Privacy Policy
Last updated: May 9, 2026
1. Data Controller
eubase (independent developer, France) is the data controller for all personal data processed through eubase. Contact: hello@eubase.dev
2. Data We Collect
We collect only what is necessary to provide the Service:
| Data | Source | Purpose | Retention |
|---|---|---|---|
| GitHub username & email | GitHub OAuth | Account creation | Until account deleted |
| API key hash (SHA-256) | Generated at signup | Authentication | Until key revoked |
| API usage logs | Each API call | Billing & quota | 13 months |
| Stripe customer ID | Stripe checkout | Billing | Until account deleted |
| IP address (requests) | HTTP headers | Security / abuse prevention | 30 days (logs) |
API keys are never stored in plaintext. Only a SHA-256 hash is stored; the full key is shown to you once at creation.
3. Legal Basis (GDPR)
- Contract performance (Art. 6(1)(b)): account data, API usage logs, billing data — necessary to provide the Service.
- Legitimate interest (Art. 6(1)(f)): security logs, abuse prevention.
4. Sub-processors
| Service | Purpose | Location |
|---|---|---|
| Supabase | Database & auth | EU (AWS Frankfurt) |
| Upstash Redis | Rate limiting & cache | EU (AWS Frankfurt) |
| Stripe | Payment processing | US (SCCs apply) |
| Vercel | Hosting | EU edge + US |
| GitHub | OAuth authentication | US (SCCs apply) |
5. Company Data (API Responses)
Data returned by the API (company names, addresses, officers, etc.) comes from official public registries (SIRENE, Companies House, VIES). This is public information as defined by applicable law. We cache it for up to 24 hours to reduce latency. We do not sell or share this data beyond serving your API requests.
6. Your Rights
Under GDPR, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request deletion of your account and associated data
- Export your data in a portable format
- Object to processing based on legitimate interest
To exercise any of these rights, email hello@eubase.dev. We respond within 30 days. You may also lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés).
7. Data Deletion
Deleting your account removes your profile, API keys (hashes only), and email from our systems within 7 days. Usage logs are anonymized (key_id set to null) and retained for 13 months for billing reconciliation, then deleted.
8. Cookies
We use one session cookie set by Supabase Auth to maintain your login session. No tracking cookies, no analytics, no third-party advertising pixels.
9. Changes
We will notify you by email at least 14 days before any material change to this policy.
10. Contact
DPO / privacy questions: hello@eubase.dev