Privacy Policy

1. Introduction

Rollgate ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our feature flag management service.

We comply with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data We Collect

Account Information

• Email address
• Name
• Profile picture (if using OAuth)
• Password (securely hashed)

Usage Data

• Feature flag evaluations (anonymized)
• API usage statistics
• Session information (IP address, user agent)

Technical Data

• Log files for debugging and security
• Performance metrics

3. How We Use Your Data

We use your information to:

• Provide and maintain the Rollgate service
• Authenticate your identity and manage your account
• Process transactions and send billing information
• Send service-related notifications
• Improve our service through analytics
• Ensure security and prevent fraud

4. Legal Basis for Processing (GDPR)

We process your data based on:

• Contract: To provide our services to you
• Legitimate Interest: To improve our service and ensure security
• Consent: For marketing communications (where applicable)
• Legal Obligation: To comply with applicable laws

5. Your Rights (GDPR)

Under GDPR, you have the following rights:

• Right of Access (Art. 15): Request a copy of your personal data
• Right to Rectification (Art. 16): Correct inaccurate data
• Right to Erasure (Art. 17): Request deletion of your data
• Right to Data Portability (Art. 20): Receive your data in a portable format
• Right to Object (Art. 21): Object to certain processing
• Right to Restrict Processing (Art. 18): Limit how we use your data

To exercise these rights, go to Settings or contact us at [email protected].

6. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: Request disclosure of personal information collected, used, disclosed, or sold
• Right to Delete: Request deletion of your personal information
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out: Opt out of the sale or sharing of your personal information
• Right to Limit Use: Limit the use of sensitive personal information
• Right to Non-Discrimination: Not receive discriminatory treatment for exercising your rights

Notice at Collection: We collect the categories of personal information described in Section 2 for the purposes described in Section 3. We do not sell your personal information.

To exercise your CCPA rights, visit our Do Not Sell My Personal Information page or contact us at [email protected].

7. Data Retention

We retain your personal data only for as long as necessary to provide our services and comply with legal obligations.

• Account data: Retained while your account is active
• Deleted accounts: 30-day recovery period, then anonymized
• Usage statistics: Anonymized data retained for analytics
• Audit logs: Retained for 2 years for security purposes

8. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

• Encryption in transit (TLS) and at rest
• Secure password hashing (bcrypt)
• Regular security audits
• Access controls and authentication

9. Third-Party Services

We may use third-party services for:

• Authentication (Google, GitHub OAuth)
• Payment processing (Paddle)
• Cloud hosting (Hetzner Cloud - EU-based)

These providers have their own privacy policies and are GDPR-compliant.

10. Cookies

We use essential cookies for authentication and session management. These are strictly necessary for the service to function.

We do not use third-party tracking cookies or analytics cookies without your consent.

11. International Data Transfers

Your data is stored on servers located within the European Union (Hetzner Cloud, Germany). We do not transfer personal data outside the EEA unless necessary and with appropriate safeguards.

12. Contact Information

For privacy-related inquiries or to exercise your GDPR rights:

• Email: [email protected]
• Data Protection Officer: [email protected]