Privacy Policy
Last updated: December 26, 2025
1. Introduction
This Privacy Policy explains how [COMPANY NAME] ("we", "us", "our") collects, uses, and protects your personal data when you use BinDist ("the Service").
Data Controller:
[COMPANY NAME]
[ADDRESS]
[COUNTRY]
Email: privacy at bindist.eu
2. Data We Collect
2.1 Account Information
- Tenant/company name
- Email address
- API keys (stored as SHA-256 hashes only - we never store plaintext keys)
2.2 Application Data
- Application names and descriptions
- Version information and release notes
- Uploaded binary files and their metadata (file size, checksums)
2.3 Activity Logs
We automatically collect the following when you use our API:
- Timestamp of requests
- IP address
- User agent (browser/client information)
- Application and version accessed
- Customer ID
Activity logs are retained for 90 days and automatically deleted after this period.
2.4 Payment Information
Payment card details are processed by our payment provider Adyen and are never stored on our servers. We only receive confirmation of payment status and a secure token for recurring billing.
3. How We Use Your Data
We process your data for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing the Service | Contract performance |
| Account authentication | Contract performance |
| Activity logging for security and debugging | Legitimate interest |
| Fraud prevention | Legitimate interest |
| Payment processing | Contract performance |
| Service communications | Contract performance |
4. Data Storage & Security
4.1 Location
All data is stored in AWS eu-west-1 (Ireland), within the European Economic Area (EEA).
4.2 Security Measures
- Encryption in transit: All API traffic uses HTTPS/TLS encryption
- Encryption at rest: S3 buckets use AES-256 server-side encryption
- API key security: Keys are hashed with SHA-256 before storage
- File integrity: SHA-256 checksums for all uploaded files
- Tenant isolation: Separate database tables and storage buckets per tenant
- Access control: API Gateway rate limiting (100 req/s, burst 200)
- Public access blocked: S3 buckets have public access completely blocked
4.3 Backups
- Active backups: Retained for 365 days
- After account cancellation: Data archived for 14 days, then permanently deleted
- Archived backups: Deleted after 90 days
5. Cookies & Local Storage
BinDist uses minimal client-side storage:
| Storage Type | Purpose | Duration |
|---|---|---|
| sessionStorage | API key for current session | Until tab closed |
| localStorage | Theme preference (light/dark) | Persistent |
We do not use:
- Analytics or tracking cookies
- Advertising or marketing cookies
- Social media tracking pixels
- Third-party cookies for profiling
The only third-party script is the Adyen payment SDK (on signup page only), which may set strictly necessary cookies for fraud prevention.
No cookie consent banner is required as all storage is strictly necessary for the service to function (ePrivacy Directive).
6. Third-Party Services
We use the following third-party services that may process your data:
| Service | Purpose | Location | Privacy Policy |
|---|---|---|---|
| Amazon Web Services (AWS) | Infrastructure hosting | EU (Ireland) | AWS Privacy |
| Adyen | Payment processing | EU | Adyen Privacy |
No data is transferred outside the EU/EEA.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Until account deletion |
| Application data | Until deleted by tenant |
| Activity logs | 90 days (automatic deletion) |
| Backups | 365 days |
| Post-cancellation archives | 90 days |
8. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the right to:
- Access your personal data (available via API and website dashboard)
- Rectification of inaccurate data (via account settings)
- Erasure ("right to be forgotten") - request account deletion
- Data portability - export your data using our backup feature
- Restriction of processing - contact us
- Object to processing - contact us
- Withdraw consent - where processing is based on consent
To exercise these rights, contact us at privacy at bindist.eu.
9. Children's Data
BinDist is not intended for users under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe we have collected data from a child under 16, please contact us immediately.
10. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the Dutch Data Protection Authority within 72 hours
- Notify affected users without undue delay if the breach poses a high risk
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by:
- Email notification to account holders
- Notice on our website
Continued use of the Service after changes constitutes acceptance of the updated policy.
12. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority. For BinDist, this is:
Dutch Data Protection Authority (Autoriteit Persoonsgegevens)
Website: https://autoriteitpersoonsgegevens.nl
You may also contact the data protection authority in your country of residence.
13. Contact Us
For privacy-related questions or to exercise your rights:
Email: privacy at bindist.eu
Address: [ADDRESS]