Privacy Policy

Last updated: December 12, 2024

1. Introduction and Scope

1.1 This Privacy Policy applies to smll.io ("we," "us," or "our") and describes how we collect, use, disclose and protect your personal data when you use our development and testing services ("Services"). This policy applies to all users of our Services and visitors to our website.

1.2 This Privacy Policy should be read alongside our Terms of Service. Where you use our Services to process personal data, you should refer to Section 2 of this policy regarding our respective roles as data controller and processor.

1.3 This Privacy Policy reflects our commitment to protecting your personal data in accordance with applicable data protection laws and regulations worldwide. If you are located in the United Kingdom (UK), European Economic Area (EEA), or California, you may have additional rights, which are detailed in Section 5 of this policy.

2. Personal Data We Collect

2.1 Account Information When you create an account, we collect information necessary to provide our Services, including your name, email address, and authentication credentials. This information is processed by Supabase, our authentication provider, and stored in the United Kingdom.

2.2 Payment Information To process payments and manage credits, we collect payment details through Stripe, our payment processor. We do not store complete payment card information on our servers.

2.3 Service Usage Data We collect information about how you use our Services, including database usage patterns, resource consumption, performance metrics, and service interaction data. This information is used to provide, maintain, and improve our Services.

2.4 Technical Data: We automatically collect certain technical information when you use our Services, including IP address, browser type, device information, and log data. This information is processed through Cloudflare for security purposes, through our monitoring systems hosted on Hetzner servers, and through Sentry for error logging and application monitoring.

2.5 Communications Data We collect and store communications with you regarding service provision, technical support, and account management. This includes email communications and support requests.

2.6 Legal Basis for Processing We process your personal data on the following legal bases:
a) To perform our contract with you for the Services
b) For our legitimate interests in operating and improving our Services
c) To comply with our legal obligations
d) With your consent, where specifically required

2.7 Use of Personal Data We use the collected personal data to:
a) Provide and maintain our Services
b) Process payments and manage credits
c) Ensure service security and prevent fraud
d) Communicate about service updates and issues
e) Improve and optimise our Services
f) Comply with legal obligations

2.8 Monitoring and Performance Data We collect system performance data and maintain logs through Sentry. This includes database metrics, resource allocation data, system identifiers, and technical information about service operations and automated processes. This data is used to troubleshoot technical issues, monitor service health, analyse system performance, detect anomalies, improve service reliability, and make infrastructure decisions. While these systems contain technical identifiers, they are designed to minimise personal data collection and are retained only as long as necessary for operational purposes. No personal data is used in these automated performance decisions.

2.9 Security Data Through Cloudflare's web application firewall (WAF), we collect and process security-related data including traffic patterns and potential security threats. This data is encrypted and used to detect and prevent security breaches, protect against unauthorised access, enforce rate limits, identify suspicious behaviour patterns, and maintain service security. Cloudflare cannot access the content of your data traffic, only metadata necessary for security purposes.

2.10 Backup Data Where you opt to use our backup services through Wasabi S3, we collect and store backup copies of your database content. This data is fully encrypted both in transit and at rest and is used solely to provide disaster recovery capabilities, ensure service continuity, enable data restoration if required, and maintain redundancy across geographical locations. Backup data is processed only for these specified purposes and is not used for any other reason.

2.11 Infrastructure and Data Processing

2.11.1 Primary Infrastructure Our core services operate through Hetzner, with servers located in Germany, Finland (Helsinki), United States (Texas), and Singapore. Your database content may be transferred between these locations for backup purposes, service replication, and maintaining service availability.

2.11.2 Data Processing Locations and Purposes:
a) Authentication Data: Processed by Supabase (US company) and stored in the United Kingdom
b) Payment Processing: Handled by Stripe in the United States
c) Analytics: Processed by Google Analytics in the United States
d) Application Monitoring: Managed by Sentry in the United States
e) Security Services: Delivered through Cloudflare's global network
f) Backup Storage: Provided by Wasabi S3

2.11.3 Data Storage and Transfers: All data is stored with encryption at rest. Data transfers between locations are conducted with full encryption in transit. Each service provider implements appropriate security measures for their respective storage and processing activities.

2.11.4 Infrastructure Changes We may expand our infrastructure to include additional operators and locations to improve service delivery. We will notify you of significant changes to our infrastructure that affect your data storage location.

3. Data Retention

3.1 Account Information Account data is retained for as long as you maintain an active account with us. After account closure, we retain limited account information for 12 months to comply with legal obligations and handle any post-termination queries.

3.2 Payment Information Payment records are retained for 7 years to comply with accounting and tax requirements. Detailed payment information is held by Stripe, our payment processor, according to their retention policies.

3.3 Service Usage Data Service usage data is retained for 12 months to maintain service functionality, analyse patterns, and improve our Services. Historical usage data is then anonymised for analytical purposes.

3.4 Technical Data Technical data, including IP addresses and log data, is retained for 6 months. This data is necessary for security purposes, maintaining service functionality, and detecting patterns of misuse.

3.5 Communications Data Service-related communications are retained for the duration of your account plus 12 months. Support communications are retained for 24 months after resolution of the support issue.

3.6 Monitoring and Performance Data System performance data and metrics are retained for 12 months in detailed form, after which they are aggregated and anonymised for long-term performance analysis.

3.7 Security Data Security-related data processed through Cloudflare's WAF is retained according to Cloudflare's retention policies. Our internal security logs are retained for 6 months.

3.8 Backup Data Where you opt into our backup service, database backups are retained for 30 days on a rolling basis. Upon account termination, backups are deleted within 30 days.

3.9 System Logs System logs containing technical operations data are retained for 6 months for operational and security purposes. After this period, they are permanently deleted.

3.10 Early Deletion You may request earlier deletion of your data, subject to our legal obligations and technical requirements. Some data may need to be retained to comply with legal requirements or maintain service integrity.

4. Cookie Policy

4.1 Essential Service Cookies We use strictly necessary cookies that are essential for the operation of our Services. These cookies enable basic functions like secure authentication, service preferences, and maintaining user sessions. You cannot opt out of these cookies as they are necessary for the Services to function.

4.2 Analytics Cookies We use Google Analytics to understand how users interact with our Services. These cookies collect aggregated data about service usage patterns. The information collected includes pages visited, time spent on pages, and service interaction data. This data helps us improve our Services and user experience.

4.3 Performance Monitoring Our internal monitoring systems may use cookies to maintain service performance and reliability. These cookies collect technical data about service operation and do not collect personal information beyond technical identifiers.

4.4 Security Cookies Cloudflare places cookies for security purposes through our web application firewall (WAF). These cookies help protect our Services from security threats and maintain service integrity. They process encrypted traffic data and are essential for service security.

4.5 Third-Party Cookies Besides Google Analytics and Cloudflare, we do not allow any third-party cookies on our Services. We regularly review our cookie usage to ensure compliance with this policy.

4.6 Cookie Control While essential service and security cookies cannot be disabled, you can control analytics cookies through your browser settings. Disabling analytics cookies will not affect your ability to use our Services.

4.7 Cookie Retention Session cookies are deleted when you close your browser. Persistent cookies remain on your device for different periods as follows:
- Essential service cookies: Duration of your session
- Analytics cookies: 12 months maximum
- Security cookies: According to Cloudflare's standard retention
- Performance cookies: 30 days maximum

5. Data Subject Rights

5.1 Processing Roles We process personal data in two distinct ways: as a controller for account management, billing, and service operations; and as a processor for data you store in your databases. Your rights and how to exercise them depend on both the type of data and your location.

5.2 UK and EEA Rights If you are located in the UK or European Economic Area, for personal data we control, you have rights to access your data, correct inaccurate data, request deletion, restrict processing, object to processing, data portability, and withdraw consent where applicable.

5.3 California Rights If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete personal information, the right to opt out of the sale of personal information (though we do not sell personal information), and the right to non-discrimination.

You can access and modify account data through our self-service tools. For data we control, we will respond to requests within the following timeframes:
- Access requests: 30 days (may be extended by 60 days if complex)
- Correction requests: 15 days
- Deletion requests: 30 days
- Restriction requests: 7 days
- Portability requests: 30 days

5.5 Database Content For data stored in your databases, you are the controller responsible for data subject rights. We will provide limited technical assistance within 14 days of your request. We act only on your documented instructions and maintain appropriate security measures.

5.6 Request Process Requests must be submitted through appropriate channels based on data type. For account data, submit requests through account settings or to contact@smll.io. All requests require verification of identity.

5.7 Verification Requirements We verify requests through account authentication, registered email verification, or additional documentation where required. Third-party requests must include written authorisation from the data subject.

5.8 Response Times We will acknowledge receipt within 3 business days and provide a substantive response within timeframes required by applicable law. Complex requests may require an extension, which we will notify you about within the initial response period.

5.9 Limitations We may decline requests that would violate others' privacy, are technically impractical, require disproportionate effort, or conflict with legal obligations. We will explain any inability to fulfill requests.

5.10 Complaints You may submit complaints to contact@smll.io. UK residents may contact the Information Commissioner's Office, EEA residents may contact their local supervisory authority, and California residents may contact the California Attorney General's Office.

6. Security Measures

6.1 Technical Safeguards We implement appropriate technical measures to protect your data, including encryption in transit and at rest, access controls, firewalls, and regular security updates. All data transfers between servers are encrypted, and we use industry-standard protocols for secure communication.

6.2 Infrastructure Security Our hosting provider, Hetzner, maintains physical and environmental security measures at their data centres. Access to our infrastructure is strictly controlled and monitored. We use Cloudflare's web application firewall (WAF) to protect against security threats and unauthorised access.

6.3 Access Controls We maintain strict access controls for our systems and data. Employee access is granted on a need-to-know basis, requires multi-factor authentication, and is regularly reviewed. All access attempts are logged and monitored for suspicious activity.

6.4 Data Security Your database content is encrypted using industry-standard encryption protocols. Backups, where opted for, are also encrypted. Authentication data is processed securely through Supabase, and payment information is handled securely by Stripe.

6.5 Security Monitoring We continuously monitor our systems for potential security threats. This includes automated threat detection, system logging, and regular security assessments. Our monitoring systems use anonymised identifiers to protect privacy while maintaining security.

6.6 Security Incidents In the event of a security incident affecting your data, we will notify you without undue delay and within 72 hours of becoming aware of the breach. We maintain an incident response plan and will provide information about affected data and measures taken.

6.7 Service Provider Security We ensure our service providers maintain appropriate security measures through contractual obligations and regular assessment. This includes our sub-processors Supabase, Stripe, Hetzner, Cloudflare, Sentry, and Wasabi S3.

6.8 Security Updates We regularly update our systems and software to address security vulnerabilities. These updates may occasionally require brief service interruptions, which we will notify you about in advance where possible.

7. Children's Privacy

7.1 Our Services are for users who are 18 years or older, or of legal age in their jurisdiction. We do not knowingly collect personal data from individuals under 18 years of age.

7.2 If we discover we have collected personal data from an individual under 18, we will take steps to delete this information. If you believe we may have collected data from someone under 18, please contact us at contact@smll.io.

7.3 If you use our Services to process personal data, you must ensure you have an appropriate legal basis to do so, including any necessary parental consent for processing children's data.

8. Automated Processing and Decision Making

8.1 Types of Automated Processing Our service employs automated systems for credit management, service recovery, security monitoring, and resource allocation. These systems make automated decisions that may affect your service availability and database operations.

8.2 Credit-Related Actions When account credits fall below zero, our system will automatically delete the associated databases. This is an automated process.

8.3 Service Monitoring Our systems automatically monitor application performance and log errors through Sentry. This automated monitoring captures technical error data and system diagnostics to maintain service reliability. This monitoring uses technical identifiers and is focused on service operation rather than user activity.

8.4 Service Recovery Our system automatically performs the following actions to maintain service availability:
a) Recovers databases if they go offline
b) Moves databases to new servers when necessary
c) Transfers databases between regions if service disruption is detected
These automated recovery processes ensure continuous service availability.

8.5 Security and Access Our systems automatically monitor for and respond to security threats. This may result in automated account restrictions where fraud, malicious use, or compromised account access is detected. These security measures are implemented using encrypted traffic data and predetermined security rules.

8.6 Resource Allocation Our service uses automated systems to allocate computing resources. This allocation is performed using anonymous technical identifiers, ensuring non-biased distribution of resources without reference to user identity. The underlying software uses identifiers that only we and the user can link back to the specific user.

8.7 Your Rights: You have the right to:
a) Receive information about automated decisions affecting your account
b) Contest automated decisions
c) Request human review of automated decisions
d) Receive notice before significant automated actions

9. Changes to Privacy Policy

9.1 We reserve the right to update this Privacy Policy to reflect changes in our practices, technology, legal requirements, and other factors. We will post the updated Privacy Policy at https://smll.io/privacy.

9.2 We will notify you of material changes to this Privacy Policy through:
- Email notification to your registered email address
- Notice on our website or service dashboard
- Direct communication for significant changes

9.3 Your continued use of our Services after changes to this Privacy Policy become effective constitutes acceptance of the updated Privacy Policy. If you do not agree to the updated Privacy Policy, you should stop using our Services and contact us to close your account.

10. Contact Information

10.1 For questions about this Privacy Policy or our data practices, for matters relating to your personal data or to exercise your data protection rights, please contact our team at contact@smll.io.

10.2 For technical support, please use our support system within your workspace.