Privacy Policy

How we collect, use, and protect your information.

Last updated: February 25, 2026
I

Introduction & Data Controller

This Privacy Policy describes how Sidequest Labs ("Ancla," "we," "us," or "our") collects, uses, stores, and protects information when you use the Ancla platform and related services (the "Service"). This Policy applies to all visitors, users, and customers of the Service.

Ancla acts as a data controller for personal data we collect directly from you (account information, usage data, technical data) as described in this Policy. When you deploy applications that process personal data of your own users, Ancla acts as a data processor on your behalf, governed by our Data Processing Agreement.

Our Data Protection Officer can be reached at dpo@ancla.dev.

II

Information We Collect

Account information. When you create an account, we collect your name, email address, and authentication credentials (hashed passwords or OAuth tokens). If you sign in via a third-party provider (GitHub, Google, GitLab, or other supported providers), we receive the profile information authorized by that provider, which typically includes your name, email, avatar, and provider-specific user identifier.

Billing information. If you subscribe to a paid plan, we collect billing details such as your company name, billing address, and payment method. Payment card details are processed and stored exclusively by our PCI-compliant payment processor; we do not store full card numbers on our systems.

Usage data. We collect information about how you interact with the Service, including deployment events, build logs, API requests, CLI commands, feature usage, and administrative actions. This data helps us provide the Service, diagnose issues, enforce our Terms, and improve the platform.

Technical data. We automatically collect IP addresses, browser type and version, operating system, device identifiers, referring URLs, pages visited, and timestamps when you access the Service.

Your Content. We process the application code, container images, configuration files, environment variables, database connection strings, and other data you deploy to or store on the Service. Environment variables and secrets are encrypted at rest and in transit and are only decrypted at runtime within your application containers. We do not access, review, or use Your Content except as strictly necessary to provide the Service, comply with applicable law, or respond to a support request you initiate.

III

Legal Basis for Processing

We process your personal data under the following legal bases, as applicable under the EU General Data Protection Regulation (GDPR) and equivalent laws:

Performance of a contract (Art. 6(1)(b) GDPR). Processing necessary to provide the Service, manage your account, process deployments, and fulfill our contractual obligations under the Terms of Service.

Legitimate interests (Art. 6(1)(f) GDPR). Processing necessary for our legitimate interests, including: operating and improving the Service; detecting and preventing fraud, abuse, and security incidents; understanding usage patterns; and communicating service updates. We balance these interests against your rights and freedoms and do not process where your interests override ours.

Legal obligation (Art. 6(1)(c) GDPR). Processing necessary to comply with applicable laws, regulations, legal processes, or enforceable governmental requests.

Consent (Art. 6(1)(a) GDPR). Where we rely on consent (e.g., for optional marketing communications or non-essential cookies), you may withdraw consent at any time without affecting the lawfulness of prior processing.

IV

How We Use Your Information

We use your information to: (a) provide, operate, maintain, and improve the Service; (b) process your deployments, builds, and infrastructure management; (c) authenticate your identity and manage account access; (d) communicate with you about your account, including transactional emails, service updates, security alerts, and billing notices; (e) detect, investigate, and prevent fraud, abuse, unauthorized access, and security incidents; (f) comply with applicable laws and respond to legal processes; and (g) enforce our Terms of Service and protect our rights.

We do not sell, rent, or trade your personal information to third parties. We do not use Your Content to train machine learning models, for advertising purposes, or for any purpose other than providing the Service as described in these Terms.

V

Data Storage, Security & Retention

Storage. Your data is stored on infrastructure we manage. All data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Environment variables and secrets use additional application-layer encryption and are decrypted only at runtime within isolated application containers.

Security measures. We implement technical and organizational measures appropriate to the risk, including: role-based access controls with least-privilege principles; multi-factor authentication for infrastructure access; regular vulnerability assessments and penetration testing; audit logging of administrative and system access; incident detection, response, and recovery procedures; and employee security training. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

Retention. We retain your personal data for as long as necessary to fulfill the purposes described in this Policy:

(a) Account data is retained while your account is active and for thirty (30) days after account deletion to support data export.
(b) Billing records are retained for seven (7) years as required by tax and accounting regulations.
(c) Usage and technical logs are retained for ninety (90) days for operational purposes, unless longer retention is required for security investigations.
(d) Your Content (deployed applications, images, configurations) is deleted within thirty (30) days of account termination, with backup copies destroyed within ninety (90) days.
(e) Support communications are retained for three (3) years from the date of last interaction.

VI

Data Sharing & Third Parties

We share your information only in the following circumstances:

Service providers. We engage trusted third-party service providers who process data on our behalf to operate the Service, including cloud infrastructure providers, payment processors, email delivery services, and monitoring tools. All service providers are bound by data processing agreements with obligations no less protective than those described in our DPA. A list of current sub-processors is available upon request.

Legal requirements. We may disclose your information to law enforcement, regulatory authorities, or government agencies when required by applicable law, regulation, court order, or governmental request. Where legally permitted, we will notify you of such requests before disclosing your information.

Business transfers. In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service of any such change in ownership and of any choices you may have regarding your information.

With your consent. We may share your information with third parties when you have explicitly consented to or directed such sharing.

VII

Cookies & Tracking Technologies

Essential cookies. We use strictly necessary cookies to maintain your authenticated session, preserve your preferences (such as theme selection), and enable core Service functionality. These cookies cannot be disabled without breaking the Service.

Analytics. We use privacy-respecting, cookieless analytics (Fathom Analytics) to understand aggregate usage patterns such as page views and feature adoption. This analytics service does not use cookies, does not track users across sites, and does not collect personal identifiers. It is compliant with GDPR, ePrivacy, PECR, and CCPA without requiring consent banners.

We do not use third-party advertising trackers, retargeting pixels, or share browsing data with advertisers. We do not engage in cross-site tracking.

VIII

Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data. We honor these rights regardless of where you are located, to the extent technically feasible:

Under the GDPR (EU/EEA/UK): (a) Right of access (Art. 15) — obtain a copy of your personal data; (b) Right to rectification (Art. 16) — correct inaccurate or incomplete data; (c) Right to erasure (Art. 17) — request deletion of your data, subject to legal retention obligations; (d) Right to restrict processing (Art. 18) — limit how we process your data in certain circumstances; (e) Right to data portability (Art. 20) — receive your data in a structured, machine-readable format; (f) Right to object (Art. 21) — object to processing based on legitimate interests, including profiling; (g) Right to withdraw consent (Art. 7(3)) — withdraw consent at any time for consent-based processing; (h) Right to lodge a complaint — file a complaint with your local supervisory authority.

Under the CCPA/CPRA (California): (a) Right to know what personal information we collect, use, disclose, and sell; (b) Right to delete your personal information; (c) Right to opt out of the sale or sharing of personal information — we do not sell or share your personal information; (d) Right to non-discrimination for exercising your privacy rights; (e) Right to correct inaccurate personal information; (f) Right to limit the use of sensitive personal information.

To exercise any of these rights, contact us at privacy@ancla.dev. We will verify your identity before processing your request and respond within thirty (30) days (or within the timeframe required by applicable law). If we need additional time, we will inform you of the reason and extension period.

IX

International Data Transfers

Your data may be processed in countries other than your country of residence, including the United States. When we transfer personal data outside the European Economic Area (EEA), the United Kingdom, or Switzerland, we ensure appropriate safeguards are in place, including:

(a) EU Standard Contractual Clauses (SCCs) as adopted by the European Commission (Decision 2021/914); (b) the UK International Data Transfer Addendum; (c) the Swiss-U.S. Data Privacy Framework, where applicable; or (d) other transfer mechanisms recognized under applicable data protection law.

You may request a copy of the relevant transfer safeguards by contacting privacy@ancla.dev.

X

Automated Decision-Making

We do not engage in solely automated decision-making or profiling that produces legal or similarly significant effects on you. Automated systems used within the Service (e.g., build optimization, resource scaling, abuse detection) do not make decisions affecting your legal rights and are subject to human oversight.

XI

Children's Privacy

The Service is not directed to individuals under eighteen (18) years of age. We do not knowingly collect personal information from children under 18 (or under 16 in the EEA, as applicable). If we become aware that a child has provided us with personal information, we will promptly take steps to delete it. If you believe we have inadvertently collected such information, please contact us at privacy@ancla.dev.

XII

Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technologies, legal requirements, or other factors. We will provide at least thirty (30) days' prior notice of material changes via email to the address associated with your account or through a prominent notice within the Service.

We encourage you to review this Policy periodically. Your continued use of the Service after the effective date of changes constitutes acceptance of the updated Policy. If you do not agree to the changes, you must stop using the Service before the updated Policy takes effect.

XIII

Contact & Representatives

For questions, concerns, or requests regarding this Privacy Policy or our data practices:

General inquiries: privacy@ancla.dev
Data Protection Officer: dpo@ancla.dev
Security matters: security@ancla.dev

If you are located in the EU/EEA or UK and wish to contact a local representative, please reach out to dpo@ancla.dev for current representative contact details.