This privacy policy page has two sections: keep reading for the informal part; see below for the legal part.

Informal

We respect your right to privacy — isn't that what everybody is saying? Privacy is hard. We aim for a good balance between privacy, security, business needs, usability and legal regulations.

Data processing potentially including personal data is happening on multiple levels with web hosting: We have to store IPs for security reasons, we have to store billing related data for 10 years and most importantly you are storing your code, uploads and databases here.

Data processing terms

Our terms cover general data processing measures. Additional "order data processing terms" are available on request for B2B clients.

Code peeking policy

Technically, fortrabbit staff is able to view and even edit all uploaded files and databases. Our aim is to be involved as little as possible. There is an internal policy for that. In many support cases knowledge about configuration or code is essential to find a solution. Where possible and acceptable we will ask for permission to look into your code upfront. In other security related cases, for instance fighting phishing attempts, it is required that we examine code proactively. This can take place on suspicion.

Security responsibility

We believe in a clear and transparent division of concerns. In a nutshell: we are responsible for the cloud infrastructure, the operating system and the PHP runtime; you are responsible for the software you write and use. Please also read our security responsibility article to learn more about the security division here.

Deleting data

When deleting Apps or Accounts with us, we delete as much and as completely as possible. For some clients this comes as a surprise as they expect that we just hide data away, until they pay their open invoices.

Web server logs

You can interact with fortrabbit services on various transport protocols. We are storing connection data in log files with each access. This may include the request time, the IP address of the requestor, the protocol and version used, URL called, response status, the number of bytes delivered, a referrer and a user agent (browser and OS). We are doing so for security reasons — to avoid malicious and unauthorized access. We reserve the right to analyze and blacklist certain IPs from our services based on these access logs. We will delete those logs as soon as possible. Certain logs might be kept for analysis and fraud protection.

TLS encryption

fortrabbit Apps can be accessed via a TLS encrypted connection in various ways. All have in common that fortrabbit is not the Certificate Authority and that the service is provided "as is". See our dedicated HTTPS & TLS help article for more.

Disclaimer

To err is human. We do our best to keep this information up-to-date, complete and correct. We reserve the right to add, change or remove certain services and practices without further announcement.

Third party services transparency

fortrabbit wouldn't be possible without relying on third party services. We have carefully reviewed and chosen our business partners. Individual data processing terms with those vendors are in place. The following gives you an overview of which external services we use, how and why:

Cloud hosting & data centers

The fortrabbit platform itself runs on Amazon Web Services (AWS). That includes our web properties (www, blog, help and dashboard) and most importantly the Apps our clients are creating here. Various different services from AWS (EC2, RDS, S3, Route53, Cloudfront …) are used in combination.

  1. Apps will be stored in the data center location you are choosing.
  2. Billing related and Account data is stored in Ireland.

Payment processing

Credit card billing information is stored directly with our credit card payment processor Wirecard. We only keep a minimum of information: a reference and an identifier. SEPA bank account information is stored in our databases.

Usage statistics, tracking & marketing

We are making use of Google Analytics and potentially of Google AdWords. We might use re-marketing from Google, as it is an effective way to stay on the radar of potential clients. We might also advertise on Twitter; for this we are sharing information about your visit, think "Tailored Audiences".

Support service

The little chat bubble on the bottom right is powered by Intercom. This service collects some meta-data, like browser, operating system and geo location when you interact and provide your name and e-mail to get in touch with us. For identified Accounts we share your name, company, e-mail and the additional meta-data via API. This helps us give you personal and fast support. When you delete your Account with fortrabbit, the connected data-set will also get deleted. From time to time we also manually delete neglected, non-active Accounts on the Intercom side, to store and share as little as needed.

Newsletter subscription

We are using MailChimp to send occasional e-mail updates to subscribed Accounts. These e-mails include relevant information on service updates and feature announcements. With MailChimp we share e-mail addresses and names (for personalization). New fortrabbit Accounts get signed up for the newsletter automatically. That's why you need to confirm that we contact you by e-mail upfront. Each newsletter — of course — includes a one-click opt-out option. Additionally, there is an Account notification setting in the Dashboard to manage subscriptions.

Transactional e-mails

We are using Postmark to send automated transactional e-mails to Accounts. These e-mails include relevant information. They are either triggered by intervals or user interaction. Examples are: "double opt-in sign-up", "invoice notice", "trial expire notice" or "password reset". Naturally, there is no opt-out for these. Again, that's why you need to confirm to be contacted by e-mail when signing up.

Status updates

Accounts can subscribe — via opt-in — to fortrabbit service status updates for downtimes and incidents. This optional service is provided by Statuspage from Atlassian. It is possible to subscribe by e-mail, SMS or RSS feed. It is available under status.fortrabbit.com.

Recruitment software

We are using software to manage our hiring processes, to source, evaluate and track applicants. Currently we are using Breezy for this. Open positions can be found under fortrabbit.breezy.hr.

Account meta data

We will store additional meta data with your Account when you sign up. This includes your IP, the time and a possible referrer. We use MaxMind to convert the IP to a geolocation that will also be stored with your Account. This might sound sneaky but is an important cornerstone in fraud and phishing protection.

Internal case management

We use Trello as an internal ticketing system to keep track of ongoing business tasks. We might link client cases from the chat system or billing related information there as well.

Account profile pictures

We are sending a hash of your e-mail address to the Gravatar service to see if you have an Account over there. When you have, we are displaying your profile picture from over there; when not, a unique generic profile icon will be displayed.

Accounting

We are employing a tax agency called Ecovis, as well as potentially other accountants to help us with financial accounting. Naturally, these service providers have reading access to billing related data and invoices. Billing related data, like invoices, are stored with Google Drive.

Embedded content

In certain cases we might embed content from other web services in our websites. This can be a hotlink, some JS, or an iframe. Examples are a YouTube video, or a poll by Google Forms or just an image from another website. Of course, this might refer your IP and a timestamp as well.

Legal

The source of our legal documents is on GitHub:
github.com/fortrabbit/legal

An updated version, in full compliance with GDPR, will be posted soon.

Privacy policy of fortrabbit

last amended on February 12th, 2016

We treat your personal data in accordance with all applicable laws. The personal data and all information provided by our clients regarding legal matters are protected by the strict German attorney client privilege. All other personal data gathered by us are protected under federal German law, in particular the Federal Data Protection Act ("Bundesdatenschutzgesetz", BDSG) and the Telemedia Act ("Telemediengesetz", TMG). All our employees are bound to these laws, too.

Statistics using Google Analytics

This website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies” (see below) to help the website analyze how users use the site. The information generated by the cookie about your use of the website will be transmitted to and stored by Google on servers in the United States. In case IP-anonymisation is activated on this website, your IP address will be truncated within the area of Member States of the European Union or other parties to the Agreement on the European Economic Area. Only in exceptional cases the whole IP address will be first transferred to a Google server in the USA and truncated there. The IP-anonymisation is active on this website. Google will use this information on behalf of the operator of this website for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing them other services relating to website activity and internet usage. The IP address that your browser conveys within the scope of Google Analytics will not be associated with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. You can also opt-out from being tracked by Google Analytics with effect for the future by downloading and installing Google Analytics Opt-out Browser Addon for your current web browser.

Remarketing & tracking

This website uses Google AdWords and probably other remarketing/tracking services such as Twitter to advertise on third party websites to previous website visitors. This could be used to advertise to previous visitors. This could be in the form of an advertisement on the Google search results page, or a site in the Google Display Network or other places. Third-party vendors, including Google, use cookies to serve ads based on someone's past visits to our website. Of course, any data collected will be used in accordance with our own privacy policy and Google's privacy policy.

Cookies

fortrabbit makes use of cookies as well. When you visit a company web site, fortrabbit servers send a cookie to your computer. Alone, cookies do not personally identify you. You remain anonymous, unless you choose to identify yourself to fortrabbit, either by responding to a promotional offer, registering an Account, or filling out a Web form.

fortrabbit may use session-based and persistent-based cookies. Session cookies persist during a browser session. They disappear when closing or quitting the browser. Persistent cookies remain after closing or quitting the browser. If you disable the web browser's ability to accept cookies, functionality of the services may be affected, and you may not be able to successfully use the services.

If you have chosen to identify yourself to fortrabbit via registration, session cookies containing encrypted information to identify you are used. Each time you log into the services, a session cookie containing an encrypted, unique identifier that is tied to your account is placed in your browser. Session cookies allow us to identify you and to process your online transactions and requests. Cookies are required to use the services.

fortrabbit uses persistent cookies that only the company can read and use to identify browsers that have previously visited the company's web site. When you purchase services or provide the company with personal information, a unique identifier is assigned to you. This unique identifier is associated with a persistent cookie that the company places on your web browser. The company is careful about the security and confidentiality of the information stored in persistent cookies. If you disable your web browser's ability to accept cookies, you will be able to navigate the company's web site, but you will not be able to successfully use the services.

fortrabbit may use information from session and persistent cookies in combination with data about fortrabbit clients.

JavaScript

If you disable JavaScript, some features of the fortrabbit web sites may not function properly.

IP addresses

fortrabbit web sites collect your internet protocol (“IP”) addresses to track and aggregate non-personal information and for security reasons. For example, fortrabbit uses IP addresses to guess a currency based on your location.

Registration

When registering with fortrabbit, personal data will be collected, namely your e-mail address. The data collected is used exclusively to grant you access and contact you in relevant circumstances.

Your rights

You have the right to ask us about your personal data stored with us. You have the right to get incorrect information corrected or blocked or deleted. You can revoke the right to use personal data for advertising purposes at any time. If you want to make use of your rights as described before, please send us a letter (haha).