Privacy Policy
Last updated: [DATE] | ICO Registration: [NUMBER]
This Privacy Policy explains how ScaleRight Ltd ("we", "us") collects, uses, and protects your personal data when you use the Fencepost platform and services.
We are the Data Controller. We are registered with the UK Information Commissioner's Office (ICO) under registration number [NUMBER].
1. What Data We Collect
Account Data
- Email address (for account creation and communication)
- Name (optional)
- Payment information (processed by Stripe/Paddle — we do not store card numbers)
Service Data
- VPS IP address and server metadata
- Installation token (for license validation)
- Aggregated usage statistics (total calls, total cost — NOT message content)
Data We Do NOT Collect
- Your LLM API keys (these stay on your server)
- Your AI conversation content or messages
- Your OpenClaw skills or configuration
- Any data processed by your AI agents
2. Lawful Basis
| Data | Lawful Basis |
|---|---|
| Account data (email, payment) | Contract performance (Art. 6(1)(b) UK GDPR) |
| VPS metadata | Contract performance + Legitimate interest (Art. 6(1)(b), (f)) |
| Aggregated usage stats | Legitimate interest (service improvement) |
| Marketing emails | Consent (Art. 6(1)(a)) — opt-in only |
3. How We Use Your Data
- To provision and maintain your VPS instance
- To validate your license (installation token + IP)
- To process payments and send invoices
- To send service notifications (outages, updates)
- To improve the service (aggregated, anonymised analytics)
4. Sub-Processors
| Provider | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | VPS hosting | Germany (EU) |
| Cloudflare Inc. | DNS, CDN, DDoS protection | Global (EU data processing) |
| Stripe / Paddle | Payment processing | EU / Global |
| Resend | Transactional email | EU |
5. Data Retention
- Account data: Retained while your account is active and for 30 days after deletion
- Payment records: 7 years (UK tax law requirement)
- VPS metadata: Deleted within 30 days of account termination
- Usage analytics: Aggregated and anonymised after 90 days
6. Your Rights
Under UK GDPR, you have the right to:
- Access your personal data (Subject Access Request)
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Port your data to another provider
- Object to processing based on legitimate interest
- Withdraw consent for marketing at any time
To exercise any of these rights, email privacy@scaleright.ai. We will respond within 30 days.
7. International Transfers
Your data is primarily processed within the EU (Hetzner, Germany). Where data is transferred outside the EU (e.g., Cloudflare CDN nodes), it is protected by Standard Contractual Clauses (SCCs) or the UK-EU adequacy decision.
8. Security
We implement appropriate technical and organisational measures, including:
- Encryption in transit (TLS 1.3) and at rest
- Dedicated VPS per customer (no multi-tenant data mixing)
- Cloudflare DDoS protection and WAF
- Regular security patching via automated cloud-init updates
9. Cookies
The fencepost.dev website uses privacy-first analytics (Plausible/Fathom), which do not use cookies or track personal data. Payment pages (Stripe/Paddle) may set functional cookies required for payment processing.
10. Changes
We will notify you of material changes to this policy via email at least 14 days before they take effect.
11. Contact
Data Controller: ScaleRight Ltd
Email: privacy@scaleright.ai
ICO Registration: [NUMBER]
Supervisory Authority: Information Commissioner's Office (ico.org.uk)