Privacy Policy
Responsible Party
Purpose Solutions UG (haftungsbeschränkt)
Mommsenstr. 72
50935 Köln
Germany
Privacy contact:
[email protected]
Data We Process
1. Website delivery and security logs
Data: IP address, user agent, request path, timestamp, referrer
Purpose: Site delivery through our reverse-proxy/CDN layer, abuse prevention, rate limiting, and incident investigation
Legal basis: GDPR Art. 6 para. 1 lit. f (legitimate interest)
Retention: Limited to what is needed for operations and security investigations
2. Accounts and authentication
Data: Email address, password hash, session metadata (IP, user agent), login timestamps
Purpose: Account access, session management, and account security
Legal basis: GDPR Art. 6 para. 1 lit. b (contract) and lit. f (security)
Retention: While the account is active and as required for security/legal defense
3. Run execution, configuration, and deploy operations
Data: Ship metadata (org/repo/domain), execution logs, run/deployment status
Purpose: Creating and operating your repositories, runs, and deployments
Legal basis: GDPR Art. 6 para. 1 lit. b (contract)
Retention: While required to operate the service and support incidents
4. Payments and billing workflows
Data: Tier, provider transaction/order IDs, status, totals, tax values, customer name/email when returned by provider
Purpose: Checkout creation, payment confirmation, refunds, and accounting documentation
Legal basis: GDPR Art. 6 para. 1 lit. b and lit. c
Retention: Up to 10 years where required by tax and commercial law
5. Landing page waitlist signups (processor role)
Data: Visitor email address, submission timestamp, IP address (for rate limiting)
Purpose: Storing waitlist signups on behalf of the ship owner (data controller) who created the landing page
Legal basis: GDPR Art. 6 para. 1 lit. b (contract with the ship owner) and Art. 28 (processing on behalf of a controller)
Retention: While the ship exists; deleted when the ship owner deletes their ship or account
Controller: The ship owner is the data controller for waitlist data. Omaship processes this data under the terms of our Data Processing Agreement.
6. Waitlist and template onboarding
Data: Email, confirmation token state, optional explanation text, GitHub profile fields when linked
Purpose: Access control for template onboarding and optional follow-up communication
Legal basis: GDPR Art. 6 para. 1 lit. b and lit. a (where consent-based follow-up applies)
Retention: Until deletion request or when no longer needed for onboarding/support
7. API tokens and security telemetry
Data: API token name, scopes, expiry, token digest, auth failure/scope denial metadata (request path/method, IP)
Purpose: CLI access control, abuse detection, and security auditing
Legal basis: GDPR Art. 6 para. 1 lit. f (service security)
Retention: While required for security and abuse investigation
8. Product analytics (consent-based)
Data: Product events (landing/login funnel and onboarding usage), pseudonymous distinct IDs, event properties
Purpose: Improve onboarding, UX quality, and product decisions
Legal basis: GDPR Art. 6 para. 1 lit. a and TDDDG Sec. 25 para. 1
Retention: Based on analytics retention settings and deletion requests
9. Session recordings (separate consent)
Data: Clicks, scrolling, mouse movements, page interactions, form inputs (passwords and emails are automatically masked)
Purpose: Identify usability issues and improve the user experience
Legal basis: GDPR Art. 6 para. 1 lit. a (explicit consent)
Control: You can enable or disable session recordings separately in the Cookie settings
Retention: Based on analytics retention settings and deletion requests
Recipients and Processors
Cloudflare
Purpose: Reverse proxy, CDN delivery, and edge network security for public Omaship hostnames
Data shared: IP address, request metadata, hostname, browser/TLS metadata, and related security/performance telemetry needed to deliver and protect the service
Paddle (Merchant of Record)
Purpose: Hosted checkout, payment processing, taxes, invoicing, refunds
Data shared: Transaction/customer details required to process and document payments
GitHub
Purpose: OAuth onboarding and repository/run/deployment operations
Data shared: Account identifiers and repository metadata required for app operation
Resend
Purpose: Transactional and onboarding emails
Data shared: Email addresses and delivery metadata
Calendly (optional embed)
Purpose: Optional booking widget on Book a call
Data shared: Data you enter in the Calendly widget and related technical metadata
PostHog (EU endpoint by default)
Purpose: Consented product analytics and security telemetry
Data shared: Event metadata, pseudonymous IDs, and security event context for abuse detection
Region: Configured to EU endpoint by default (eu.i.posthog.com)
Google Fonts
Purpose: Web font delivery
Data shared: Browser/connection metadata needed to deliver font files
International Transfers
Some providers may process data outside the EU/EEA. Where relevant, we rely on adequacy decisions or safeguards such as Standard Contractual Clauses.
Consent Management
You can accept or decline analytics in the cookie banner. You can withdraw or change this decision at any time via the Cookie settings page.
Declining analytics does not block core product functionality.
Your Rights
Under GDPR, you have the right to:
- Access your stored personal data
- Request correction of inaccurate data
- Request deletion where legal prerequisites are met
- Request restriction of processing
- Receive your data in a machine-readable format
- Object to processing based on legitimate interest
- Withdraw consent at any time for future processing
You can also lodge a complaint with a supervisory authority.
Supervisory Authority (NRW)
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Postfach 20 04 44, 40102 Düsseldorf, Germany
[email protected]
Privacy Requests
Send requests to [email protected].
Last updated: March 7, 2026