Privacy Policy
Last updated: May 9, 2026
1. Introduction
This Privacy Policy explains how BinDist ("we", "us", "our") collects, uses, and protects your personal data when you use the hosted BinDist service ("the Service").
This policy applies only to the hosted Service operated by BinDist. If you deploy BinDist on your own infrastructure under the open-source license, you are the data controller for that deployment and this policy does not apply; you are responsible for your own privacy practices.
Data Controller: BinDist Netherlands KVK: [KVK number — pending registration] Email: privacy at bindist.eu
2. Data We Collect
2.1 Account Information
- Tenant/company name
- Email address
- API keys (stored as SHA-256 hashes only - we never store plaintext keys)
2.2 Application Data
- Application names and descriptions
- Version information and release notes
- Uploaded binary files and their metadata (file size, checksums)
2.3 Activity Logs
We automatically collect the following when you use our API:
- Timestamp of requests
- IP address
- User agent (browser/client information)
- Application and version accessed
- Customer ID
Activity logs are retained for 90 days and automatically deleted after this period.
2.4 Payment Information
Payment card details are processed by our payment provider Adyen and are never stored on our servers. We only receive confirmation of payment status and a secure token for recurring billing.
3. How We Use Your Data
We process your data for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing the Service | Contract performance |
| Account authentication | Contract performance |
| Activity logging for security and debugging | Legitimate interest |
| Fraud prevention | Legitimate interest |
| Payment processing | Contract performance |
| Service communications | Contract performance |
4. Data Storage & Security
4.1 Location
All data is stored in Scaleway fr-par (Paris, France), within the European Economic Area (EEA).
4.2 Security Measures
- Encryption in transit: All API and website traffic uses HTTPS/TLS encryption
- Encryption at rest: Application data, backups, and database contents are encrypted at rest by the underlying Scaleway services (see Scaleway's security documentation for details)
- API key security: Keys are hashed with SHA-256 before storage
- File integrity: SHA-256 checksums for all uploaded files
- Tenant isolation: Separate database schemas/tables and storage buckets per tenant
- Public access: Application data and backup buckets are private; only the marketing/documentation website bucket is publicly readable
4.3 Backups
- Weekly backups of tenant data are retained for up to 365 days; backups older than 90 days are moved to cold storage (Glacier) before deletion at 365 days.
- After account cancellation: Tenant data and backups are retained for 14 days, then permanently deleted together with the tenant's infrastructure.
5. Cookies & Local Storage
BinDist uses minimal client-side storage:
| Storage Type | Purpose | Duration |
|---|---|---|
| sessionStorage | API key for current session | Until tab closed |
| localStorage | Theme preference (light/dark) | Persistent |
We do not use:
- Analytics or tracking cookies
- Advertising or marketing cookies
- Social media tracking pixels
- Third-party cookies for profiling
The only third-party script is the Adyen payment SDK (on signup page only), which may set strictly necessary cookies for fraud prevention.
No cookie consent banner is required as all storage is strictly necessary for the service to function (ePrivacy Directive).
6. Third-Party Services
We use the following third-party services (sub-processors) that may process your data:
| Service | Purpose | Location | Privacy Policy |
|---|---|---|---|
| Scaleway SAS | Infrastructure hosting: serverless functions, PostgreSQL, object storage, CDN, messaging, and transactional email | France (EU) | Scaleway Privacy |
| Adyen N.V. | Payment processing and card tokenisation | Netherlands (EU) | Adyen Privacy |
No data is transferred outside the EU/EEA.
7. Data Retention
We apply different retention periods depending on the type of data and the stage of your account.
7.1 While your account is active
| Data Type | Retention | Deletion mechanism |
|---|---|---|
| Account information (tenant name, admin email, hashed API keys) | For as long as your account exists | See §7.2 for what happens after cancellation |
| Application metadata and uploaded binaries | Until you delete them | Deleted immediately on your request; anything remaining is deleted after cancellation (§7.2) |
| Activity logs (download/upload records, IP, user agent, timestamp) | 90 days | Automatic TTL |
| Audit events (security, admin, and payment events for your tenant) | 730 days (2 years) | Automatic TTL |
| Backups | Up to 365 days (moved to cold storage after 90 days) | Automatic lifecycle policy on backup bucket — see also §4.3 |
7.2 After you cancel your subscription
| Period | What happens |
|---|---|
| Day 0 – Day 14 | Your tenant is archived. Application data, database, backups, and audit events remain available so you can reactivate or request an export. |
| Day 14 | Your tenant is permanently destroyed. Per-tenant database tables, application data, and backup buckets are deleted. |
| Day 14 – Day 180 | Minimal contact information (admin email, display name, billing reference) is retained as a skeleton record under legitimate interest (GDPR Art. 6(1)(f)), for dunning, debt recovery, and short-term follow-up. |
| Day 180 onwards | Contact information is scrubbed. A non-identifying tombstone (tenant ID, status, lifecycle dates) remains for audit continuity. |
You may object to the Day 14 – Day 180 retention at any time under GDPR Art. 21; we will weigh your objection against our legitimate interest.
7.3 Data retained for legal reasons
Where Dutch fiscal and accounting law requires us to keep records for longer (Article 52 of the Algemene wet inzake rijksbelastingen), we retain only the minimum financial and administrative information needed — typically 7 years. This obligation does not extend to your application data.
Legal basis: legal obligation (GDPR Art. 6(1)(c)).
7.4 Sub-processor retention
Payment card tokens and transaction records are held by our payment provider Adyen under Adyen's retention policy. We do not control the retention of data held by Adyen.
8. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the right to:
- Access your personal data (available via API and website dashboard)
- Rectification of inaccurate data (via account settings)
- Erasure ("right to be forgotten") - request account deletion
- Data portability - export your data using our backup feature
- Restriction of processing - contact us
- Object to processing - contact us
- Withdraw consent - where processing is based on consent
To exercise these rights, contact us at privacy at bindist.eu.
9. Automated Decision-Making
We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects (GDPR Article 22).
The Service performs one automated comparison: when a new application version is uploaded, the uploader's IP address is compared to the previous upload's IP address. If they differ, an informational email is sent to the tenant admin. This feature ("IP Change Alerts") is opt-in, can be toggled at any time from the account settings, and is purely a notification — it does not restrict, block, or otherwise affect access.
10. Children's Data
BinDist is not intended for users under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe we have collected data from a child under 16, please contact us immediately.
11. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the Dutch Data Protection Authority within 72 hours
- Notify affected users without undue delay if the breach poses a high risk
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by:
- Email notification to account holders
- Notice on our website
Continued use of the Service after changes constitutes acceptance of the updated policy.
13. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority. For BinDist, this is:
Dutch Data Protection Authority (Autoriteit Persoonsgegevens) Website: https://autoriteitpersoonsgegevens.nl
You may also contact the data protection authority in your country of residence.
14. Contact Us
For privacy-related questions or to exercise your rights:
Email: privacy at bindist.eu