Privacy Policy

Version: draft-2026-05-27

1. Data controller

The data controller for personal data processed in connection with Server Manager is Igor Cardines, Italian sole trader (libero professionista). Contact: igor.cardines@gmail.com.

As a sole trader, we do not have a formally designated Data Protection Officer (DPO); please direct all data-protection inquiries to the contact email above.

2. What personal data we collect

For a plain-English breakdown with examples, see the help article What Server Manager stores about you. The formal categories of data we process:

  • Account information: email address, name (if provided via Google OAuth), authentication provider used, account created date, role (user / admin).
  • Saved server profiles (opt-in): server alias, host/IP, port, username, and an encrypted credential blob (AES-256-GCM, key derived from a passphrase only you know via scrypt; we never see your passphrase or the plaintext credentials in storage).
  • Active session data: SSH credentials necessary to operate your session, held only in process memory while the session is open. Never written to disk. Discarded when the session ends.
  • Server connection records: IP/hostname you connect to plus claim timestamps. Used for the one-active-user-per-host check and free-tier abuse prevention.
  • Billing data: Stripe customer ID, optional saved-payment-method ID, pass start/end dates, cumulative LLM cost on the current pass, billing-address details you provide at checkout. Card numbers and similar sensitive data are handled by Stripe directly and never reach our servers.
  • Per-purchase consent records: timestamp, IP address, user-agent, version of these Terms and Privacy Policy accepted at each purchase. Required as the audit trail for the Art. 16(m) right-of-withdrawal waiver.
  • Usage logs: per-LLM-call token counts, model name, calculated cost in EUR, session ID. Does not include chat content.
  • Free-tier anti-abuse records: grant date and optional revocation date, plus list of VPS hosts observed under the grant (within a 90-day window).
  • File snapshots (Undo): command text, file paths, file contents (base64) for files Faro modifies; captured for the Undo feature, auto-deleted 30 days after capture.

3. Data we do NOT collect

  • SSH passwords or private keys in plaintext (in storage)
  • Your encryption passphrase (for saved server profiles)
  • Card numbers, CVVs, or expiry dates (Stripe handles these)
  • Persistent chat history past your session (chat is RAM-only by design)
  • IP address logs for analytics or fingerprinting (only captured per-purchase as a consent audit trail)
  • Analytics or marketing cookies (only the auth session cookie is used)

4. Lawful basis for processing

We process your personal data under the following GDPR Art. 6 bases:

  • Contract (Art. 6(1)(b)): account creation, authentication, processing your purchases, operating the agent against your server, billing, customer support.
  • Legitimate interests (Art. 6(1)(f)): abuse prevention (free-tier anti-fraud, rate-limiting), security monitoring, service stability. Where we rely on legitimate interests, we've assessed that our interests do not override your rights and freedoms.
  • Legal obligation (Art. 6(1)(c)): retention of invoicing records required by Italian tax law; responding to lawful requests from authorities.
  • Consent (Art. 6(1)(a)): the Art. 16(m) right-of-withdrawal waiver at purchase; saving a card for auto-refill.

5. Purposes of processing

  • Providing the service — running agent commands you approve against your server, rendering the UI, managing your sessions
  • Billing — processing payments via Stripe, generating receipts, tax compliance
  • Abuse prevention — detecting attempts to defeat the free-tier limit, suspending accounts in violation of acceptable use
  • Service operation — diagnosing errors, security monitoring, capacity planning (aggregate non-identifying metrics only)
  • Communications — authentication emails, service-critical notices (TOS changes, security issues), responses to your support requests

We do not use your data for advertising, marketing email lists, profiling for ad targeting, or sale to third parties.

6. Third-party processors (sub-processors)

We rely on the following sub-processors to operate Server Manager. Each has its own privacy policy and processes only the data necessary for the function described.

  • Stripe (Ireland EU entity for European customers; United States transfers covered by Standard Contractual Clauses): handles all payment processing. Receives your card details, billing address, payment-history data. We see only opaque IDs.
  • OpenAI (United States, SCCs): receives the content of your chat messages plus relevant server context (file contents Faro reads, command outputs) for the purpose of generating Faro's responses. Per OpenAI's API terms, your data is not used to train their models; they retain operational logs for up to 30 days.
  • Resend (United States, SCCs): sends transactional emails (authentication links, support replies).
  • Neon (EU region, PostgreSQL hosting): stores our database.
  • Application hosting provider: runs our application servers. Sees only the data necessary to handle requests in transit.

We add or change sub-processors only as needed for service operation. Material changes will be reflected in this policy with notice.

7. International data transfers

Some of our sub-processors (Stripe US ops, OpenAI, Resend) are located in the United States. These transfers are covered by Standard Contractual Clauses (SCCs) adopted by the European Commission, as a valid GDPR Chapter V transfer mechanism following the Schrems II ruling.

8. Retention periods

  • Chat content: in-memory only; lost when your session ends. No persistent storage.
  • Account record: for the lifetime of your account. On deletion: soft-deleted for 30 days, hard-deleted after.
  • Billing records and consent audit trail: retained for 10 years to comply with Italian tax law (conservazione delle scritture contabili), in minimized form (transaction date, amount, invoice ID, accepted-TOS version).
  • Usage logs: retained for 12 months for abuse detection and aggregate reporting; deleted thereafter.
  • File snapshots (Undo): 30 days from capture, then auto-deleted by a scheduled job.
  • Free-tier abuse records (observed VPS hosts): 90 days from observation; used only for cross-account matching during this window.
  • Authentication tokens and session cookies: session-cookie lifetime, typically 30 days unless you sign out earlier.

9. Your GDPR rights

As an EU data subject, you have the rights described in GDPR Chapter III. For the practical "how to exercise each one" version, see the help article Your GDPR rights & data export. In summary:

  • Right of access (Art. 15) — receive a copy of your data
  • Right of rectification (Art. 16) — correct inaccurate data
  • Right of erasure (Art. 17) — delete your data; one-click via the Account page
  • Right to data portability (Art. 20) — receive your data in a machine-readable format
  • Right to object (Art. 21) — to processing based on legitimate interests
  • Right of restriction (Art. 18) — pause processing during dispute review

You also have the right to lodge a complaint with a supervisory authority. The lead authority for Server Manager is the Italian Garante per la protezione dei dati personali; you may also contact your national data protection authority.

To exercise any of these rights, email igor.cardines@gmail.com from the email address registered to your account. We respond within 30 days as required by GDPR.

10. Cookies

We use only essential cookies — specifically the authentication session cookie that keeps you logged in. We do not set analytics cookies, advertising cookies, social-media tracking pixels, or third-party trackers. No cookie banner is required under EU/Italian guidance because no consent-requiring cookies are used.

11. Minimum age

Server Manager is a paid service requiring a binding contract and is not directed at minors. You must be at least 18 years old to create an account. If we become aware that we have collected personal data from someone under 18, we will delete it promptly.

12. Security

We apply appropriate technical and organizational measures to protect your data, including:

  • TLS encryption for all data in transit
  • Encryption at rest of saved-server credentials using AES-256-GCM with passphrase-derived keys (scrypt KDF)
  • SSH credentials held only in process memory for active sessions; never written to persistent storage
  • Card details handled by Stripe under PCI DSS Level 1 certification; we never see them
  • Minimum-necessary access control on internal systems
  • Regular dependency-update review for known vulnerabilities

No system is perfectly secure. In the event of a personal-data breach that is likely to result in risk to your rights and freedoms, we will notify the Garante within 72 hours and the affected users without undue delay, as required by GDPR Art. 33 and 34.

13. Changes to this policy

We may update this policy as our practices change. Material changes (new sub-processors, expanded data collection, new purposes) will be announced with at least 30 days' notice via email and an in-app banner. The version stamp at the top of this page reflects the current revision.

Contact

Privacy and data-protection inquiries: igor.cardines@gmail.com. Postal correspondence (if needed for formal requests) on request.