DreamCI · Legal
Privacy Policy
Last updated: 2026-05-22
This Privacy Policy explains how {{COMPANY_NAME}} (“we”, “us”, “DreamCI”) collects, uses, and shares personal data when you use the DreamCI continuous-integration platform for Unity (the “Service”). It is intended to satisfy the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the UK GDPR, the California Consumer Privacy Act (“CCPA”) as amended by the CPRA, and Brazil’s Lei Geral de Proteção de Dados (Law No. 13.709/2018, “LGPD”).
We are the data controller for the personal data we collect through the Service. Our registered address is {{ENTITY_ADDRESS}}. You can reach our Data Protection Officer at {{DPO_EMAIL}}.
1. Data we collect
We collect the minimum data needed to operate the Service. Specifically:
- Account data: email address, display name, avatar URL, identity-provider subject identifier (from our identity provider, Auth0), and optional GitHub App installer identifier when you install the DreamCI GitHub App for an organization.
- Repository access credentials: GitHub repository access uses GitHub App installation tokens minted just in time. Source providers that require user credentials, such as GitLab or Unity Version Control, store encrypted credentials at rest with AES-256-GCM.
- Build inputs and outputs: source code references (commit SHA, branch, repository URL), build logs, build artifacts (binaries), and metadata such as Unity version, target platform, duration, and warnings. Source code is not retained after the build completes; it is checked out into ephemeral containers and removed when the run ends.
- Technical data: IP address, user-agent string, request timestamps, and audit-log entries describing security-sensitive actions (logins, role changes, build cancellations, etc.).
- Billing data: Paddle, our merchant of record, collects payment information directly. We do not receive your card number; we only receive a customer identifier, subscription state, and usage-record receipts.
2. Legal bases for processing (GDPR / LGPD)
- Performance of a contract (GDPR Art. 6(1)(b); LGPD Art. 7, V): processing strictly necessary to provide the Service — account creation, build execution, artifact storage, billing.
- Legitimate interest (GDPR Art. 6(1)(f); LGPD Art. 7, IX): operating the Service securely (rate limiting, audit logging, fraud and abuse detection). We do not perform behavioural advertising.
- Legal obligation (GDPR Art. 6(1)(c); LGPD Art. 7, II): retention of certain records to comply with tax, accounting, or law enforcement obligations.
- Consent (GDPR Art. 6(1)(a); LGPD Art. 7, I): where we ask you to opt in (e.g. non-essential analytics cookies, if any).
3. How long we keep data (retention)
We apply the retention periods documented in our public retention policy. In summary:
- Build artifacts: retained for the number of days configured by each project (default 14 days). After expiry the artifact retention sweeper deletes both the blob and the database row.
- Build logs and metadata: retained for up to 90 days for debugging and support, then anonymised.
- Audit log: retained for 365 days. Personally identifiable fields (actor user id, IP, user-agent) are pruned at expiry; the action / resource event itself is retained for aggregate security analytics.
- Account data: retained while the account is active. We anonymise on deletion request and physically erase 30 days later (see Section 7). Inactive accounts (no login for 24 consecutive months) are notified and then deleted on the same schedule.
- Backups: encrypted database backups are retained on a 35-day rolling window; deletions are propagated when the backup rotates out.
4. Sharing and sub-processors
We share personal data with a small set of carefully selected sub-processors:
- Hetzner Online GmbH (Germany, EU) — hosts our servers, database, and object storage.
- Auth0 (Okta, Inc.) — identity provider (authentication, multi-factor enrolment, account recovery).
- Paddle.com Market Ltd (United Kingdom) — merchant of record for billing; handles checkout, payments, tax, and refunds.
- GitHub, Inc. / GitLab B.V. (USA / Netherlands) — when you connect a repository provider, we validate the token and read repository data you authorise.
- Sentry / observability vendor — optional, only when we collect error telemetry. PII is scrubbed before transmission.
We sign Data Processing Agreements with every sub-processor that handles personal data on our behalf. Sub-processor updates are announced at least 30 days before they take effect.
5. International data transfers
Our primary infrastructure is located in the European Union (Germany). Where a sub-processor is established outside the EU/EEA (e.g. GitHub and Paddle for certain functions), the transfer is governed by the European Commission’s Standard Contractual Clauses (Decision (EU) 2021/914) and, where applicable, the UK International Data Transfer Addendum. We document the safeguards in our Data Processing Agreement (see /legal/dpa).
6. Security
We protect personal data with, at minimum, the following measures:
- TLS 1.2+ for every connection between you and the Service.
- Encryption at rest for the database (LUKS) and object storage.
- AES-256-GCM application-layer encryption for OAuth access tokens and per-project secrets.
- PostgreSQL row-level security (FORCE) on every multi-tenant table — even a database role bypassing application code cannot see another organisation’s rows.
- Append-only audit log of security-sensitive actions; reviewed monthly.
- Least-privilege service accounts; production access is logged and requires multi-factor authentication.
- Annual third-party security review of the platform (post-launch).
7. Your rights
Subject to applicable law you have the right to:
- Access the personal data we hold about you — use the “Export my data” button in Settings → Account, or call GET /api/v1/users/me/export.
- Rectify inaccurate personal data — change your email or display name in Settings, or contact us.
- Erase your account and personal data — use the “Delete my account” button in Settings → Account, or call DELETE /api/v1/users/me. We anonymise all personal data immediately and physically delete the row 30 days later (the grace period covers accidental deletion).
- Restrict processing or object to legitimate-interest-based processing.
- Portability — the export above produces a machine-readable JSON document covering all categories listed in Section 1.
- Withdraw consent at any time for processing based on consent (e.g. cookie preferences at /legal/cookies).
- Lodge a complaint with a supervisory authority. You may also contact your local authority — in {{JURISDICTION}} this is the relevant national data-protection regulator.
We respond to verified requests within 30 days. To raise a request outside the self-service flow, email {{DPO_EMAIL}} or POST /api/v1/users/me/dsr-request.
8. Cookies
See the dedicated Cookie Policy. The Service does not run advertising or behavioural tracking. Essential cookies (session, CSRF, cookie-preference) are set without consent because they are strictly necessary to provide the Service. Any analytics cookie is gated by your consent and is opt-in.
9. Children
The Service is not directed to individuals under 16 years of age. We do not knowingly collect personal data from children.
10. Changes to this Policy
We may update this Policy from time to time. Material changes will be announced by email (to account holders) and on the dashboard at least 30 days before they take effect.
11. Contact
Data Protection Officer: {{DPO_EMAIL}}
Postal address: {{COMPANY_NAME}}, {{ENTITY_ADDRESS}}