Privacy Policy
Last updated: 2026-04-07
1. Data Controller
NestFleet (“we”, “us”, “our”) is the data controller for personal data processed through the NestFleet SaaS service (nestfleet.dev). The legal entity details will be updated upon company registration. For data protection enquiries, contact: [email protected]
Self-hosted deployments: If you run NestFleet on your own infrastructure, you are the data controller for all data processed within your instance. This Privacy Policy applies only to the managed SaaS service at nestfleet.dev.
2. Data We Collect
Account Data
- Email address and display name (provided at registration)
- Encrypted password hash (never stored in plaintext)
- Account role and product association
Product Configuration Data
- Product name, slug, and stage metadata
- LLM provider and model selection (API keys stored encrypted)
- GitHub integration settings (personal access tokens stored encrypted)
- Lead role assignments (email addresses)
- Support policy configuration
Operational Data (Signal Processing)
- Inbound support signals: email content, sender details, subject lines
- Cases: triage decisions, severity, status history, AI-generated content
- Audit events: actions taken, timestamps, operator IDs
- Knowledge base articles you create
- Change request metadata and GitHub PR links
Technical Data
- Server-side structured logs (no raw request bodies logged)
- Health and performance metrics (anonymised)
- IP addresses in access logs (retained for 30 days)
3. Legal Basis for Processing (GDPR)
| Processing Purpose | Legal Basis |
|---|---|
| Provide the Service (account, product, cases) | Contract performance (Art. 6(1)(b)) |
| Billing and subscription management | Contract performance (Art. 6(1)(b)) |
| Security, fraud prevention, abuse detection | Legitimate interests (Art. 6(1)(f)) |
| Improving the Service (anonymised analytics) | Legitimate interests (Art. 6(1)(f)) |
| Marketing communications (if opted in) | Consent (Art. 6(1)(a)) |
| Legal compliance and dispute resolution | Legal obligation (Art. 6(1)(c)) |
4. Third-Party Processors
We share data with the following third-party processors. All processors are contractually bound to protect your data and process it only on our instructions.
| Processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | VPS hosting, object storage | EU (Germany) |
| Cloudflare, Inc. | DNS, TLS, CDN | EU/US (SCCs applied) |
| Stripe, Inc. | Payment processing, billing | US (SCCs applied) |
| GitHub, Inc. | Source code integration (PR drafting) | US (SCCs applied) |
| LLM providers (OpenAI / Anthropic / Google) | AI inference (your API key, your contract) | Per provider |
5. Data Retention
- Account data: retained for the lifetime of your account plus a 30-day post-deletion grace period.
- Case and signal data: retained for the duration of your subscription plus a 30-day export window after termination.
- Billing records: retained for 7 years to comply with financial regulation.
- Access logs: retained for 30 days, then purged.
- Anonymised usage analytics: retained indefinitely.
6. Your Rights (GDPR)
If you are in the EU/EEA or UK, you have the following rights:
- Access: Request a copy of your personal data.
- Rectification: Correct inaccurate data.
- Erasure: Request deletion of your personal data (“right to be forgotten”).
- Portability: Receive your data in a machine-readable format (JSON/CSV).
- Restriction: Request we restrict processing of your data.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Where processing is based on consent, withdraw it at any time.
To exercise any of these rights, submit a Data Subject Access Request (DSAR) to [email protected]. We will respond within 30 days.
7. Cookies and Tracking
The NestFleet console uses a single session cookie (nf_last_product) to remember your last-visited product. It uses no third-party tracking cookies and no analytics pixels. The landing page (nestfleet.dev) does not use any tracking scripts.
8. Security
We implement technical and organisational measures to protect your data, including: AES-256 encryption of secrets at rest, TLS 1.3 in transit, parameterised SQL queries (no injection risk), JWT-based authentication with short expiry, and structured audit logging. To report a security vulnerability, see /.well-known/security.txt.
9. Children's Privacy
NestFleet is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately at [email protected].
10. Changes to This Policy
We will notify you of material changes to this Privacy Policy by email at least 14 days before they take effect. The “last updated” date at the top of this page always reflects the current version.
11. Contact & Complaints
For privacy enquiries: [email protected]
If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority (e.g., the ICO in the UK, or your national DPA in the EU).