Privacy Policy
Last Updated: February 2026
1. Introduction and Scope
1.1 This Privacy Policy applies to smll.io (“we,” “us,” or “our”) and describes how we collect, use, disclose and protect your personal data when you use our development and testing services (“Services”). This policy applies to all users of our Services and visitors to our website.
1.2 This Privacy Policy should be read alongside our Terms of Service. Where you use our Services to process personal data, you should refer to Section 2 of this policy regarding our respective roles as data controller and processor.
1.3 This Privacy Policy reflects our commitment to protecting your personal data in accordance with applicable data protection laws and regulations worldwide. If you are located in the United Kingdom (UK), European Economic Area (EEA), or California, you may have additional rights, which are detailed in Section 5 of this policy.
2. Personal Data We Collect
2.1 Account Information — When you create an account, we collect information necessary to provide our Services, including your name, email address, and authentication credentials. This information is processed by Supabase, our authentication provider, and stored in the United Kingdom.
2.2 Payment Information — To process payments and manage credits, we collect payment details through Stripe, our payment processor. We do not store complete payment card information on our servers.
2.3 Service Usage Data — We collect information about how you use our Services, including database usage patterns, resource consumption, performance metrics, and service interaction data.
2.4 Technical Data — We automatically collect certain technical information when you use our Services, including IP address, browser type, device information, and log data. This information is processed through Cloudflare for security purposes, through our monitoring systems hosted on Hetzner servers, and through Sentry for error logging and application monitoring.
2.5 Communications Data — We collect and store communications with you regarding service provision, technical support, and account management.
2.6 Legal Basis for Processing — We process your personal data on the following legal bases:
- To perform our contract with you for the Services;
- For our legitimate interests in operating and improving our Services;
- To comply with our legal obligations;
- With your consent, where specifically required.
2.7 Use of Personal Data — We use the collected personal data to:
- Provide and maintain our Services;
- Process payments and manage credits;
- Ensure service security and prevent fraud;
- Communicate about service updates and issues;
- Improve and optimise our Services;
- Comply with legal obligations.
2.8 Monitoring and Performance Data — We collect system performance data and maintain logs through Sentry. This includes database metrics, resource allocation data, system identifiers, and technical information about service operations.
2.9 Security Data — Through Cloudflare's web application firewall (WAF), we collect and process security-related data including traffic patterns and potential security threats.
2.10 Backup Data — Where you opt to use our backup services, we collect and store backup copies of your database content. This data is fully encrypted both in transit and at rest.
2.11 Infrastructure and Data Processing — Our core services operate through Hetzner, with servers located in Germany, Finland, the United States, and Singapore.
3. Data Retention
3.1 Account Information — Account data is retained for as long as you maintain an active account. After account closure, we retain limited account information for 12 months.
3.2 Payment Information — Payment records are retained for 7 years to comply with accounting and tax requirements.
3.3 Service Usage Data — Service usage data is retained for 12 months. Historical usage data is then anonymised.
3.4 Technical Data — Technical data, including IP addresses and log data, is retained for 6 months.
3.5 Communications Data — Service-related communications are retained for the duration of your account plus 12 months.
3.6 Monitoring and Performance Data — System performance data and metrics are retained for 12 months in detailed form.
3.7 Security Data — Security-related data processed through Cloudflare's WAF is retained according to Cloudflare's retention policies. Our internal security logs are retained for 6 months.
3.8 Backup Data — Where you opt into our backup service, database backups are retained for 30 days on a rolling basis. Upon account termination, backups are deleted within 30 days.
3.9 System Logs — System logs containing technical operations data are retained for 6 months.
3.10 Early Deletion — You may request earlier deletion of your data, subject to our legal obligations and technical requirements.
4. Cookie Policy
4.1 Essential Service Cookies — We use strictly necessary cookies that are essential for the operation of our Services.
4.2 Analytics Cookies — We use analytics tools to understand how users interact with our Services. You can control analytics cookies through the cookie banner.
4.3 Performance Monitoring — Our internal monitoring systems may use cookies to maintain service performance and reliability.
4.4 Security Cookies — Cloudflare places cookies for security purposes through our web application firewall (WAF).
4.5 Third-Party Cookies — Besides analytics and Cloudflare, we do not allow any third-party cookies on our Services.
4.6 Cookie Control — While essential service and security cookies cannot be disabled, you can control analytics cookies through the cookie banner or your browser settings.
4.7 Cookie Retention — Session cookies are deleted when you close your browser. Persistent cookies:
- Essential service cookies last the duration of your session;
- Analytics cookies last 12 months maximum;
- Security cookies follow Cloudflare's standard retention;
- Performance cookies last 30 days maximum.
5. Data Subject Rights
5.1 Processing Roles — We process personal data as a controller for account management, billing, and service operations; and as a processor for data you store in your databases.
5.2 UK and EEA Rights — If you are located in the UK or European Economic Area, you have the right to access, to correct, to request deletion, to restrict processing, to object to processing, to data portability, and to withdraw consent.
5.3 California Rights — If you are a California resident, you have rights under the CCPA, including the right to know, the right to delete, the right to opt out, and the right to non-discrimination.
5.4 Account Data Access — You can access and modify account data through our self-service tools. Response times:
- Access requests: 30 days;
- Correction requests: 15 days;
- Deletion requests: 30 days;
- Restriction requests: 7 days;
- Portability requests: 30 days.
5.5 Database Content — For data stored in your databases, you are the controller responsible for data subject rights.
5.6 Request Process — Requests must be submitted through account settings or to contact@smll.io. All requests require verification of identity.
6. Security Measures
6.1 Technical Safeguards — We implement appropriate technical measures including encryption in transit and at rest, access controls, firewalls, and regular security updates.
6.2 Infrastructure Security — Our hosting provider, Hetzner, maintains physical and environmental security measures. We use Cloudflare's WAF for protection.
6.3 Access Controls — We maintain strict access controls on a need-to-know basis, with multi-factor authentication and regular review.
6.4 Data Security — Your database content is encrypted using industry-standard protocols. Backups are also encrypted.
6.5 Security Monitoring — We continuously monitor our systems for potential security threats.
6.6 Security Incidents — In the event of a security incident, we will notify you without undue delay and within 72 hours.
7. Children's Privacy
7.1 Our Services are for users who are 18 years or older. We do not knowingly collect personal data from individuals under 18.
8. Automated Processing and Decision Making
8.1 Our service employs automated systems for credit management, service recovery, security monitoring, and resource allocation.
8.2 When account credits fall below zero, our system will automatically delete the associated databases.
8.3 Our systems automatically monitor application performance and log errors through Sentry.
8.4 Our system automatically performs recovery actions to maintain service availability.
8.5 Our systems automatically monitor for and respond to security threats.
8.6 Our service uses automated systems to allocate computing resources using anonymous technical identifiers.
8.7 You have the right to receive information about automated decisions, contest them, request human review, and receive notice before significant automated actions.
9. Changes to Privacy Policy
9.1 We reserve the right to update this Privacy Policy. We will notify you of material changes through email notification, notice on our website, or direct communication.
9.2 Your continued use after changes constitutes acceptance of the updated Privacy Policy.
10. Contact Information
10.1 For questions about this Privacy Policy or to exercise your data protection rights, please contact us at contact@smll.io.