privacy policy

last updated 2026-05-10 · phase 0 private alpha

This Privacy Policy explains what personal data the briven Service (briven.tech and any subdomain) collects, why, and what you can do about it. The Service is operated by flndrn Limited(the “Operator”, also the data controller for the purposes of the EU General Data Protection Regulation), a company registered at Arch. Makariou III 171, Vanezis Business Center 4th floor, 3027 Limassol, Cyprus. Day-to-day development takes place in Flanders, Belgium. For brand and legal context see the Terms of Service.

1. what we collect

We process the following categories of personal data:

• Account data — email address (required), display name (optional), OAuth provider identifier and avatar URL (only if you sign in via Google).
• Project metadata — names you give projects, schemas you push, deployment timestamps, and a per-project audit log of mutations (who did what, when).
• Encrypted secrets — project env vars and API keys, encrypted at rest with AES-256-GCM. The Operator can never read these without your authenticated request.
• Operational telemetry — request paths, response codes, and latency on the API and dashboard. We use these to debug and to bill function-invocation usage.
• IP-derived identifiers — your IP address is hashed with a server-side pepper at the moment a request is logged. The plaintext IP is never written to disk. The hash is what appears in the audit log; it lets us correlate sessions for security investigations without de-anonymising you.
• Billing data (when paid tiers launch) — billing email and a token from our payment processor. We do not store card or bank-account details on briven infrastructure; the processor handles all of that.

2. what we do not collect

• The contents of your customer database. We operate the Postgres cluster and the runtime; we do not read your tables, rows, or function code outside of the support paths you explicitly authenticate.
• Third-party advertising cookies, marketing trackers, or session-replay tools. briven.tech ships zero analytics scripts to your browser.
• Plaintext IP addresses, browser fingerprints, or device identifiers for advertising purposes.

3. why we process it

The legal bases for processing under GDPR Article 6 are:

• Contract (Art. 6(1)(b)) — to provide you the Service you signed up for: hosting your Postgres, running your functions, serving your dashboard.
• Legitimate interests (Art. 6(1)(f)) — security, abuse prevention, and operational debugging. The audit log and IP hashing fall under this basis.
• Legal obligation (Art. 6(1)(c)) — when a court order, regulatory subpoena, or DSA/DMA disclosure requirement compels us.
• Consent (Art. 6(1)(a)) — currently used only for optional product announcements; you can decline at sign-up and withdraw any time without affecting your access to the Service.

4. who we share with

We share data only with the third-party processors listed at briven.tech/subprocessors. Each one is bound by a data-processing agreement that limits them to the purpose for which we engage them. We do not sell personal data and do not rent it to advertisers. We disclose data to law enforcement only when required by binding legal process and we challenge over-broad demands where we can.

5. retention

• Account data — kept while your account is active. After account closure: 30-day soft-delete window during which you can restore, then permanent erasure.
• Project data — same: 30-day soft-delete after you close the project, then permanent erasure including from backups within 90 days.
• Audit logs — 13 months, then rotated. Required so we can investigate security incidents that surface late.
• Function invocation logs — 7 days for free-tier projects, 30 days for paid tiers (when applicable). Customer-controlled retention is on the roadmap.
• Backups — encrypted off-site backups are kept for 30 days then rotated. A deletion request runs through the active store immediately; backup deletion follows the 30-day rotation cycle.

6. security

TLS 1.3 on every public endpoint; AES-256-GCM for project env vars at rest; bcrypt for password hashes; SHA-256 for API key hashes; constant-time comparison on every secret check. SSH access to the host is key-only; root-password authentication is disabled. Dependency updates roll weekly. No system is ever fully secure; if you discover a vulnerability, please email security@flndrn.com rather than disclosing publicly.

7. international transfers

Your data is hosted in the EU (Hostinger Frankfurt VPS). Some of our subprocessors are located outside the EU; transfers to those processors rely on Standard Contractual Clauses approved by the European Commission, supplemented where appropriate by additional technical and organisational measures (encryption at rest and in transit, minimisation of data shared with each processor). The subprocessors page notes the location of each processor.

8. your rights

Under GDPR and equivalent laws, you have the right to:

• access the personal data we hold about you;
• rectify inaccurate or incomplete data — most fields are user-editable in the Settings page;
• erase your data — open Settings → Danger zone and click delete account. We send a confirmation email the moment the request lands, soft-delete your projects and sole-owner orgs, revoke your API keys, and clear your PII (legal name, address, VAT id, display name, profile image) from our control plane. After the 30-day reversal window the row is hard-deleted and the data is unrecoverable. Multi-owner team orgs survive (you're removed from membership instead).
• port your data — briven export --with-data produces a portable JSON archive plus a pg_dump of every row;
• restrict or object to a specific processing purpose;
• withdraw any consent you previously gave;
• complainto your local data protection authority. The Operator’s lead supervisory authority is the Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit).

To exercise any of these rights, email privacy@flndrn.com. We answer within 72 hours and resolve within 30 days, extendable by 60 days for complex requests (we will tell you).

9. cookies

briven.tech sets exactly two cookies, both first-party and HTTP-only:

• briven.session — your sign-in session, sent only to briven.tech and its subdomains. Cleared on sign-out or after 30 days of inactivity.
• briven.csrf — a per-session anti-CSRF token. Cleared with the session.

We do not set advertising or analytics cookies. There is no consent banner because there is nothing to consent to that we don’t already need to operate the Service.

10. children

briven is not directed to children under 16 and we do not knowingly collect their data. If you believe a child has signed up, contact us and we will erase the account.

11. updates

Material changes to this policy will be announced on briven.tech/changelog and emailed to the address on your account at least 30 days before they take effect. The “last updated” date at the top of this page reflects the most recent version.

12. contact

Privacy questions and rights requests: privacy@flndrn.com. Until brand-fronted email is fully wired up, this address forwards to flandriendev@hotmail.com. We answer within 72 hours.