Privacy Policy
This Privacy Policy explains how Hackerman AB ("Hackerman", "we", "us"), a Swedish limited company (org. nr. 559079-1918) with its registered office in Gothenburg, Sweden, collects, processes, and protects personal data when you use the Codebahn service ("Service").
1. Who we are
Hackerman AB is the data controller for the personal data described in this policy. For Customer Data hosted on the Service (repository content, issues, CI artifacts), we act as a data processor on behalf of the organisation that owns the data.
Contact: privacy@codebahn.net (data protection) · legal@codebahn.net (general)
We are not required to appoint a Data Protection Officer under GDPR Article 37. Our core activity is hosting code; it does not involve regular and systematic monitoring of data subjects on a large scale, nor large-scale processing of special categories of data. If this changes, we will appoint one and update this policy.
2. What we collect and why
2.1. Account data
| Data | Purpose | Legal basis |
|---|---|---|
| Email address | Authentication, notifications, billing | Contract performance (Art. 6(1)(b)) |
| Display name, username | Identification within the Service | Contract performance |
| SSH public keys | Git authentication | Contract performance |
| Password (hashed) | Authentication | Contract performance |
| Avatar (optional) | Display within the Service | Consent (optional upload) |
2.2. Billing data
| Data | Purpose | Legal basis |
|---|---|---|
| Organisation name | Invoicing | Contract performance |
| Billing email | Payment receipts and notices | Contract performance |
| VAT number (optional) | Tax compliance | Legal obligation (Art. 6(1)(c)) |
| Country code | VAT determination, jurisdiction | Legal obligation |
| Payment method details | Processed by Mollie, not stored by us | Contract performance |
We do not store credit card numbers, bank account details, or other payment instrument data. Payment processing is handled entirely by Mollie B.V. (Amsterdam, Netherlands). Mollie's privacy policy applies to payment data they process.
2.3. Customer Data (processor role)
| Data | Purpose | Legal basis |
|---|---|---|
| Repository content (code, commits, branches, tags) | Hosting the Service | Contract performance |
| Issues, pull requests, comments | Hosting the Service | Contract performance |
| CI workflow definitions and logs | Running CI builds | Contract performance |
| Container and package registry content | Hosting the Service | Contract performance |
| Uploaded attachments | Hosting the Service | Contract performance |
For Customer Data, the organisation owner is the data controller. We process this data solely to provide the Service. We do not sell, analyse, or use Customer Data for any purpose other than operating the Service, and our staff access its content only in the limited cases described in section 5 (a specific support request, a security incident, or an abuse investigation).
2.4. Usage and operational data
| Data | Purpose | Legal basis |
|---|---|---|
| IP addresses (in server logs) | Security, abuse prevention, debugging | Legitimate interest (Art. 6(1)(f)) |
| Request timestamps and paths | Operations, debugging | Legitimate interest |
| Compute-minute consumption | Billing, quota enforcement | Contract performance |
| Storage usage | Billing, quota enforcement | Contract performance |
| Error logs | Debugging, service reliability | Legitimate interest |
Server logs containing IP addresses are retained for 30 days, then deleted.
2.5. Analytics
We use a self-hosted instance of Plausible Analytics for our public website (codebahn.net). Plausible is privacy-focused: no cookies, no personal data collection, no tracking across sites. Analytics data does not leave our servers.
We do not use analytics within the application (the dashboard, Git interface, or API).
We do not use Google Analytics, Facebook Pixel, or any third-party tracking tool.
3. What we do not do
- We do not sell personal data.
- We do not use personal data for advertising or profiling.
- We do not train machine learning models on Customer Data or personal data.
- We do not use tracking cookies. The Service uses a single session cookie for authentication. No third-party cookies are set.
- We do not use US-incorporated sub-processors anywhere in the data path.
4. Where data is stored
All data is stored on infrastructure operated by Scaleway (Iliad Group), an EU-incorporated provider:
| Purpose | Region |
|---|---|
| Primary infrastructure | Scaleway fr-par (Paris, France) |
| Backups | Scaleway pl-waw (Warsaw, Poland) |
Data never leaves the European Union.
The full list of sub-processors is published at docs.codebahn.net/reference/subprocessors and is kept current.
5. Who has access to data
- Hackerman AB employees. Administrative access for infrastructure operations, debugging, and responding to support requests. We do not access the content of repositories unless required for a specific support request, security incident, or abuse investigation.
- Scaleway. Infrastructure provider. They operate the physical servers and storage. Their access is governed by their DPA and applicable EU data protection law.
- Mollie. Payment processor. They process payment data only. They do not have access to Customer Data or account data beyond what is needed for payment processing.
We do not share data with any other third party unless required by law (see section 8).
6. Data retention
| Data | Retention |
|---|---|
| Active account data | Retained while the account exists |
| Customer Data (active subscription) | Retained while the subscription is active |
| Customer Data (after cancellation) | 30 days read-only, then deleted within 90 days |
| Backups containing Customer Data | Rotated out within 90 days of deletion |
| Server logs (IP addresses) | 30 days |
| Billing records | 7 years (Swedish Bookkeeping Act, Bokföringslagen, BFL) |
| Analytics data (Plausible) | Aggregated, no personal data retained |
| Personal accounts (no subscription) | Until you delete the account or 12 months of inactivity |
Billing records include organisation name, billing email, VAT number, country code, invoice amounts, and payment dates. These are retained for 7 years as required by Swedish bookkeeping law (BFL 7:2), even if you request deletion of your account. We will inform you of this retention if you make a deletion request.
7. Your rights under GDPR
As a data subject, you have the following rights:
- Access (Art. 15). Request a copy of your personal data.
- Rectification (Art. 16). Correct inaccurate personal data.
- Erasure (Art. 17). Request deletion of your personal data, subject to legal retention requirements (see section 6).
- Restriction (Art. 18). Request restriction of processing in certain circumstances.
- Portability (Art. 20). Receive your personal data in a structured, machine-readable format. For Customer Data, Forgejo's standard export functionality provides this.
- Objection (Art. 21). Object to processing based on legitimate interest.
To exercise any of these rights, email privacy@codebahn.net. We will respond within 30 days.
If you believe we are processing your data unlawfully, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) or your local supervisory authority.
8. Law enforcement and legal requests
We will comply with lawful requests from Swedish and EU authorities.
We will notify you of a request for your data unless prohibited by law. If we receive a request from a non-EU authority, we will assess it under GDPR Chapter V and only comply if there is a legal basis under EU law (e.g. an international agreement or MLAT).
We do not have a "backdoor" or bulk access mechanism. Any request must be for specific, identified data.
9. Data Processing Agreement
For organisations that require a DPA under GDPR Article 28, our Data Processing Agreement is published and applies automatically to all customers. It covers our obligations as a data processor for Customer Data, including: processing instructions, confidentiality, security measures, sub-processor management, data subject rights assistance, breach notification, and audit rights.
10. Security measures
We implement the following technical and organisational measures:
- Encryption in transit (TLS 1.3 for all HTTPS connections; Git over SSH is protected by the SSH transport).
- Encryption at rest (Scaleway managed encryption for block and object storage, managed PostgreSQL encryption).
- Daily encrypted backups stored in a separate EU region.
- SSH key authentication for Git operations.
- Hashed passwords (bcrypt) for web authentication.
- CI builds run in isolated containers with no persistent state.
- Access to production infrastructure is restricted to Hackerman AB employees via SSH key authentication and IP allowlisting.
- No shared credentials. Individual access keys with audit logging.
We do not currently hold ISO 27001 or SOC 2 certification. If your procurement process requires these, we are not your vendor yet. We will update this section if that changes.
11. Children
The Service is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact privacy@codebahn.net and we will delete it.
12. Changes to this policy
We may update this policy from time to time. We will notify you of material changes at least 30 days before they take effect, by email. The updated policy will be posted at codebahn.net/privacy with the revision date.
Hackerman AB
Drakenbergsgatan 33, 412 69 Gothenburg, Sweden
Org. nr: 559079-1918
privacy@codebahn.net · legal@codebahn.net · security@codebahn.net