Privacy Policy
We collect what we need to run RailRocket for you (account, billing, usage, workspace metadata) and nothing else. We don’t sell data. We don’t use your code, data, or workspace content to train models. You can export everything, delete everything, and email our DPO directly.
This Privacy Policy describes how RailRocket GmbH processes personal data in the course of operating the RailRocket platform. We are the controller for the data described in section 2 unless otherwise noted, and we operate from Berlin, Germany, under the General Data Protection Regulation (EU 2016/679) and the German Federal Data Protection Act (BDSG).
01 Who we are
RailRocket GmbH, HRB 247 891 B (Charlottenburg), Schönhauser Allee 36, 10435 Berlin, Germany. Our Data Protection Officer is Hannah Klein; reachable at dpo@railrocket.dev.
02 What we collect
- Account data: email, name, hashed password, organisation membership, OAuth identity (if you signed in via GitHub / GitLab).
- Billing data: billing email, address, VAT number, payment method tokens held by Stripe (we do not store card numbers).
- Usage data: compute hours, workspace count, snapshot operations, region. Aggregated; not tied to your end users.
- Workspace metadata: repo URLs, branch names,
railrocket.ymlconfig, exposed ports. - Operational logs: workspace start/stop events, attach events, errors. Retained 30 days.
- Code & data you upload: processed under your instructions; we are a processor for this category and use it only to operate the Service.
03 Why we collect it
- To provide the Service you requested (legal basis: contract).
- To bill you for usage above the free tier (legal basis: contract).
- To detect abuse and protect platform integrity (legal basis: legitimate interest).
- To comply with German tax and accounting law (legal basis: legal obligation).
04 How it is shared
We do not sell personal data. We do not share it for behavioural advertising. We share data with a small list of subprocessors who help operate the Service:
- Stripe Payments Europe Ltd — billing & payment processing (Ireland).
- Amazon Web Services EMEA — primary infrastructure (Frankfurt + Stockholm).
- Postmark (ActiveCampaign LLC) — transactional email (US, SCCs in place).
- Plausible Insights OÜ — cookie-free analytics for the marketing site (Estonia).
- Sentry GmbH — error tracking for the dashboard and control plane (US, EU data residency option).
The current list is maintained at /subprocessors. We notify Org-plan customers at least 30 days before adding a new subprocessor.
05 Where it’s stored
The control plane (account, billing, configuration) is stored in AWS Frankfurt (EU). Workspace data is stored in the AWS region you configure (EU-Central by default). Org-plan customers using bring-your-own-cloud have data stored in their own VPC.
Transfers outside the EEA rely on Standard Contractual Clauses where applicable.
06 Retention
- Account & billing data: for the life of your account and 10 years after closure (German § 257 HGB).
- Usage data: 18 months in detailed form, indefinitely as monthly aggregates.
- Workspace snapshots: 30 days after workspace deletion.
- Operational logs: 30 days.
- Customer code & workspace contents: deleted within 30 days of account closure.
07 Your rights
Under GDPR you have the right to access, rectify, erase, restrict, port, and object to processing of your personal data. You can exercise most of these from your dashboard. To exercise any of them by other means, email dpo@railrocket.dev — we respond within 30 days and at no charge for the first request in any 12-month period.
You can also lodge a complaint with the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit) at datenschutz-berlin.de.
08 Security
All data is encrypted in transit (TLS 1.3, modern cipher suites only) and at rest (AES-256-GCM). Production access is restricted to Lukas and Hannah, gated by hardware security keys, and logged. We follow the German IT Security Act 2.0 incident notification requirements and would notify affected customers within 72 hours of becoming aware of a qualifying breach.
Security disclosures are welcomed at security@railrocket.dev and our PGP key is at /.well-known/security.txt. We don’t run a paid bug bounty but we credit reporters.
09 Cookies
The dashboard uses a single first-party session cookie for authenticated sessions. We do not set advertising or third-party tracking cookies. Plausible Analytics is configured for cookie-less measurement.
10 DPO contact
Hannah Klein acts as our Data Protection Officer. Reach her at dpo@railrocket.dev or by post at the address in section 1.
We will post material changes to this Policy at least 30 days before they take effect, and email account holders. The current version is always at this URL.