Privacy Policy

Last updated: June 12, 2026

This policy explains what personal data ichibase (“we”) processes, why, and your rights. It covers data about account holders. Where you use ichibase to build an application, the data of your application’s end users is processed by us on your behalf — see “Customer end-user data” below.

Data we process (account holders)

• Account: email, name, and — if you sign in with Google/GitHub — your basic OAuth profile.
• Project metadata: project names, plan, configuration, usage/metering, and audit logs of actions you take.
• Payments: handled by Paddle (our Merchant of Record). We receive billing status and invoices — we never see or store your full card details.
• Technical/security: IP address and request logs, used for security (e.g. abuse/rate-limit banning) and operating the Service.
• Cookies: a single strictly-necessary session cookie to keep you logged in. We use no advertising or third-party tracking cookies.

Why we process it (legal bases)

• To provide the Service and your account — performance of our contract with you.
• To secure the Service and prevent abuse — our legitimate interests.
• To bill paid plans and meet tax/accounting duties — contract and legal obligation.

Customer end-user data (we act as processor)

When you build an app on ichibase, you are the data controller for your end users’ data; we are your processor and only process it to provide the Service per these terms and your instructions. You’re responsible for your own privacy notice and lawful basis toward your users. Contact us for a Data Processing Agreement.

Sub-processors

We rely on these providers to run the Service:

• Hetzner (Germany, EU) — server hosting / compute.
• Cloudflare — DNS, CDN, object storage (R2), and edge security.
• Paddle — payments / Merchant of Record.
• Resend — transactional email (verification, alerts, lifecycle notices).
• Vercel — hosting for this dashboard.

Where data is stored

The control plane and free-tier data are hosted in the EU (Germany). Paid projects run in the region you choose. Some sub-processors are based outside the EU; where that involves an international transfer, it’s covered by appropriate safeguards (e.g. Standard Contractual Clauses).

Retention

• Account & project metadata: kept while your account is active.
• Backups (paid projects + our control database): rolling, typically 7 days.
• Free projects are not backed up and are deleted after 7 days of inactivity (see Terms). Deletion is final.
• On account deletion, we remove your data within a reasonable period, except where we must retain limited records (e.g. invoices) by law.

Your rights

Subject to applicable law (including the GDPR), you may request access, correction, deletion, a portable copy, restriction of, or objection to our processing of your personal data, and you may withdraw consent where processing relies on it. You can also lodge a complaint with your local data-protection authority. To exercise any right, contact us below.

Security

We encrypt secrets at rest, use TLS in transit, scope credentials tightly, and restrict administrative access. No system is perfectly secure, but we work to protect your data.

Cookies

We use only a strictly-necessary session cookie to keep you signed in — no analytics, advertising, or cross-site tracking cookies. Because it’s essential to the Service, no consent banner is required. If we add analytics later, we’ll update this policy and ask for consent where needed.

Changes & contact

We may update this policy; we’ll revise the “last updated” date and, for material changes, give notice. Questions or requests: support@ichibase.com.