Last updated: March 18, 2026

This Privacy Policy explains how Hydrant / Manuel Rossner ("Hydrant", "we", "us", "our") collects and processes personal data when you visit our website, create an account, join a workspace, or use our rendering services.If you do not agree with this Policy, please do not use the Service.

1. Who we are and how to contact us

Controller (for our website, billing, support, marketing, and account-level data):

Manuel Rossner
Bessemerstraße 51
12103 Berlin
Germany

Email: privacy@hydrant.app

Impressum: www.hydrant.app/legal/imprint

Data Protection Officer: Manuel Rossner

For customer content processed inside workspaces: see Section 6 on Roles. We typically act as processor for "Customer Personal Data" when we host and render your workspace data under a Data Processing Agreement (DPA).

Supervisory authority: You have the right to lodge a complaint with your local authority or the Berliner Beauftragte für Datenschutz und Informationsfreiheit.

2. What we collect

2.1 Data you provide

• Account & login: name, email, password (hashed), optional 2FA factors.
• OAuth: when you choose Google or GitHub sign-in, we receive your basic profile data (name, email, provider ID).
• Workspace data: datasets, scenes, fonts, uploads, settings, members and roles.
• Billing: company details, VAT ID, billing address, payment metadata via Stripe (we do not store full card data).
• Support & feedback: messages, attachments, survey responses.

2.2 Data we collect automatically

• Usage & device info: IP address, device type, browser, language, timestamps, event logs.
• Security & rate-limit signals: via Upstash (e.g., IP, token identifiers) and our auth layer (Better Auth).

2.3 Analytics & session insights

• PosthHog for product analytics and session replay (mouse movements, clicks, scrolls, page performance; we take reasonable steps to avoid capturing sensitive fields).
• Googly Analytics for website/product analytics. We only run non-essential analytics with your consent where required (see Cookies).

3. Cookies & consent

We use:

• Strictly necessary cookies (authentication, security, session continuity).
• Analytics cookies (PostHog, Google Analytics) with your prior consent where required. Use our cookie banner/settings to change or withdraw consent at any time. Certain features may not function without essential cookies.

4. Why and on what legal bases we process data

• Provide and secure the Service (account, auth, workspaces, rendering, rate-limiting): Art. 6(1)(b) GDPR (contract) and 6(1)(f) (legitimate interests -- security, reliability).
• Billing, tax, and compliance: Art. 6(1)(b) and 6(1)(c) (legal obligation).
• Product analytics & session replay: Art. 6(1)(a) (consent) where required; otherwise 6(1)(f) (legitimate interests in improving the Service).
• Marketing communications: Art. 6(1)(a) (consent) or 6(1)(f) for existing customers within legal bounds (you can opt out).
• Abuse prevention & fraud detection: Art. 6(1)(f).
• Legal claims & defense: Art. 6(1)(f).

5. How long we keep data

• Account & workspace data: for the life of the account; we delete or anonymize within ~30–90 days after termination unless we must keep it longer for legal reasons.
• Logs & security data: typically up to 12 months (shorter where feasible).
• Billing records: up to 10 years to meet German/EU tax law.
• Backups: limited-retention rolling backups (e.g., up to ~35 days).

6. Roles: controller vs. processor

• For our website, account administration, billing, support, and marketing: Hydrant is the controller.
• For Customer Personal Data that you upload into your workspace (e.g., datasets, scenes, member identifiers): Hydrant acts as a processor to you (the Workspace Owner) and processes this data under a DPA (see "Data Processing Agreement" page). You are responsible for having a lawful basis to process your end users' data.

7. Sharing and international transfers

We share data with service providers ("processors/sub-processors") strictly to deliver the Service:

• Hosting & rendering: AWS (primarily EU regions), including compute and storage for rendering and files.
• Database: NeonDB (managed Postgres).
• Rate limiting / queues: Upstash (managed Redis).
• Authentication: Better Auth (including optional 2FA flows).
• Payments & invoicing: Stripe.
• Analytics & session insights: PostHog, Google Analytics, Sentry.
• Login providers (independent controllers): Google, GitHub (for OAuth sign-in you choose to use).

Where data is transferred outside the EEA (e.g., to the US), we rely on Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms and apply additional safeguards where appropriate.

8. Security

We use industry-standard measures including encryption in transit (TLS), encryption at rest where supported by our providers, role-based access controls, least-privilege production access, audit logging, and optional 2FA. No system is perfectly secure; please use a strong, unique password and enable 2FA where available.

9. Your rights (EU/EEA and similar regimes)

You can exercise: access, rectification, erasure, restriction, portability, and objection to processing based on legitimate interests. Where processing relies on consent, you can withdraw consent at any time.Contact: privacy@hydrant.appYou may also complain to your supervisory authority.

10. Children

The Service is not intended for individuals under the age of 16. We do not knowingly collect data from children. If you believe a child provided data, contact us to delete it.

11. Public datasets and attribution

We integrate public sources (e.g., Our World in Data, World Bank). When our UI or templates display dataset credits, you must keep those credits intact in ordinary use (see Terms of Service).

12. Changes to this Policy

We may update this Policy from time to time. We will notify you by email or in-app. Continued use indicates acceptance of the updated Policy.

13. Contact

Manuel Rossner
Bessemerstraße 51
12103 Berlin
Germany

Email: privacy@hydrant.app