Privacy Policy
Last updated: April 9, 2026
1. Data Controller
CompactHive is operated by David Utěšil, IČO: 87793016, Prague, Czech Republic.
For any privacy-related questions or requests, contact us at [email protected].
2. Data We Collect
Account Data
- Email address — used for authentication, notifications, and communication
- Name — display name, provided optionally at signup
- Company name — your organization's name
- Password — stored as a one-way bcrypt hash. We never store or have access to your plaintext password.
Billing Data
Payment is processed by Stripe. Your card details are sent directly to Stripe and never touch our servers. We store only the card brand (e.g., Visa) and last four digits for display purposes.
Security Data
For fraud prevention and security auditing, we log:
- IP address — recorded on login, signup, and security-relevant actions
- User agent — browser/client information
- Action timestamps — when you log in, enable services, etc.
Customer Workloads
Whatever you deploy in your Kubernetes namespace (application code, databases, files, configurations) is stored on our infrastructure. We do not inspect, analyze, or access this data except as described in section 4.
3. How We Use Your Data
- Authentication and authorization — to verify your identity and manage access
- Service delivery — to provision and operate your infrastructure
- Billing — to process payments and generate invoices
- Communication — to send service notifications (provisioning complete, deploy failures, trial reminders)
- Security — to detect and prevent fraud, abuse, and unauthorized access
We do not use your data for advertising, profiling, behavioral tracking, or selling to third parties.
4. When We Access Your Workloads
We access customer workloads only when strictly necessary:
- Troubleshooting infrastructure issues affecting your environment
- Responding to security incidents
- Complying with a valid legal obligation (e.g., court order)
We will notify you when we access your workloads, unless prohibited by law.
You can export your workloads at any time using standard tools (kubectl, pg_dump, etc.) via the portal or direct cluster access.
5. Our Role as Data Processor
For personal data that you or your end users store in applications you deploy on CompactHive, we act as a data processor on your behalf. You remain the data controller for that data. A Data Processing Agreement (DPA) is available at compacthive.io/dpa.
6. Third-Party Processors
We share data with the following service providers, solely for the purposes described:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Card details (direct to Stripe), email, billing info |
| Resend | Transactional email | Email address, name (for email personalization) |
| Cloudflare | DNS, TLS termination, reverse proxy, email routing | Domain routing data, IP addresses, request metadata |
| Hetzner | Infrastructure hosting, encrypted backup storage | Customer workloads, encrypted backup archives |
| Oracle Cloud | Network gateway infrastructure | Request routing metadata, IP addresses |
For the full list of sub-processors with locations and safeguards, see our Sub-processors page. We do not use any analytics, advertising, or tracking services.
7. Data Retention
- Active account: all data retained while your account exists
- After account deletion: all customer data (workloads, account information) is deleted from live systems within 30 days. Data may persist in encrypted backups for up to 30 additional days, after which backups are automatically rotated.
- Accounting records: invoices and transaction records are retained as required by Czech law (typically 5–10 years), even after account deletion.
- Security audit logs: retained for up to 30 days after account deletion for security and abuse prevention purposes, then permanently purged.
8. Your Rights (GDPR)
Under the General Data Protection Regulation (GDPR), you have the following rights:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate personal data
- Erasure — request deletion of your account and all associated data
- Restriction — request that we limit processing of your personal data in certain circumstances
- Data portability — receive your personal data in a structured, machine-readable format
- Objection — object to specific processing of your data
- Complaint — lodge a complaint with the Czech Data Protection Authority (Úřad pro ochranu osobních údajů, uoou.cz)
To exercise any of these rights, email [email protected]. We will respond within 30 days.
9. Cookies
CompactHive uses a single, strictly necessary session cookie (ch-app-session) to maintain your authenticated session. This cookie:
- Is set only after you log in
- Contains a signed session token with your email and display name for authentication purposes
- Expires after 24 hours
- Is marked HttpOnly and SameSite=Lax (cannot be read by JavaScript or sent cross-site)
We do not use analytics cookies, tracking cookies, advertising cookies, or any third-party cookies. No cookie consent banner is required as session cookies are exempt under the ePrivacy Directive.
10. Security Measures
- Passwords are hashed with bcrypt (never stored in plaintext)
- All external traffic is encrypted via TLS. Internal traffic is encrypted via a WireGuard mesh.
- Authentication endpoints are protected by rate limiting and account lockout
- Security-relevant events are logged and monitored
- Infrastructure is hosted in the Czech Republic
- Tenant environments are isolated via Kubernetes namespaces with resource quotas
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
Questions about this policy? Contact us at [email protected].