ShieldedStack Privacy Policy

1. The honest summary

• The ShieldedStack software does not phone home. We receive nothing about your installation, your packages, your scan results, or your users.
• The only personal data we hold is what you give us directly — a trial request form, an email, a support ticket, or a signed Order Form.
• We do not sell data. We do not run advertising. We do not profile you.
• We are established in Denmark. We are not subject to the United States CLOUD Act or analogous extraterritorial disclosure regimes.

2. What the Software does not collect

To be explicit about the things a reasonable buyer assumes we collect and that we do not:

• The Software does not transmit usage data, logs, metrics, identifiers, or any other information to us during normal operation.
• We do not receive package names, package versions, registry traffic, scan results, vulnerability findings, or audit logs from your installation.
• We do not see your developers, your CI agents, your IP addresses, your repository names, or your Keycloak identities.
• License Key validation is performed locally on your installation using public-key cryptography. No remote call to us is required or made.

This is a contractual commitment under the Terms of Service, section 7.

3. What we collect and why

3.1 Trial requests

When you submit the trial request form at /trial, we collect the fields you provide: name, work email, organisation, country, the package ecosystems you use, and a short free-text description of what is prompting your interest.

How it flows: the form is submitted to a Cloudflare Worker (located on Cloudflare's edge), which (a) verifies a Cloudflare Turnstile token to prevent bot submissions, (b) stores a hashed IP-derived rate-limit counter in Cloudflare KV for 24 hours, and (c) sends the form contents to [email protected] via Resend (transactional email provider). The submission is not stored in any database. The email lands in our Proton Mail mailbox.

Why: to evaluate trial requests, issue License Keys, and follow up with prospective customers. Lawful basis: legitimate interest in responding to inbound business enquiries (GDPR Article 6(1)(f)), and steps taken at your request prior to entering into a contract (Article 6(1)(b)).

3.2 Customer and order data

If you license ShieldedStack under an Order Form, we hold your organisation's legal name, the registered contact details on the Order Form (typically primary, billing, and technical contacts), the License Key claims (which include the contact email), and invoicing data.

Why: to perform the contract, issue License Keys, send invoices, and provide support. Lawful basis: performance of a contract (Article 6(1)(b)) and compliance with bookkeeping obligations under Danish law (Article 6(1)(c)).

3.3 Support and direct communication

Emails you send to us, support tickets, and any attachments you choose to include. We process these to respond to you.

Why: legitimate interest in providing support and operating the business (Article 6(1)(f)), and contract performance where you are a customer (Article 6(1)(b)).

3.4 Website analytics

Our public website uses self-hosted Umami analytics, served from analytics.bytebard.org. Umami operates in cookieless mode and honours Do Not Track browser signals. Collected data points are page URL, referrer, browser and device type, country-level location derived from the IP address (the IP itself is not retained), and event timestamps. The analytics database is hosted in the European Economic Area on infrastructure we control.

Why: understanding aggregate traffic to improve the website. Lawful basis: legitimate interest (Article 6(1)(f)). No cookies or persistent identifiers are set.

4. Subprocessors

We use the following third parties to operate the website and contact channels. None of them have access to ShieldedStack installations or customer data processed by the Software.

• Cloudflare, Inc. — hosts the public website (Cloudflare Pages), runs the trial form Worker (Cloudflare Workers), and stores rate-limit counters (Cloudflare KV). Cloudflare may process visitor IP addresses transiently for DDoS protection and Turnstile bot challenges. Cloudflare offers EU-only data routing for the relevant products under its Data Localisation Suite.
• Resend, Inc. — delivers transactional emails (trial form submissions and License Key delivery). Resend processes the recipient address, sender address, and email content for the purpose of delivery.
• Proton AG (Switzerland) — hosts our mailbox at the shieldedstack.com domain. Inbound emails to [email protected] are stored on Proton Mail's end-to-end encrypted infrastructure in Switzerland.

Cloudflare and Resend are US-headquartered. Transfers to these providers rely on the EU Standard Contractual Clauses and supplementary measures as described in their respective Data Processing Addenda. Proton is established in Switzerland, which the European Commission has determined provides an adequate level of data protection (Adequacy Decision 2000/518/EC).

We will update this list when subprocessors change. The current list is what is published here.

5. What we are not

We are not a processor or sub-processor of any data your ShieldedStack installation processes. The Software runs on your infrastructure, scans packages and produces findings locally, and never transmits any of that to us. No Data Processing Agreement is required between us in respect of that data, because no processing relationship exists.

If your procurement or DPO team needs written confirmation of this position to satisfy an internal review, we will provide a short signed letter at no cost. Contact [email protected].

6. Retention

• Trial form submissions: retained in our Proton mailbox until they are no longer commercially relevant, typically up to 24 months after the last interaction, then deleted.
• Customer and order data: retained for the duration of the customer relationship and thereafter as required by Danish bookkeeping law (Bogføringsloven, currently 5 years from the end of the financial year the records relate to).
• Support correspondence: retained for up to 24 months after the last interaction.
• Rate-limit counters in Cloudflare KV: 24 hours, then deleted automatically.
• Umami analytics events: retained in aggregated form indefinitely. No individual identifiers are stored.

7. Sharing and disclosure

We do not share personal data with third parties except:

• with the subprocessors listed in section 4, as necessary to operate the website and contact channels;
• where required by law, valid Danish or EU legal process, or to protect rights, property, or safety. We will resist overbroad or improper requests and will challenge any request that conflicts with EU law.

We do not sell personal data. We do not share data with advertising networks or data brokers.

8. Your rights under the GDPR

If we hold personal data about you, you have the right to:

• access the data we hold about you;
• have inaccurate data corrected;
• have your data erased, subject to legal retention obligations;
• restrict or object to processing based on legitimate interest;
• receive your data in a portable format;
• withdraw consent where processing is based on consent (this Policy does not currently rely on consent);
• lodge a complaint with the Danish Data Protection Authority (Datatilsynet) at datatilsynet.dk.

To exercise any of these rights, email [email protected]. We will respond within 30 days.

9. Security

Personal data we hold is stored on infrastructure with the following protections:

• HTTPS / TLS for all website and form transport.
• End-to-end encryption at rest for the Proton mailbox.
• Access to subprocessor consoles (Cloudflare, Resend) is protected by multi-factor authentication on accounts under our control.
• Cloudflare KV entries are short-lived (rate-limit counters expire within 24 hours).

If you believe a personal data incident has occurred involving us, please notify [email protected]. Confirmed breaches affecting EU residents will be reported to Datatilsynet within 72 hours where required under GDPR Article 33.

10. International transfers

Trial form data, transactional email content, and rate-limit counters may be processed by Cloudflare and Resend, which are US-headquartered. Transfers rely on the EU Standard Contractual Clauses adopted by the European Commission in 2021 and on additional safeguards described by each provider. The Proton mailbox is hosted in Switzerland under the EU adequacy decision for Switzerland.

We will move to EU-only providers where commercially reasonable. Cloudflare Pages, Workers, and KV are already deployable with EU-only data residency, which we use where available.

11. Updates to this Policy

We may update this Privacy Policy. If we make material changes, we will notify customers with an active Order Form by email before the change takes effect. For visitors and trial requesters, the current Policy at this URL is the operative version. The effective date is shown at the top.

12. Contact

Privacy questions, requests, or concerns: [email protected].

We do not have a designated Data Protection Officer because Bytebard does not meet the GDPR Article 37 thresholds. Alexander Carlsen is the responsible contact.