Privacy Policy
Effective Date: 1 May 2026
1. Introduction
This Privacy Policy explains how WhiteCloud Project S.R.L. ("Company", "we", "us", "our"), operating the Orkestr platform ("Platform", "Service") at orkestr.eu, collects, uses, stores, and shares your personal data when you visit our website, create an account, or use our services.
We are committed to protecting your privacy and processing your personal data in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and applicable Romanian data protection law.
Please read this policy carefully. By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, please do not use the Service.
2. Data Controller
The data controller for the personal data processed through the Platform is:
Company: WhiteCloud Project S.R.L.
Country: Romania
Email: privacy@orkestr.eu
If you have any questions or concerns about how we process your personal data, or if you wish to exercise your rights under the GDPR, please contact us at the address above.
3. What Personal Data We Collect
3.1 Account Data
When you create an account or connect a Git provider (GitHub, GitLab, Bitbucket, Codeberg, or any provider we may support in the future) via OAuth, we collect: your provider username and user ID; your email address (as provided by the provider); your display name and avatar URL (as provided by the provider); and your OAuth access token (encrypted at rest, used solely to access your repositories on your behalf).
3.2 Project and Deployment Data
When you create projects and deploy applications, we collect: repository URLs and branch names; project names and configuration settings; environment variable names and values (values are encrypted at rest using AES-256 and are never returned in plaintext via API responses); deployment logs (build output, runtime logs); container resource usage metrics (CPU, memory, network I/O); and custom domain names you configure.
3.3 Billing Data
If you subscribe to a paid plan, billing is processed by Mollie B.V. (Netherlands). We do not store your full credit card number, CVV, or bank account details. We receive from Mollie: a truncated card identifier (last four digits and card brand); billing email and billing address; payment history and invoice records; and your Mollie Customer ID.
3.4 Usage and Analytics Data
We collect information about how you interact with the Platform, including: pages visited, features used, and actions taken within the dashboard; deployment frequency and patterns; API requests and error rates; and browser type, operating system, screen resolution, and language preference.
3.5 Communication Data
When you contact us for support or other enquiries, we collect: your email address and name; the content of your messages; and any attachments you provide.
3.6 Technical and Security Data
We automatically collect certain technical data for security and operational purposes: IP addresses (for authentication, abuse prevention, and logging); timestamps of account activity; session identifiers; and server access logs.
3.7 Data We Do Not Collect
We do not intentionally collect any special categories of personal data (such as racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, or data concerning sexual orientation). If you inadvertently include such data in your applications or communications, we will delete it upon becoming aware of it and upon your request.
4. How We Use Your Personal Data
We process your personal data for the following purposes and legal bases under Article 6 GDPR:
| Purpose | Legal Basis |
|---|---|
| Providing and operating the Service (account management, deployments, hosting) | Performance of contract (Art. 6(1)(b)) |
| Billing and payment processing | Performance of contract (Art. 6(1)(b)) |
| Security monitoring, abuse prevention, and fraud detection | Legitimate interest (Art. 6(1)(f)) |
| Transactional emails (deployment status, account alerts) | Performance of contract (Art. 6(1)(b)) |
| Product announcements and changelog updates | Legitimate interest (Art. 6(1)(f)) |
| Platform improvement, analytics, and performance monitoring | Legitimate interest (Art. 6(1)(f)) |
| Responding to support requests | Performance of contract (Art. 6(1)(b)) |
| Compliance with legal obligations (tax records, law enforcement requests) | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interest, we have conducted a balancing test and determined that our interests do not override your fundamental rights and freedoms. You may object to processing based on legitimate interest at any time (see Section 9).
5. Who We Share Your Data With
We do not sell your personal data. We share personal data only with the following categories of recipients, and only to the extent necessary for the stated purposes:
5.1 Infrastructure Providers
Hetzner Online GmbH (Germany/Finland) -- server hosting and compute. Your application containers, deployment data, and associated metadata are stored on Hetzner infrastructure within the EU.
5.2 CDN and DNS Provider
Bunny CDN d.o.o. (Slovenia, EU) -- DNS and content delivery. Bunny CDN processes request metadata (IP addresses, request headers) at their global edge. As an EU-based company, Bunny CDN processes data within the EEA by default.
5.3 Payment Processor
Mollie B.V. (Netherlands, EU) -- payment processing. Mollie processes billing data under their own privacy policy and acts as an independent data controller for payment data. As an EU-based company, Mollie processes all payment data within the EEA.
5.4 Source Code Hosting
Git hosting providers (GitHub, GitLab, Bitbucket, Codeberg, and any additional providers we may integrate) -- repository access. We access your repositories via OAuth tokens you provide. We do not share additional data with these providers beyond what is necessary for repository cloning during deployments.
We do not store your source code. During deployments, your repository is cloned into a temporary directory solely for the purpose of building a Docker image. Once the build completes -- whether it succeeds or fails -- the source code is immediately and automatically deleted. Only the compiled Docker image is retained on our infrastructure for the purpose of running your application.
When you delete a project, all associated resources are permanently removed: running containers are destroyed, all Docker images are deleted from the registry, and deployment history, environment configurations, and environment variables are erased. This action is immediate and irreversible.
When you delete an add-on (managed database or cache), the container and its data volume are permanently destroyed. All associated backups are also deleted. This action is irreversible and results in complete loss of the add-on's data.
5.5 Email and Communications
Resend, Inc. (USA) -- transactional email delivery (deployment notifications, account alerts, billing receipts). Resend processes recipient email addresses and message content on our behalf. Resend operates under Standard Contractual Clauses (SCCs) for data transfers outside the EEA.
5.6 Legal and Regulatory
We may disclose personal data to law enforcement authorities, regulators, or courts where required by applicable law, legal process, or government request. We will notify you of such disclosures unless prohibited by law.
5.7 Business Transfers
In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal data may be transferred to the acquiring entity. We will notify you of any such transfer and any changes to this Privacy Policy.
5.8 Sub-Processor List
The following is our current list of sub-processors. We will update this list when sub-processors are added or removed and notify paid-plan users by email at least 14 days in advance.
| Sub-Processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Hetzner Online GmbH | Server hosting, compute | Germany, Finland | EEA (no transfer) |
| Bunny CDN d.o.o. | DNS, CDN, content delivery | Slovenia (EU) | EEA (no transfer) |
| Mollie B.V. | Payment processing | Netherlands (EU) | EEA (no transfer) |
| Resend, Inc. | Transactional email delivery | USA | SCCs |
6. International Data Transfers
Your primary application data is hosted within the European Economic Area (EEA) on Hetzner infrastructure in Germany and Finland. Our primary sub-processors (Bunny CDN, Mollie) are EU-based companies. However, certain sub-processors (Resend) may process limited data outside the EEA.
Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place, including: EU Standard Contractual Clauses (SCCs) adopted by the European Commission; adequacy decisions by the European Commission; the EU-US Data Privacy Framework where applicable; or your explicit consent where no other mechanism is available.
You may request information about the specific safeguards applied to any international transfer by contacting privacy@orkestr.eu.
7. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption of sensitive data at rest (environment variables, OAuth tokens, database credentials)
- Encryption of data in transit (TLS/HTTPS for all connections)
- Container isolation between users (separate Docker containers with resource limits)
- Access controls and authentication for all administrative systems
- Regular security updates and patching of infrastructure
- Monitoring for anomalous activity and potential security incidents
- Automated abuse detection systems (CPU anomaly detection, network traffic monitoring, dependency scanning)
While we take reasonable precautions, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data. You are responsible for maintaining the security of your account credentials and for the security of your own applications.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The following table summarises our retention periods:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data (username, email, OAuth tokens) | Duration of account + 30 days | Service provision, post-deletion cleanup |
| Deployment logs (build output) | 90 days | Debugging and audit |
| Application runtime logs | 30 days | Operational monitoring |
| Container resource metrics (CPU, memory) | 90 days | Monitoring and capacity planning |
| Billing records and invoices | 7 years after generation | Romanian tax law (Codul Fiscal) |
| Server access and security logs (IP addresses) | 90 days | Security and abuse prevention |
| Support correspondence | Duration of account + 1 year | Continuity of support, dispute resolution |
| Add-on backups (database/cache) | 7 days (Pro) / 30 days (Team) | Disaster recovery; automatically pruned after retention period |
| Anonymised analytics | Indefinite | Not personal data (cannot identify you) |
When data reaches the end of its retention period, it is permanently deleted or irreversibly anonymised. You may request earlier deletion of your data by exercising your right to erasure (see Section 9), subject to legal retention requirements.
9. Your Rights Under the GDPR
As a data subject under the GDPR, you have the following rights. You may exercise these rights by contacting us at privacy@orkestr.eu.
Right of Access (Art. 15): You have the right to obtain confirmation of whether we process your personal data and, if so, to request a copy of that data along with information about how it is processed.
Right to Rectification (Art. 16): You have the right to request correction of inaccurate personal data or completion of incomplete data.
Right to Erasure (Art. 17): You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent, or where processing is unlawful. Note that we may retain certain data where required by law (e.g., billing records for tax purposes).
Right to Restriction (Art. 18): You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of the data or object to processing based on legitimate interest.
Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON) and to transmit it to another controller.
Right to Object (Art. 21): You have the right to object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
Right to Withdraw Consent (Art. 7(3)): Where processing is based on your consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority. The competent authority in Romania is the Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP), Blvd. G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest, Romania.
We will respond to requests within 30 days. This period may be extended by a further 60 days for complex or numerous requests, in which case we will inform you of the extension and the reasons for it.
10. Account Deletion
You may delete your account at any time through the Platform dashboard or by emailing support@orkestr.eu. Upon account deletion:
- All active deployments will be stopped and containers destroyed within 24 hours
- Your project data, deployment logs, environment variables, and container images will be permanently deleted within 30 days
- Your account data (username, email, OAuth tokens) will be deleted within 30 days
- Billing records will be retained for 7 years as required by Romanian tax law
- Server and security logs containing your IP address will be retained for up to 90 days
- Anonymised and aggregated analytics data (which cannot identify you) may be retained indefinitely
11. Cookies and Tracking Technologies
11.1 Essential Cookies
We use strictly necessary cookies for authentication and session management. These cookies are required for the Platform to function and cannot be disabled.
| Name | Purpose | Duration | Type |
|---|---|---|---|
| access_token | JWT authentication token | 30 minutes | Local storage |
| refresh_token | Session renewal token | 7 days | Local storage |
11.2 Analytics
We use Umami, a privacy-focused, open-source analytics tool that is self-hosted on our EU infrastructure (Hetzner, Falkenstein, Germany). Umami does not use cookies, does not collect personal data, and does not track users across websites. All analytics data is anonymised and aggregated. No data is shared with third parties.
11.3 No Third-Party Advertising
We do not use advertising cookies. We do not display third-party advertisements on the Platform. We do not share your data with advertising networks or data brokers.
12. Your Application Data and End-User Data
12.1 Your Role as Data Controller
When you use Orkestr to host applications that process personal data of your own end users, you act as the data controller for that data. We act as the data processor, processing such data solely on your instructions and for the purpose of providing the Service.
12.2 Data Processing Agreement
A Data Processing Agreement ("DPA") is available for users on paid plans and will be provided as a standard addendum to the Terms of Service. If you require a DPA, please contact legal@orkestr.eu.
12.3 Your Responsibilities
As the data controller for your end-user data, you are responsible for: ensuring a lawful basis for processing; providing appropriate privacy notices to your end users; responding to data subject requests concerning your end users' data; and conducting data protection impact assessments where required.
13. Children's Privacy
The Service is not directed at children under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete that data promptly. If you believe a child has provided us with personal data, please contact us at privacy@orkestr.eu.
14. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will: (a) notify the competent supervisory authority (ANSPDCP) within 72 hours of becoming aware of the breach, as required by Article 33 GDPR; (b) notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms; and (c) document the breach, its effects, and the remedial actions taken.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Platform with a revised effective date, sending an email to the address associated with your account, and displaying a prominent notice on the Platform dashboard. We will provide at least 14 days' notice before material changes take effect.
16. Contact Us
If you have questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle your data, please contact us:
Data Controller: WhiteCloud Project S.R.L.
Email: privacy@orkestr.eu
General: legal@orkestr.eu
Web: https://orkestr.eu
For complaints or enquiries to the Romanian supervisory authority:
Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP)
Blvd. G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest, Romania
www.dataprotection.ro