Privacy & Data Protection
How we handle personal data across the website and Upwarden Cloud, and your rights under the GDPR.
Draft — not yet legally reviewed. The technical descriptions below reflect how the site and service are built, but the legal specifics (controller identity, legal bases, processor list, retention, transfers) are placeholders to be confirmed by counsel and your DPO before launch. Not legal advice.
Last updated: 9 July 2026
1. Controller
The data controller is [legal entity], [address] — see the Impressum. Data-protection contact: [privacy@upwarden.io] / [DPO, if appointed].
2. The website
The marketing site is a static site and sets no tracking cookies. We intend to use privacy-first, cookieless analytics that do not profile individuals. Our hosting provider may process technical connection data (e.g. IP address, user agent) in server logs to deliver and secure the site. [Confirm provider + log retention.]
3. Forms (demo & Upwarden Cloud early access)
If you submit the demo/contact or early-access form, we process the details you provide (e.g. name, work email, company, message) to respond and, where relevant, to onboard you. Form submissions are handled via our forms processor [Netlify Forms]. We use this data to contact you about Upwarden and do not sell or share it.
4. Upwarden Cloud (managed service)
When you use the managed service we process account and tenant data, project metadata, and audit logs. Upwarden is a registry proxy: it sees package coordinates (names and versions) and the artifacts it serves — not your source code. Every tenant is isolated. Sub-processors may include [hosting], [authentication: Stytch], and [email]. Retention varies by plan. Self-hosting keeps all of this inside your own infrastructure with no telemetry to us.
5. Audit-log retention
Upwarden records an audit event for security- and policy-relevant actions (dependency decisions, configuration changes, authentication, and administrative actions). Under the storage-limitation principle (GDPR Art. 5(1)(e)) we retain these audit events only as long as needed, for a period that depends on your plan:
| Plan | Audit-log retention |
|---|---|
| Free | 7 days |
| Team | 30 days |
| Org | 365 days (1 year) |
| Enterprise | Retained for the life of the account (no automatic deletion) |
When your plan's retention period elapses, the corresponding audit events are permanently deleted from our systems, and deletion is irreversible. A minimum floor of 7 days applies to all plans: audit events are never deleted sooner than 7 days after they are recorded.
Exception — records of erasure. Where you exercise your right to erasure or close your account (see Your rights), the specific audit records documenting that the erasure took place are retained as our lawful record that we honoured the request, even though the underlying activity data is deleted. These records contain no package, project, or user activity content. [Retention periods and the erasure-record basis to be confirmed by counsel.]
6. Legal bases (GDPR Art. 6)
We rely on: performance of a contract (providing the service you request); legitimate interests (securing and improving the service, responding to enquiries); and consent where required (e.g. optional communications). [Confirm mapping per processing activity.]
7. International transfers
Where data is processed outside the EEA, we rely on appropriate safeguards such as Standard Contractual Clauses. [Confirm transfer mechanisms per processor.]
8. Your rights
Under the GDPR you have the right to access, rectify, erase, restrict and port your personal data, and to object to certain processing. You may withdraw consent at any time, and you have the right to lodge a complaint with a supervisory authority. To exercise your rights, contact [privacy@upwarden.io].
9. Changes
We may update this policy; the "last updated" date reflects the latest revision.
See also Impressum and Terms of Service.