Privacy Policy

Digital Frontier Unipessoal LDA ("Digital Frontier," "we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, use our platform, or interact with our services (collectively, the "Services").

We are a data controller established in Portugal. The processing of personal data through our Services is subject to:

• General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679.
• Portuguese data protection law — Law 58/2019, which implements the GDPR domestically.
• Digital Services Act (DSA) — Regulation (EU) 2022/2065, which governs our obligations as a hosting service provider.

As stated in our Terms of Service, Digital Frontier operates as an infrastructure and hosting provider. We do not provide crypto-asset services regulated under MiCA.

1. Data Controller

The data controller responsible for your personal data is:

• Digital Frontier Unipessoal LDA
• Registered in Cascais, Portugal
• Email: privacy@digitalfrontier.so

Our data protection contact can be reached at dpo@digitalfrontier.so. Where a Data Protection Officer has been formally appointed, they can be reached at the same address.

2. Information We Collect

2.1 Information You Provide

We collect personal information that you voluntarily provide to us when you:

• Register an account (name, email address, organization).
• Complete your profile (billing information, company details).
• Contact us via our contact form, email, or support channels.
• Subscribe to newsletters or communications.
• Provide payment information (processed by our payment providers; we do not store full card details).

2.2 Information Collected Automatically

When you access or use our Services, we may automatically collect:

• Device and usage data: IP address, browser type and version, operating system, device identifiers, screen resolution.
• Usage patterns: pages visited, time spent on pages, features used, deployment activity, API call patterns.
• Log data: server access logs, error logs, and performance metrics collected for security and operational purposes.
• Cookies and similar technologies: session cookies for authentication, analytics cookies (only with your consent), and functional cookies for preferences.

2.3 Information from Third Parties

We may receive information from third-party services you use to authenticate with our platform (e.g., GitHub, Google), subject to their respective privacy policies and your consent.

3. How We Use Your Information

We use your personal data for the following purposes:

• Service delivery: To provide, maintain, and improve the Services, including account management, billing, and customer support.
• Security: To detect, prevent, and address fraud, unauthorized access, security incidents, and other illegal activities.
• Legal compliance and authority cooperation: To comply with the DSA (including Articles 9, 10, 16, 17, 18), the EU terrorist content regulation, Portuguese cybercrime law (Law 109/2009), NIS2 incident reporting obligations (Decree-Law 125/2025), and other applicable legal obligations.
• Communication: To respond to your inquiries, send service notifications, and (with your consent) marketing communications.
• Analytics and improvement: To analyze usage patterns and improve our Services, conducted on anonymized or aggregated data wherever possible.

4. Legal Basis for Processing (GDPR Article 6(1))

We process your personal data only when we have a lawful basis to do so:

• Consent (Art. 6(1)(a)): When you have given explicit consent, e.g., for marketing communications or non-essential cookies.
• Contract performance (Art. 6(1)(b)): When processing is necessary to perform our contract with you, e.g., providing the Services, account management, and billing.
• Legal obligation (Art. 6(1)(c)): When processing is necessary to comply with a legal obligation, including DSA disclosure orders, terrorist content removal obligations, tax and accounting law, NIS2 incident reporting, and Law 109/2009 evidence preservation.
• Legitimate interests (Art. 6(1)(f)): When necessary for our legitimate interests, e.g., security monitoring, fraud prevention, abuse prevention, and service improvement — always subject to a balancing test against your rights and freedoms. This basis is used narrowly and is documented per processing activity.
• Vital interests (Art. 6(1)(d)): In rare cases, to protect the vital interests of you or another natural person.

5. Sharing of Personal Data

We do not sell, rent, or license your personal data to third parties for their own marketing purposes. We may share your personal data only in the following circumstances:

• Service providers: With trusted third-party processors who act on our instructions under data processing agreements to help us deliver the Services (e.g., payment processors, cloud infrastructure providers, analytics tools).
• Competent authorities — DSA orders: In response to valid orders under DSA Articles 9 and 10, we disclose only information already collected for service provision and within our control. We do not collect data solely to have it available for authority disclosure.
• Legal requirements: When required by law, regulation, legal process, or enforceable governmental request from competent Portuguese or EU authorities, including orders under Law 109/2009 and the terrorist content regulation.
• Safety and security: To protect against fraud, security threats, or illegal activity, or to protect the rights, property, or safety of Digital Frontier, our customers, or the public.
• Corporate transactions: In connection with a merger, acquisition, or sale of assets, we will notify you before your personal data becomes subject to a different privacy policy.

6. Third-Party Services and Infrastructure

For full transparency, this section lists the third-party providers we use to deliver and secure the Services, the data each may process, and the jurisdiction in which they operate.

6.1 DNS Providers

We operate three domains, each served by a separate DNS provider for redundancy:

| Domain | DNS Provider | Provider Jurisdiction | |---|---|---| | digitalfrontier.so | Gcore (G-Core Labs S.A.) | Luxembourg, EU | | digitalfrontier.network | Bunny.net (BunnyWay d.o.o.) | Slovenia, EU | | digitalfrontier.cloud | Cloudflare, Inc. | United States |

DNS queries for each domain are resolved by the corresponding provider. DNS queries may include your IP address and the requested hostname. Cloudflare is subject to the EU–U.S. Data Privacy Framework; Standard Contractual Clauses are in place where required.

6.2 Hosting and Compute Infrastructure

Our application is hosted on dedicated virtual servers located exclusively within the European Union:

| Provider | Service Used | Location | Purpose | |---|---|---|---| | Hetzner Online GmbH | Cloud VPS (cax11) | Helsinki, Finland | Application server | | Hetzner Online GmbH | Object Storage (S3-compatible) | Nuremberg, Germany | File storage, Terraform state | | Scaleway SAS | DEV1-S VPS | Amsterdam, Netherlands | Application server | | UpCloud Ltd | Cloud Server (1xCPU) | Warsaw, Poland | Application server |

Each application server runs the Next.js application, a CockroachDB database node, and a KeyDB cache instance. Your data is replicated across these three EU locations for availability. All hosting providers are EU-based companies operating within the EEA.

6.3 CDN and Edge Delivery

| Provider | Service Used | Purpose | Data Processed | Jurisdiction | |---|---|---|---|---| | Vercel Inc. | Vercel Edge Network | CDN, edge caching, and delivery of the website | IP address, request headers, URL path | United States |

All user requests to the Platform pass through Vercel's edge network before reaching our EU origin servers. Vercel is subject to the EU–U.S. Data Privacy Framework; Standard Contractual Clauses are in place.

6.4 Services Exposed to End Users

The following third-party services may process personal data when you interact with the Platform:

| Provider | Service Used | Purpose | Data Processed | Jurisdiction | |---|---|---|---|---| | Cloudflare, Inc. | Turnstile | Bot protection (CAPTCHA) on forms | IP address, browser signals | United States | | Resend, Inc. | Resend Email API | Transactional email (notifications, confirmations) | Email address, message content | United States | | GitHub, Inc. (Microsoft) | GitHub OAuth | User authentication (sign-in) | GitHub profile data you authorize | United States |

For all US-based providers, we rely on Standard Contractual Clauses and/or the EU–U.S. Data Privacy Framework as transfer safeguards (see Section 7).

6.5 Internal-Only Services (No Direct User Exposure)

The following services run on our own EU infrastructure and do not expose data to external third parties:

• CockroachDB (self-hosted) — distributed SQL database replicated across all three EU nodes.
• KeyDB (self-hosted) — in-memory cache on each EU node.

These services are fully under our operational control and do not communicate with external systems.

7. International Data Transfers

Our primary infrastructure is located within the European Union, distributed across Finland, the Netherlands, and Poland (see Section 6.2). When your data is processed on our EU infrastructure, it remains within the EEA.

Several of the services listed in Section 6.3 are operated by US-based providers. We ensure that any transfer of personal data outside the EEA is made with appropriate safeguards, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Adequacy decisions by the European Commission.
• Your explicit consent, where applicable.

8. Data Retention

We retain your personal data only for as long as necessary:

• Account data: For the duration of your account, and up to 90 days after termination for transition purposes.
• Billing records: As required by Portuguese tax and accounting law (typically 10 years).
• Server logs: Up to 12 months for security and operational purposes, unless required longer for an ongoing investigation or under a Law 109/2009 preservation order.
• Marketing consents: Until you withdraw your consent.
• Legal holds: Data subject to legal process, DSA orders, terrorist content orders, or regulatory investigation will be retained as required by law.
• Content moderation records: As required for DSA transparency reporting and Article 17 statement-of-reasons obligations.

Our retention practices follow GDPR data minimization: we collect only data that is actually necessary for service provision and security, and we avoid gratuitous overcollection.

9. Your Rights Under GDPR

As a data subject within the European Union, you have the following rights:

• Right of access (Art. 15): You may request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): You may request correction of inaccurate or incomplete personal data.
• Right to erasure (Art. 17): You may request deletion of your personal data, subject to legal retention obligations (e.g., tax law, evidence preservation, DSA reporting).
• Right to restriction (Art. 18): You may request that we restrict processing of your personal data in certain circumstances.
• Right to data portability (Art. 20): You may request to receive your personal data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21): You may object to processing based on legitimate interests or for direct marketing purposes.
• Right to withdraw consent (Art. 7): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.
• Right to lodge a complaint: You have the right to lodge a complaint with the Comissão Nacional de Proteção de Dados (CNPD) (www.cnpd.pt), the Portuguese supervisory authority designated under Law 58/2019, or with any other supervisory authority in the EU member state of your habitual residence.

To exercise any of these rights, please contact us at privacy@digitalfrontier.so. We will respond to your request within 30 days, as required by the GDPR.

10. Cookies and Tracking Technologies

We use the following categories of cookies:

• Essential cookies: Required for the functioning of the Platform (authentication, session management, security). These cannot be disabled.
• Functional cookies: Remember your preferences and settings. These are optional and require your consent.
• Analytics cookies: Help us understand how users interact with our website and platform (e.g., page views, feature usage). These require your consent and are based on anonymized data.

You can manage your cookie preferences at any time through your browser settings. Disabling cookies may affect the functionality of certain features.

11. Security

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
• Access controls and authentication mechanisms.
• Regular security assessments and vulnerability scanning.
• Employee training on data protection and security practices.
• Incident response procedures in compliance with GDPR breach notification requirements (72-hour notification to CNPD) and, where applicable, NIS2 incident reporting under Decree-Law 125/2025, under the supervision of the competent Portuguese cybersecurity authorities, including CNCS where applicable.

While we take reasonable measures to protect your data, no system is completely secure. You are responsible for maintaining the confidentiality of your account credentials.

12. Children's Privacy

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child under 18, we will take steps to delete such information promptly.

13. Automated Decision-Making

We do not use fully automated decision-making or profiling that produces legal effects or significantly affects you. Any automated processes (e.g., abuse detection, resource allocation) include human oversight.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Posting the updated policy on this page with a revised "Last updated" date.
• Sending an email notification for significant changes.
• Displaying a prominent notice on the Platform.

We encourage you to review this Privacy Policy periodically.

15. Contact Information and Supervisory Authority

For any questions or concerns about this Privacy Policy or our data practices:

• Privacy inquiries: privacy@digitalfrontier.so
• Data Protection Officer: dpo@digitalfrontier.so
• Legal inquiries: legal@digitalfrontier.so
• Postal: Digital Frontier Unipessoal LDA, Cascais, Portugal

Portuguese supervisory authority: Comissão Nacional de Proteção de Dados (CNPD), www.cnpd.pt — designated under Law 58/2019.

DSA authority: ANACOM — designated as Portugal's Digital Services Coordinator under Decree-Law 20-B/2024.