ServerVault

Privacy Policy

Last updated: May 28, 2026

This Policy covers users worldwide. EU/EEA users: see sections 3, 7, and 12 for GDPR-specific information. California residents: see section 13 for CCPA/CPRA rights. Other US state residents: see section 14.

1. Introduction & Data Controller

This Privacy Policy explains how ServerVault ("we," "us," or "our") collects, uses, stores, and shares your personal data when you use our server management platform at servervault.dev (the "Service"). ServerVault acts as the data controller for account and billing information and as a data processor for any personal data you store on servers connected to the Service.

For data protection enquiries, contact us via the contact page. EU/EEA users may also contact their national supervisory authority.

2. Information We Collect

We collect the following categories of personal data:

  • Account data: name, email address, and hashed password (bcrypt) provided at registration.
  • Server & infrastructure data: IP addresses, hostnames, SSH public keys, and configuration details for servers you add to the Service.
  • Git provider tokens: OAuth access tokens for GitHub, GitLab, or Bitbucket when you connect a repository — stored encrypted (AES-256-GCM) and scoped to repository listing and webhook management only.
  • Operational data: deploy logs, server metrics (CPU, RAM, disk), application configurations, and database credential references (passwords stored encrypted).
  • Billing data: subscription plan, billing cycle, and payment history. Card numbers and banking details are processed and stored exclusively by Stripe — we never receive or store full card numbers.
  • Communication data: messages you send via our contact form or live chat widget, including name, email, and message content.
  • Technical data: IP address, browser type, and session identifiers collected automatically when you access the Service.

3. Lawful Bases for Processing (GDPR — EU/EEA Users)

Under the GDPR, we rely on the following lawful bases for processing your personal data:

  • Contract performance (Art. 6(1)(b)): Processing your account data, server data, and billing information is necessary to provide the Service you have contracted for.
  • Legitimate interests (Art. 6(1)(f)): We process technical and operational data to ensure security, prevent fraud, diagnose issues, and improve the Service. Our interests are balanced against your rights and freedoms.
  • Legal obligation (Art. 6(1)(c)): We retain certain billing and transaction records to comply with applicable tax and financial reporting laws.
  • Consent (Art. 6(1)(a)): Where we send optional marketing communications or use non-essential cookies, we rely on your consent. You may withdraw consent at any time without affecting prior processing.

4. How We Use Your Information

  • To create and manage your account and authenticate your sessions.
  • To connect to and manage the servers you register, including running commands via the agent protocol.
  • To process payments, issue invoices, and manage subscription renewals via Stripe.
  • To send transactional emails: account verification, password resets, billing receipts, and trial expiry reminders.
  • To display server metrics, deploy logs, and application status within the dashboard.
  • To respond to support requests and live chat messages.
  • To detect, prevent, and investigate security incidents, fraud, and abuse.
  • To comply with applicable legal obligations.
  • We do not use your data for advertising, profiling for marketing purposes, or automated individual decision-making with legal or similarly significant effects.

5. Git Provider Integrations

When you connect GitHub, GitLab, or Bitbucket via OAuth, we request the minimum permissions necessary to list your repositories and register push webhooks for automated deployments. Access tokens are stored encrypted (AES-256-GCM) and are never shared with third parties beyond what is required for the integration to function. You may disconnect any integration at any time from your account settings, which immediately revokes and deletes our stored token. Disconnecting will disable auto-deploy functionality for affected applications.

6. Data Sharing & Sub-Processors

We do not sell, rent, or trade your personal data. We share data only with the following categories of third parties, each bound by appropriate data processing agreements:

  • Stripe, Inc. (payment processing) — processes billing and subscription data. Stripe is certified PCI DSS Level 1. Data may be processed in the USA under Standard Contractual Clauses.
  • Cloud infrastructure providers — host the ServerVault application and database. Data is processed under data processing agreements with EU Standard Contractual Clauses or equivalent safeguards where applicable.
  • Transactional email providers — used to deliver account and billing emails. Only your email address and relevant message content are shared.
  • Git providers (GitHub/GitLab/Bitbucket) — data is shared only to the extent you authorize via OAuth.
  • Law enforcement / legal process: We may disclose personal data if required by a valid court order, subpoena, or applicable law, or where necessary to protect our legal rights or prevent harm.

7. International Data Transfers

ServerVault operates globally. If you are located in the European Union or European Economic Area, your personal data may be transferred to and processed in countries outside the EEA, including the United States. Where such transfers occur, we ensure an adequate level of protection by relying on:

  • European Commission adequacy decisions where applicable.
  • Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to third countries.
  • Binding Corporate Rules or other approved transfer mechanisms where SCCs are not available.
  • You may request a copy of the relevant transfer safeguards by contacting us.

8. Data Retention

We retain personal data only as long as necessary for the purposes described in this Policy or as required by law:

  • Account data: retained for the lifetime of your account plus 90 days after deletion to allow recovery.
  • Server metrics & deploy logs: retained for 90 days, then automatically deleted.
  • Billing records & invoices: retained for 7 years to comply with tax and accounting obligations.
  • Support & chat messages: retained for 2 years.
  • Security & access logs: retained for 12 months.
  • Following account deletion, all remaining personal data is purged within 90 days except where retention is required by law.

9. Cookies & Tracking

We use only the cookies strictly necessary to operate the Service:

  • Session cookie (servervault_session): authenticates your logged-in session. Duration: browser session.
  • CSRF token cookie (XSRF-TOKEN): protects form submissions from cross-site request forgery. Duration: browser session.
  • Language preference cookie: stores your selected language. Duration: 1 year.
  • We do not use third-party analytics cookies, advertising cookies, or tracking pixels. No data is sent to Google Analytics, Meta, or similar platforms.
  • Because we use only strictly necessary cookies, no cookie consent banner is required under the ePrivacy Directive. If we introduce non-essential cookies in the future, we will update this Policy and seek your consent.

10. Security

We implement appropriate technical and organizational security measures, including:

  • Encrypted connections (TLS 1.2+) for all data in transit.
  • AES-256-GCM encryption for sensitive stored credentials (OAuth tokens, database passwords, agent keys).
  • Bcrypt hashing with per-user salts for account passwords.
  • Agent tokens stored as cryptographic hashes — never in plaintext.
  • Access controls limiting employee access to personal data on a need-to-know basis.
  • In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours as required by GDPR (Art. 33), and affected users without undue delay where required (Art. 34).

11. Children's Privacy

The Service is not directed at children under the age of 13 (or 16 in certain EU member states). We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child below the applicable minimum age, we will delete that data promptly. If you believe a child has provided us with personal data, please contact us immediately.

12. GDPR Rights (EU/EEA Users)

If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation. To exercise any right, contact us via the contact page with the subject "GDPR Request." We will respond within 30 days (extendable to 60 days for complex requests with notice):

  • Right of Access (Art. 15): Obtain a copy of the personal data we hold about you and information about how it is processed.
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data. Most account data can be updated directly in your profile settings.
  • Right to Erasure (Art. 17): Request deletion of your personal data where it is no longer necessary for the original purpose, you withdraw consent, or you object to processing. Subject to legal retention obligations.
  • Right to Restriction of Processing (Art. 18): Request that we limit processing of your data in certain circumstances (e.g., while accuracy is contested).
  • Right to Data Portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format (JSON/CSV) and have it transmitted to another controller where technically feasible.
  • Right to Object (Art. 21): Object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
  • Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
  • Right not to be subject to automated decision-making (Art. 22): We do not make solely automated decisions that produce legal or similarly significant effects.
  • Right to lodge a complaint: You have the right to lodge a complaint with your national data protection supervisory authority (e.g., ICO in the UK, CNIL in France, BfDI in Germany, or the authority in your EU member state).

13. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you the following rights. To submit a verifiable consumer request, contact us via the contact page with the subject "CCPA Request." We will respond within 45 days (extendable to 90 days with notice):

  • Right to Know: Request disclosure of the categories and specific pieces of personal information collected about you in the past 12 months, the purposes of collection, and the categories of third parties with whom it was shared.
  • Right to Delete: Request deletion of personal information we have collected, subject to exceptions (e.g., legal obligations, security).
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information with third parties for cross-context behavioral advertising purposes. No opt-out is required.
  • Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information (as defined under CPRA) for purposes beyond those necessary to provide the Service.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA/CPRA rights.
  • Shine the Light (Cal. Civ. Code § 1798.83): California residents may request information about disclosures of personal information to third parties for their direct marketing purposes in the preceding calendar year. We do not disclose personal information for third-party direct marketing.
  • Authorized agents may submit requests on your behalf with written proof of authorization and identity verification.

14. Other US State Privacy Rights

Residents of certain US states have additional privacy rights under state law. We extend the following rights to residents of Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), and other states with comprehensive privacy laws, to the extent required:

  • Right to access personal data we process about you.
  • Right to correct inaccuracies in your personal data.
  • Right to delete personal data provided by or obtained about you.
  • Right to data portability — obtain a copy of your data in a portable format.
  • Right to opt out of targeted advertising, sale of personal data, and profiling for decisions with significant effects. We do not engage in any of these activities.
  • To exercise these rights, contact us via the contact page. We will respond within the timeframe required by applicable state law.

15. Marketing Communications

We send transactional emails (account verification, password resets, billing receipts, trial expiry notices) as necessary to provide the Service — these are not marketing and do not require opt-in. If we introduce optional marketing emails in the future, we will obtain your prior consent where required by law (including GDPR and CAN-SPAM). You may unsubscribe from any marketing email at any time via the unsubscribe link in the email.

16. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email or a prominent in-app notice at least 30 days before the changes take effect. The updated Policy will display the revised "Last updated" date at the top. For EU/EEA users, where changes involve a new lawful basis or new purposes for processing, we will seek fresh consent where required.

17. Contact & Data Requests

For privacy questions, data subject requests, or complaints, contact us via the contact page with the relevant subject line (e.g., "GDPR Request," "CCPA Request," or "Privacy Question"). We will acknowledge receipt within 5 business days and respond within the applicable statutory deadline.
