Privacy Policy
Last updated: March 8, 2026
1. Who we are
deploybase is a static site hosting platform operated by TwanIT, a sole proprietorship (eenmanszaak) registered in the Netherlands.
- Trade name: TwanIT / deploybase
- KVK number: 71667415
- VAT ID: NL002404374B49
- Address
- support@deploybase.eu
TwanIT is the data controller for the personal data processed through deploybase, as defined in the General Data Protection Regulation (GDPR / AVG).
2. Data we collect
We collect only the data necessary to provide our service.
Account data
When you create an account: your name, email address, and authentication credentials. Passwords are never stored in plain text — authentication is handled by our self-hosted Zitadel identity provider.
Billing data
When you subscribe to a paid plan: company name, billing address, VAT identification number, and payment method details. Payment processing is handled by Vatly — we do not store credit card numbers.
Usage data
When you use the platform: deployment metadata (project names, build logs, domain configurations), IP addresses in server logs, and API request logs.
Communication data
When you contact us: your email address and the content of your message.
3. Why we collect your data
| Purpose | Data used |
|---|---|
| Provide and maintain the service | Account data, usage data |
| Process payments and invoicing | Billing data |
| Send service notifications (build status, billing alerts) | Email address |
| Prevent abuse and ensure security | IP addresses, API logs |
| Comply with legal obligations (tax records) | Billing data, invoices |
| Respond to support requests | Communication data |
We do not use your data for profiling, automated decision-making, or selling to third parties.
4. Legal basis
We process your data based on the following legal grounds under GDPR Article 6:
- Contract performance (Art. 6(1)(b)) — Processing necessary to provide the hosting service you signed up for: account management, deployments, billing.
- Legal obligation (Art. 6(1)(c)) — Tax record keeping and invoice retention as required by Dutch tax law (7-year retention).
- Legitimate interest (Art. 6(1)(f)) — Security monitoring, abuse prevention, and service improvement. We balance this against your privacy rights.
We do not rely on consent as a legal basis for core service functionality.
5. Data processors
We use a limited number of trusted third-party processors. All are based in the EU or provide adequate data protection guarantees. We have Data Processing Agreements (DPAs) in place with each.
| Processor | Purpose | Location |
|---|---|---|
| Scaleway | Infrastructure hosting (servers, storage) | Paris, France (EU) |
| Bunny.net | Content delivery network (CDN) | Ljubljana, Slovenia (EU) |
| Vatly | Payment processing (Merchant of Record) | EU |
| Lettermint | Transactional email delivery | EU |
Authentication (Zitadel) is self-hosted on our own infrastructure — no third-party access to your credentials.
For full details, see our Data Processing Agreement and Security page.
6. International data transfers
Your data is stored and processed exclusively within the European Union. Our servers are located in Scaleway's Paris datacenter, and our CDN is configured for EU-only delivery.
We do not transfer personal data to countries outside the European Economic Area (EEA). If this ever changes, we will update this policy and ensure appropriate safeguards (such as Standard Contractual Clauses) are in place.
7. Data retention
| Data type | Retention period |
|---|---|
| Account data | Duration of your account + 30 days after deletion |
| Billing data and invoices | 7 years after the financial year (Dutch tax law) |
| Build logs | 90 days |
| Server access logs (IP addresses) | 30 days |
| Deployment data | Duration of your account |
| Support correspondence | 2 years after last contact |
When you delete your account, we remove your personal data within 30 days, except where retention is required by law.
8. Your rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access — Request a copy of the personal data we hold about you.
- Right to rectification — Request correction of inaccurate or incomplete data.
- Right to erasure — Request deletion of your personal data ("right to be forgotten").
- Right to data portability — Receive your data in a structured, commonly used format.
- Right to restrict processing — Request that we limit how we use your data.
- Right to object — Object to processing based on legitimate interest.
To exercise any of these rights, email us at support@deploybase.eu. We will respond within 30 days.
You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
10. Security
We take appropriate technical and organizational measures to protect your personal data, including:
- Encryption in transit (TLS) and at rest
- Authentication via passkeys and secure password hashing
- Role-based access control with team isolation
- Regular security updates and monitoring
- Infrastructure hosted in ISO 27001 certified datacenters
If we discover a data breach that affects your personal data, we will notify you and the Autoriteit Persoonsgegevens within 72 hours as required by GDPR.
For a full overview of our security measures, see our Security & Compliance page.
11. Changes to this policy
We may update this privacy policy from time to time. When we make material changes, we will notify you by email or through a notice on the platform. The "last updated" date at the top of this page reflects the most recent revision.
12. Contact
For privacy-related questions or to exercise your rights:
- support@deploybase.eu
- Postal address