of requests, this period may be extended by a further two months in accordance with Art. 12(3) GDPR. We will inform you of any such extension.

13. Cookies and Tracking Technologies

The Platform uses only strictly necessary cookies required for the operation of the service, such as session cookies for authentication and CSRF protection. These cookies are essential for the Platform to function and cannot be disabled.

We do not use analytics cookies, advertising cookies, or third-party tracking technologies. Because we rely exclusively on technically necessary cookies, no consent under § 25 TTDSG is required.

14. Data Security

We implement appropriate technical and organisational measures in accordance with Art. 32 GDPR to protect personal data against unauthorised access, loss, alteration, or destruction. These measures include, but are not limited to:

• Encryption of data in transit using TLS (HTTPS) and encryption of data at rest where applicable.
• Strong password hashing using industry-standard algorithms.
• Optional two-factor authentication for user accounts.
• Access controls and least-privilege principles for internal systems.
• Regular security reviews and software updates.

15. Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in our processing activities, legal requirements, or business operations. Material changes will be communicated to you by email or through a prominent notice on the Platform before they take effect.

We encourage you to review this policy periodically. The "last updated" date at the top of this page indicates when the policy was most recently revised.

16. Contact

If you have questions about this privacy policy or wish to exercise your data protection rights, please contact us:

Email: privacy@larasell.dev