Privacy · In Practice
Privacy
What we collect, what we don’t, and the precise lines we have built the product so that we cannot cross.
Most privacy notices read like a confession dressed as a disclosure. This one is set up the other way around: we begin with what we have built the product so that we cannot see, and only then describe what we hold.
The defining facts are these:
- Backup contents do not pass through us. They flow from your agent to the storage destination you nominate, encrypted on the host before they leave it. Our infrastructure is not on the data path.
- We cannot read your backups with our infrastructure alone. Each backup is encrypted to your organisation’s `age` public key. Decryption requires your organisation’s private key, which we hold only in an envelope-encrypted form that requires our master key (kept in a SOPS-encrypted env file, decrypted at deploy time) to unwrap. The unwrap path is logged in an append-only audit table and is taken only for operations that you initiated. Be clear about the shape of this guarantee: because we also hold your storage credentials (envelope-encrypted, as described below), what stands between our operators and your plaintext is the audited unwrap path and the absence of any code that takes it unprompted, not a cryptographic impossibility; the audit log is where you verify that the path has not been taken.
- You can leave with your data and your keys. You can download a recovery copy of your organisation’s private key in standard `age` format, at any time, and decrypt your backups using off-the-shelf tools, with no dbcrate software anywhere in the chain.
Everything below is consistent with those facts. If you find a clause that contradicts one of them, that is a defect; write to us and we will fix it.
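The exit path above, worked through as an added example (this is not dbcrate’s code and it assumes nothing about the product beyond what this notice states): a backup object pulled from your own bucket is first checked against the SHA-256 of the ciphertext that the control plane keeps as backup metadata, and only then decrypted with the stock `age` command-line tool and the recovery copy of your organisation’s private key. The file names `backup.age` and `org-key.txt` are placeholders chosen for the example, not names the service uses.

```shell
#!/bin/sh
# Added example, not dbcrate's code. Verifies a downloaded backup against the
# SHA-256 the control plane recorded for its ciphertext, then decrypts it with
# the off-the-shelf `age` CLI and the organisation's recovery identity file.
# Assumed names (not from the notice): backup.age, org-key.txt; the expected
# digest is the hex SHA-256 shown in the backup's metadata row.

# Hex SHA-256 of a file, using whichever digest tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Succeed (exit 0) only if the file's SHA-256 equals the expected digest;
# the comparison is case-insensitive on the hex. A mismatch means the object
# in the bucket is not the ciphertext the agent reported, so it must not be
# handed to age.
verify_ciphertext() {
  file="$1"
  expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  actual=$(sha256_of "$file")
  [ "$actual" = "$expected" ]
}

# Decrypt with the standard age CLI; no dbcrate software is involved.
# Usage: decrypt_backup backup.age org-key.txt <expected-sha256> dump.sql
decrypt_backup() {
  if ! verify_ciphertext "$1" "$3"; then
    echo "ciphertext hash mismatch: refusing to decrypt $1" >&2
    return 1
  fi
  age --decrypt -i "$2" -o "$4" "$1"
}
```

The hash check is the part that matters when the control plane is unavailable or you no longer trust it: the digest in the metadata row was recorded by your own agent at backup time, so a mismatch tells you the object was altered or replaced in storage before you ever decrypt it.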
This notice applies to information collected when you visit dbcrate.com, when you use the dbcrate dashboard, when one of your agents talks to our control plane, and when you correspond with us by email or otherwise. It does not cover third-party sites that we link to, or the inside of your own storage bucket.
For privacy purposes:
- We are the controller of information about you as a user of the website and dashboard (your account, your contact details, your billing data).
- We are a processor of the configuration and metadata you put into the dashboard about your own systems — we process it on your instructions, to provide the service.
If you are an end user of one of our customers (a colleague at a company that uses dbcrate) and you are looking for information about how your employer handles your data, you want their privacy notice, not ours.
We collect a small number of categories of information, each for a stated purpose. We do not collect things we do not use.
Account and contact information. Your name, email address, password hash, organisation name, and any team-membership relationships you create in the dashboard. We use it to authenticate you, to send you transactional email about the service (a backup failed, a renewal is upcoming, a security event affects you), and, if you opt in, occasional product email. Legal basis where you are in a jurisdiction that asks for one: performance of our contract with you (the Terms above), and consent for non-transactional marketing.
Billing information. When billing is enabled, we collect your billing address, indirect-tax identifiers, and a tokenised reference to the payment instrument you provided to our payments processor (Stripe). We do not hold your full card number. Stripe holds the payment-method record; we hold a reference and a record of the charges and refunds against your account. Legal basis: performance of contract; meeting our tax and accounting obligations.
Configuration you give us about your systems. Database connection details (host, port, database name, username, and a password that we store envelope-encrypted at rest), storage destination details (endpoint, bucket name, key prefix, credentials envelope-encrypted at rest), schedules, retention rules, and alert routing. We use this to operate the service on your instructions. Legal basis: performance of contract.
Backup metadata, not backup contents. For each backup the agent reports completing, we keep: the database it came from, the agent that produced it, the start and end timestamps, the encrypted size, the SHA-256 of the ciphertext, the storage key it landed at, and the success/failure outcome. We do not keep, and the protocol does not transmit, anything about the contents of the backup — not row counts, not schema names, not table names. Legal basis: performance of contract.
Agent telemetry. Heartbeats (one every 30 seconds), agent version, operating system family and architecture, and the structured error events that occur when something goes wrong. The heartbeat and error payloads do not include backup data, database contents, or unredacted credentials. We use telemetry to operate the service and to know when an agent has gone quiet. Legal basis: performance of contract; our legitimate interest in keeping the service running.
Audit log. Every consequential action against the control plane — logins, configuration changes, credential decryption events, restore initiations, retention deletions, agent enrollments and revocations — is recorded in an append-only audit table, with the actor, the action, and structured details (sensitive fields redacted on write). We keep this for a rolling 24 months, longer where law or the service’s own integrity requires it. Legal basis: performance of contract; our legitimate interest in detecting and investigating abuse; legal obligation where one applies.
Logs and operational data. Web-server and application logs that record requests to our APIs: source IP, timestamp, request path, response status, request ID, user-agent. They do not contain request or response bodies. We use them for debugging, abuse prevention, and capacity planning. Logs are retained for 90 days, then deleted.
Communications. When you write to us, we keep the message and our reply. We use it to help you and to remember the conversation.
Cookies on the marketing site. The public marketing site at dbcrate.com does not set advertising cookies and does not embed third-party analytics scripts. The dashboard sets a session cookie when you sign in, and a CSRF cookie to defend forms against cross-site request forgery. That is the entire cookie story. If we ever add product analytics, we will say so here, name the provider, and let you opt out.
Some absences are worth stating in writing:
- We do not see the contents of your databases. They never leave the agent host in plaintext.
- We do not store decrypted backup files. The control plane has no path that writes plaintext backup bytes to disk; the architecture forbids it. There is one narrow exception in the future verified-restore flow, where, only when you ask us to, an ephemeral verifier host downloads the backup, decrypts it inside that machine’s memory, restores it into a clean Postgres on that machine, runs your validation queries, records the result, and tears the host down. The bytes are not durable, are not copied anywhere else, and are not seen by a human.
- We do not embed third-party advertising, retargeting, or behavioural-analytics scripts on the marketing site or the dashboard.
- We do not sell your data, your usage information, or your metadata to anyone, ever. We did not put the words “we do not sell your data” in this document to deflect attention. We mean it as the literal fact about how we run the company.
We use a small number of third-party providers to run the service. Each one handles a specific category of information, under a contract that requires them to treat it as confidential and to process it only as instructed.
| Provider | What they do for us | What they see |
|---|---|---|
| Hetzner Online GmbH | Hosting for the control plane and its database. Servers physically located in the EU. | Encrypted data at rest, traffic to the control plane, operational logs. |
| Cloudflare, Inc. | DNS, edge TLS termination, basic DDoS protection for the marketing site and dashboard. | Request metadata (IP, path, status). Backup ciphertext does not pass through Cloudflare. |
| Stripe, Inc. | Payments processing, when billing is enabled. | Your billing address, tax identifiers, and payment-method record. |
| Transactional email provider | Delivery of account email (verification, password reset, alerts, receipts). | Your email address and the contents of the email. |
| Error-tracking provider | Aggregating and triaging application errors from the control plane. | Stack traces and structured error metadata. Credentials and backup data are redacted at the source. |
We will revise this table when the list changes, and we will give meaningful notice (in this notice, in the dashboard, and by email where appropriate) before adding a new sub-processor that materially changes what we share. If you would like a contractual right to advance notice and an objection right (as a data-processing addendum), write to us and we will provide one.
Beyond the providers above, we may disclose information when a law we are subject to compels it (a court order, a binding regulator request), when it is necessary to protect the safety of a person or the security of the service, or to a successor in a merger, acquisition, or sale of substantially all our assets — in which case the successor takes on the obligations of this notice. We do not disclose information for any other reason.
The control plane and its database are hosted in the European Union. Backup ciphertext lives wherever your storage destination lives, which is your choice. We may use providers (such as Stripe for payments) that are headquartered in the United States or transmit limited information to other jurisdictions; where the law requires a transfer mechanism for personal data leaving the EEA or the UK, we use the relevant standard contractual clauses or successor frameworks.
If you are subject to a regional data-residency requirement (a regulator that requires data to stay in-country), tell us in writing before signing up; we will tell you honestly whether we can meet it.
In broad terms, we keep your information for as long as you have an account, and for a limited period afterwards.
- Account, contact, configuration: for the life of the account; deleted within 30 days of account closure, except where retained for tax or legal reasons.
- Billing records: retained for the period required by tax law in the jurisdiction we operate from (typically 7 years).
- Backup metadata: for the life of the corresponding backup; we mark a backup deleted when retention removes the underlying file, and keep the metadata row (without credentials) for audit purposes for a further 12 months.
- Audit log: rolling 24 months, longer where compelled.
- Web-server logs: 90 days.
- Email correspondence: until we both agree it is no longer useful, or 5 years, whichever is shorter.
When information is deleted, it is deleted from production; backups of our own systems are overwritten on their own retention cycle, which does not exceed 90 days.
Where the law of your jurisdiction grants you rights over information we hold about you — including, in the EEA and the UK, under the GDPR; in California, under the CCPA; and in similar frameworks elsewhere — we will honour them. Specifically:
- Access. A copy of the personal information we hold about you, in a portable format.
- Correction. We will correct information that is wrong.
- Deletion. Subject to obligations we cannot avoid (tax records, the active part of an audit log, a legal hold), we will delete it.
- Restriction and objection. You can ask us to stop processing for marketing purposes, or to limit processing while a complaint is open.
- Portability. We will export your configuration and metadata in a machine-readable format on request.
- Withdrawal of consent. Where we rely on consent (marketing email, the future product-analytics opt-in), you may withdraw it at any time, including by clicking the unsubscribe link in the email.
To exercise any of these, write to [email protected]. We will respond within 30 days, or sooner where the law requires. If you are not satisfied with our response, you have the right to complain to your local data-protection authority.
dbcrate is a tool for database operators. It is not directed at children, and we do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, write to [email protected] and we will delete it.
We will revise this notice as the service evolves — new sub-processors, new product features, new legal obligations. Material changes will appear here and be announced in the dashboard and by email at least 30 days before they take effect, except where a faster change is needed for legal or security reasons (in which case we will say so). The current effective date is at the top of this page; prior versions are kept in this site’s version control and can be produced on request.
Privacy questions, rights requests, and complaints: [email protected]. General correspondence: [email protected]. Security disclosures have their own address; see Security.