Privacy Policy
Last updated: April 17, 2026
This Privacy Policy explains how DataBridge Tech ("DataBridge", "we", "us") collects, uses and protects personal data when you visit databridge.tech or use DataBridge Cloud ("the Service"). We are based in the Netherlands and process personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Dutch Implementation Act (UAVG).
1. Who We Are
Controller: DataBridge Tech, Netherlands. Contact: hi@databridge.tech
We have not appointed a Data Protection Officer (DPO), as we are not required to under Article 37 GDPR. For any privacy question, contact us at the email above.
2. What Data We Collect
We collect personal data in three distinct contexts:
2.1 Website visitor data
When you browse databridge.tech, we use Umami (hosted in the EU) for cookieless, privacy-preserving analytics. Umami collects aggregated information such as page URL, referrer, browser type, country (derived from IP but the IP itself is not stored) and screen resolution. This data does not identify individuals and is not combined with other identifiers.
2.2 Account and communication data
When you request early access, sign up, or contact us, we collect:
- Name
- Work email address
- Company / organization name
- Any information you choose to include in your message
- Authentication metadata (login timestamps, session identifiers) once an account is created
2.3 Customer event data
When you use DataBridge Cloud to ingest, validate, transform and deliver event data, that data may contain personal data relating to your end users (for example, a user_id, email, or IP address inside an event payload). For this category:
- You are the data controller and we act as your data processor under Article 28 GDPR.
- Our obligations are governed by the Data Processing Agreement (DPA) that accompanies the Service. If you need a DPA, email hi@databridge.tech.
3. Why We Process Your Data (Legal Bases)
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Providing the Service you signed up for | Performance of a contract (Art. 6(1)(b)) |
| Managing your account, billing and support | Performance of a contract (Art. 6(1)(b)) |
| Responding to your enquiries | Legitimate interests (Art. 6(1)(f)) - responding to you |
| Sending service announcements (e.g. incidents, breaking changes) | Legitimate interests (Art. 6(1)(f)) - keeping customers informed |
| Marketing emails (if any) | Consent (Art. 6(1)(a)) - opt-in only; you can unsubscribe anytime |
| Security, fraud prevention, abuse detection | Legitimate interests (Art. 6(1)(f)) - protecting the Service |
| Complying with legal obligations (tax, accounting) | Legal obligation (Art. 6(1)(c)) |
4. How Long We Keep Your Data
| Data Category | Retention Period |
|---|---|
| Customer event data (in-flight) | Buffered up to 12 hours; deleted immediately after successful delivery to all configured destinations. Events that fail delivery after 12 hours are discarded. |
| Aggregated website analytics (Umami) | Up to 12 months |
| Account data | Duration of the account; deleted or anonymised within 30 days of account closure, except where longer retention is required by law |
| Invoices and billing records | 7 years (Dutch tax law - Art. 52 Algemene wet inzake rijksbelastingen) |
| Support and email correspondence | Up to 24 months after last interaction |
| Security logs | Up to 12 months |
We do not retain customer event payloads beyond the 12-hour processing window. Our platform is designed to be a pipeline, not a store.
5. Sub-Processors
We engage the following sub-processors to provide the Service. All are located in the EU or EEA, or operate under transfer mechanisms approved by the European Commission.
| Sub-Processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Cloud infrastructure (compute, storage, networking) | Germany (EU) |
| Umami | Website analytics (cookieless) | EU |
| Stripe, Inc. (planned) | Payment processing | EU/US - covered by Standard Contractual Clauses once onboarded |
If we add or change a sub-processor, we will update this list and, where required, notify you in advance.
6. International Data Transfers
At this time, all customer event data is stored and processed within the EU. If we ever need to transfer personal data outside the EEA, we will rely on a valid transfer mechanism (Standard Contractual Clauses, adequacy decisions, or equivalent safeguards) and update this Policy accordingly.
7. Your Rights Under the GDPR
You have the following rights regarding your personal data:
- Access - request a copy of the personal data we hold about you
- Rectification - ask us to correct inaccurate or incomplete data
- Erasure - ask us to delete your data ("right to be forgotten"), subject to legal retention obligations
- Restriction - ask us to limit how we use your data
- Portability - receive your data in a structured, machine-readable format
- Object - object to processing based on legitimate interests or for direct marketing
- Withdraw consent - where processing is based on consent, withdraw it at any time
- Not be subject to automated decision-making - we do not make any decisions about you solely through automated processing
To exercise any of these rights, email hi@databridge.tech. We will respond within one month. We may ask for proof of identity to prevent unauthorised disclosure.
If you believe we are not handling your data properly, you have the right to lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens: autoriteitpersoonsgegevens.nl.
8. Security
We protect personal data using industry-standard measures:
- TLS 1.2+ for all data in transit
- Encryption at rest for databases and object storage
- Role-based access control with least-privilege defaults
- Audit logs for administrative actions
- Regular dependency updates and vulnerability monitoring
- Credentials stored using modern password hashing (bcrypt/argon2)
No system is perfectly secure. If you discover a vulnerability, please report it to hi@databridge.tech.
9. Cookies
See our Cookie Policy for details on cookies and similar technologies.
10. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be announced via email (to account holders) or a notice on the website at least 30 days before taking effect. The "Last updated" date at the top reflects the most recent revision.
12. Contact
Questions or requests related to this policy:
DataBridge Tech Email: hi@databridge.tech