Privacy Policy
DollarBox is operated by UnicornOps Limited, Ireland.
What we collect
- Account data: email address, hashed password, first name, last name.
- Billing data: handled entirely by Stripe. We store your Stripe customer ID; we do not store card numbers.
- Session data: a server-side session cookie is set when you log in. It is strictly necessary. No analytics cookies.
- Access logs: IP addresses and user agents for security monitoring (retained for 30 days).
- Container metadata: names, images, status, IPv6 addresses of containers you deploy.
- Organization metadata: organization names, slugs, billing emails, and membership roles.
What we don't collect
No analytics. No tracking pixels. No fingerprinting. No marketing data. No third-party advertising.
Where your data lives
Our servers are hosted in the EU (Hetzner, Germany). Stripe processes payment data under their own privacy policy. Kubernetes resources are provisioned in the same EU data center.
Your rights (GDPR)
Right of Access (Article 15)
You have the right to request a copy of all personal data we hold about you. You can request this directly through your account settings at any time. We will compile your data and provide a secure download link via email within 30 days. Data is provided in JSON format and includes your account information, organizations, containers, volumes, and access logs.
Right to Rectification (Article 16)
You have the right to correct inaccurate personal data. Please email hello@dollarbox.dev with your correction request.
Right to Erasure (Article 17)
You have the right to request deletion of your personal data. You can initiate this through your account settings. Upon confirmation:
- Your email address is immediately anonymized (replaced with a non-identifiable placeholder)
- All other personal data (containers, volumes, organizations, access logs) is permanently deleted within 30 days
- Your Stripe customer record is deleted (best effort)
Automated Decision Making
We do not use automated decision making or profiling based on your personal data.
Data retention
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Account data | While account is active + 30 days after deletion request | Contract (Terms of Service) |
| Email address | Anonymized immediately upon deletion request | GDPR Article 17 |
| Access logs | 30 days | Legitimate interest (security) |
| Closed organizations | 30 days after closure | GDPR Article 17 |
| Billing records | 7 years | Irish tax law (Legal obligation) |
| Container metadata | Deleted with container or account | Contract |
Note: Billing records cannot be deleted sooner than 7 years due to tax compliance requirements. This data is retained by Stripe and our billing system separately from your account.
Security measures
- All data is encrypted at rest and in transit
- Access is controlled via role-based access control (RBAC)
- IP addresses in audit logs are pseudonymized
- We maintain records of all data processing activities (Article 30)
- Regular security audits and vulnerability scanning
International data transfers
- Our infrastructure is hosted in the EU (Hetzner, Germany)
- Stripe (US-based) processes payment data under Standard Contractual Clauses (SCCs)
- No other third-party data processors are used
Contact
For privacy questions or to exercise your rights:
- Email: hello@dollarbox.dev
- Data Protection Officer: dpo@dollarbox.dev
Changes
This policy was last updated on 2026-06-19 to reflect our GDPR compliance implementation.