Privacy Policy
Effective Date: March 1, 2026 · Last Updated: March 1, 2026
1. Introduction
This Privacy Policy explains how Cynsta Technologies s.r.o. (“Cynsta”, “we”, “us”, “our”) collects, uses, stores, and protects your personal data when you use the Dock0 platform, including the website at https://app.dock0.dev, the Dock0 CLI, the MCP proxy service, and all related APIs (collectively, the “Service”).
We are committed to protecting your privacy in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”) and Czech Act No. 110/2019 Coll. on Personal Data Processing.
2. Data Controller
The data controller responsible for your personal data is:
Cynsta Technologies s.r.o.
Registered office: Rybná 716/24, Staré Město, 110 00 Prague, Czech Republic
Company registration number (IČO): 23298766
Email: privacy@dock0.dev
3. What Data We Collect
3.1. Account Data
When you create an account, we collect:
- Email address
- Display name / username
- Authentication credentials (managed via GitHub OAuth or email-based auth)
- Profile information you choose to provide
3.2. Billing and Payment Data
When you make payments or receive payouts:
- Stripe customer ID and payment method metadata (we do not store full card numbers)
- Wallet transaction history (top-ups, call charges, refunds)
- Subscription plan and billing cycle
- Stripe Connect account information for Creator payouts (managed by Stripe)
- Payout history and earnings records
3.3. Deployment Data
When you create or manage Deployments:
- Deployment configuration (name, slug, pricing settings, environment variables)
- Source code repository reference (GitHub repo URL, branch)
- External origin URL (for Connect mode)
- Build logs and deployment status
3.4. Usage Data
When you use the Service:
- API call logs (deployment ID, API key ID, timestamp, latency, status, tool name)
- Rate limit and throttle metrics
- Dashboard activity and feature usage
- CLI command usage (no command arguments or secrets are transmitted)
3.5. Technical Data
Automatically collected during your use of the Service:
- IP address
- Browser type and version
- Operating system
- Device information
- Referral URL
- Pages visited and time spent
- Cookies and similar technologies (see Section 9)
3.6. Communication Data
When you contact us:
- Email correspondence
- Support ticket content
4. How We Use Your Data
We process your personal data for the following purposes and legal bases:
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Provide and operate the Service | Performance of contract (Art. 6(1)(b)) |
| Process payments, wallet transactions, and payouts | Performance of contract (Art. 6(1)(b)) |
| Authenticate your identity and secure your account | Performance of contract (Art. 6(1)(b)) |
| Send transactional emails (receipts, alerts, status updates) | Performance of contract (Art. 6(1)(b)) |
| Monitor service performance and prevent abuse | Legitimate interest (Art. 6(1)(f)) |
| Detect and prevent fraud | Legitimate interest (Art. 6(1)(f)) |
| Enforce our Terms and Conditions | Legitimate interest (Art. 6(1)(f)) |
| Analyze usage to improve the Service | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal obligations (tax, AML, regulatory) | Legal obligation (Art. 6(1)(c)) |
| Send marketing communications | Consent (Art. 6(1)(a)) — opt-in only |
5. Who We Share Data With
We share personal data only with the following categories of recipients, and only to the extent necessary:
5.1. Payment Processors
Stripe, Inc. / Stripe Technology Europe Limited — processes all payments, wallet transactions, and Creator payouts. Stripe is an independent data controller for payment data processed through its platform. See Stripe’s Privacy Policy.
5.2. Infrastructure Providers
| Provider | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Supabase, Inc. | Database hosting (Postgres) | United States | Standard Contractual Clauses (DPA) |
| Fly.io, Inc. | Application and deployment hosting | United States / Global | GDPR DPA |
| Upstash, Inc. | Redis cache and queue | United States | Standard Contractual Clauses |
| Cloudflare, Inc. | DNS and CDN | Global | EU-US Data Privacy Framework |
| GitHub, Inc. | Source code repository integration | United States | EU-US Data Privacy Framework |
5.3. Analytics
We may use privacy-respecting analytics tools to understand how the Service is used. We do not use Google Analytics or any tool that transfers personal data to third parties for advertising purposes.
5.4. Legal and Regulatory
We may disclose personal data if required by law, regulation, legal process, or governmental request, or to protect our rights, property, or safety, or the rights, property, or safety of others.
5.5. Business Transfers
In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity. We will notify you of any such transfer and any changes to this Privacy Policy.
We do not sell your personal data. We do not share your personal data with advertisers.
6. International Data Transfers
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States.
For each transfer, we ensure appropriate safeguards are in place:
- EU-US Data Privacy Framework (DPF): Where the recipient is certified under the EU-US DPF (e.g., Stripe, Cloudflare, GitHub), the transfer is covered by the European Commission’s adequacy decision of July 10, 2023.
- Standard Contractual Clauses (SCCs): Where the recipient is not DPF-certified (e.g., Supabase, Upstash), we rely on the 2021 EU Standard Contractual Clauses (Commission Decision 2021/914), supplemented by a Transfer Impact Assessment.
- Data Processing Agreements: We have executed Data Processing Agreements with all processors, as required by GDPR Article 28.
You may request a copy of the relevant transfer safeguards by contacting privacy@dock0.dev.
7. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, or as required by law.
| Data Category | Retention Period |
|---|---|
| Account data | Duration of account + 30 days after deletion |
| Billing and payment records | 10 years (Czech tax and accounting law) |
| API call logs / invocation records | 2 years |
| Build logs | 90 days |
| Support correspondence | 3 years |
| Marketing consent records | Duration of consent + 3 years |
After the retention period, data is securely deleted or anonymized.
8. Your Rights (GDPR)
Under the GDPR, you have the following rights:
8.1. Right of Access (Art. 15)
You have the right to request a copy of the personal data we hold about you.
8.2. Right to Rectification (Art. 16)
You have the right to request correction of inaccurate personal data.
8.3. Right to Erasure (Art. 17)
You have the right to request deletion of your personal data, subject to legal retention obligations.
8.4. Right to Restriction (Art. 18)
You have the right to request restriction of processing in certain circumstances.
8.5. Right to Data Portability (Art. 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format.
8.6. Right to Object (Art. 21)
You have the right to object to processing based on legitimate interest. For direct marketing, you can object at any time.
8.7. Right to Withdraw Consent (Art. 7(3))
Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
8.8. Right to Lodge a Complaint
You have the right to lodge a complaint with the Czech supervisory authority:
Office for Personal Data Protection (Úřad pro ochranu osobních údajů)
Pplk. Sochora 27
170 00 Prague 7
Czech Republic
Website: https://uoou.gov.cz
Email: posta@uoou.gov.cz
How to Exercise Your Rights
Send your request to privacy@dock0.dev. We will respond within 30 days. We may request identity verification before fulfilling your request.
9. Cookies and Similar Technologies
9.1. What We Use
| Cookie / Technology | Purpose | Type | Duration |
|---|---|---|---|
| Session cookie | Authentication, maintain login state | Strictly necessary | Session |
| Supabase auth token | User authentication | Strictly necessary | 7 days |
| Theme preference | Remember light/dark mode | Functional | 1 year |
| Analytics (if enabled) | Usage statistics | Performance | See provider policy |
9.2. Strictly Necessary Cookies
These are required for the Service to function and cannot be disabled. They include authentication tokens and security cookies.
9.3. Optional Cookies
We will request your consent before placing any non-essential cookies. You can manage your cookie preferences at any time through the cookie settings on our website.
9.4. How to Control Cookies
You can control cookies through your browser settings. Note that disabling strictly necessary cookies may prevent you from using the Service.
10. Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption in transit (TLS/HTTPS for all connections)
- Encryption at rest for database storage
- Access controls and role-based permissions
- Regular security reviews
- Secure authentication (OAuth, token-based auth)
- API key hashing (plaintext keys are never stored)
No system is completely secure. If we become aware of a data breach that poses a risk to your rights, we will notify the supervisory authority within 72 hours and notify affected individuals without undue delay, as required by GDPR Articles 33 and 34.
11. Children’s Privacy
The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a person under 18, we will take steps to delete it promptly. If you believe a minor has provided us with personal data, please contact privacy@dock0.dev.
12. Third-Party Links and Services
The Service may contain links to third-party websites or integrate with third-party services (GitHub, Stripe). We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or dashboard notification at least 30 days before they take effect. The “Last Updated” date at the top of this page indicates when the latest changes were made.
14. Contact
For questions, requests, or complaints regarding this Privacy Policy or our data practices:
Cynsta Technologies s.r.o.
Rybná 716/24, Staré Město
110 00 Prague, Czech Republic
Email: privacy@dock0.dev
This Privacy Policy was last updated on March 1, 2026.