DxCore Privacy Policy

1. Data Controller

The data controller responsible for your personal data is:

Eyal Lapid
Contact: privacy@dxcore.dev

For all privacy-related requests, including data subject rights requests, please contact us at privacy@dxcore.dev. We aim to respond within 30 days.


2. Data We Collect

We collect only the personal data that is necessary to provide, operate, and improve the DxCore CI/CD service. We do not sell your personal data.

Category | Data Collected
Account | Email address, full name, hashed password
Organization | Organization name, URL slug, membership roles
Authentication | API tokens (hashed; only a short prefix stored for identification), session tokens
CI/CD Operational | Task names, package names, task durations, exit codes, shard information
Agent Metadata | Agent identifier, CPU core count, memory, disk space, user-defined tags
Run Metadata | Run status, timestamps, cached task counts, session identifiers
Technical | IP addresses, browser user-agent strings
Billing | Subscription plan, billing status (payment details handled by Polar)

Passwords and API tokens are cryptographically hashed before storage and are never stored in plaintext.

Our legal bases for processing are contractual necessity (for account, organization, authentication, and billing data) and legitimate interest (for operational, agent, run, and technical data necessary to provide and secure the service). Details are available upon request at privacy@dxcore.dev.


3. Data We Do NOT Collect

We have deliberately designed DxCore to avoid collecting sensitive build-time data. The following data is never collected, stored, or transmitted to our servers:

  • Source code — Your source code is never transmitted to DxCore servers. Build agents run on your own infrastructure and interact only with the coordinator for task scheduling and status reporting.
  • Build logs — Log output from build steps is streamed directly within your infrastructure and is not stored on our servers.
  • Build artifacts — Compiled binaries, packages, or any other build outputs are not handled or stored by DxCore.
  • Secrets and credentials — Environment variables, API keys, certificates, and any credentials used in your build pipelines are never processed or stored by DxCore.
  • Special category or sensitive data — We do not collect health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, financial data, or any other special category data under GDPR Article 9 or equivalent data under applicable law.

4. How We Use Data

We use the data we collect solely for the following purposes:

  1. Providing and operating the CI/CD service — Authenticating users, routing build tasks to available agents, tracking run status, and delivering results to your dashboard.
  2. Task scheduling optimization — We use historical task performance data to optimize task scheduling and reduce pipeline time.
  3. Account and organization management — Creating and maintaining user accounts, managing organization memberships and roles, and enforcing access controls.
  4. Transactional email communications — Sending account confirmation, password reset, and service notifications via Postmark. We do not send marketing emails unless you have separately opted in.
  5. Service reliability and improvement — Analyzing aggregated run metadata and agent performance data to identify bottlenecks, improve scheduling algorithms, and maintain service uptime.
  6. Security monitoring and abuse prevention — Using IP addresses and user-agent data to detect unauthorized access, brute-force attempts, and abuse of the service.

We do NOT use any of your data to train, fine-tune, or otherwise improve artificial intelligence or machine learning models, whether operated by us or by any third party.


5. Sub-processors

We use the following sub-processors to deliver the service. Each sub-processor has been evaluated for GDPR compliance and operates under a data processing agreement.

Sub-processor | Location | Role | Legal Mechanism
DigitalOcean | Netherlands (AMS3 region, EU) | Cloud infrastructure hosting — servers, databases, object storage, networking | EU hosting; DPA in place
Postmark (by ActiveCampaign) | United States | Transactional email delivery | SCCs
Polar | United States | Payment processing — Merchant of Record for subscriptions and one-time purchases | SCCs; MoR handles payment card data independently

Planned sub-processors (not yet active — users will be notified before activation):

  • Observability platform (e.g., Sentry, Datadog, or SigNoz) — error tracking and performance monitoring
  • AI providers (Anthropic, OpenAI, Google) — if/when AI-assisted features are introduced

We will notify users by email and update this policy at least 14 days before any new sub-processor is activated that involves processing of personal data.


6. International Data Transfers

Primary hosting is in the EU (DigitalOcean AMS3, Amsterdam, Netherlands). For most users, your data does not leave the EU/EEA during normal operations.

Israel has been recognized as providing an adequate level of data protection by the European Commission (adequacy decision renewed January 2024), so transfers between the EU and Israel do not require additional safeguards.

United States transfers: When data is processed by Postmark or Polar (both US-based), we rely on Standard Contractual Clauses (SCCs) as adopted by the European Commission, and where applicable, the EU–US Data Privacy Framework (DPF). Copies of applicable SCCs are available on request at privacy@dxcore.dev.


7. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy, or as required by applicable law.

Data Category | Retention Period
Account data (name, email, hashed password) | Retained while the account is active, plus 30 days after account deletion to allow for recovery
Organization data (org name, slug, roles) | Retained while the organization is active; deleted upon organization termination
CI/CD operational data (task names, durations, exit codes) | Retained for 12 months from creation, then deleted or anonymized
Agent metadata | Retained while the agent is registered; deleted upon agent deregistration
Run metadata | Retained for 12 months from run completion, then deleted or anonymized
Server logs (IP, user-agent, request logs) | 90-day rolling retention
Payment records | Retained per Polar's terms and applicable tax law (typically 7 years)
Authentication tokens (API, session) | Deleted immediately upon revocation or expiration

Upon account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law or for legitimate dispute resolution purposes.


8. Your Rights

Depending on where you are located, you may have the following rights regarding your personal data:

  • Access — Request a copy of the personal data we hold about you.
  • Correction — Request correction of inaccurate or incomplete data.
  • Deletion — Request deletion of your personal data, subject to legal retention obligations.
  • Data portability — Request your data in a structured, machine-readable format.
  • Restrict processing — Request that we limit how we process your data.
  • Object to processing — Object to processing based on legitimate interest.
  • Withdraw consent — Where processing is based on consent, withdraw it at any time.
  • Lodge a complaint — File a complaint with your local data protection authority.

We do not make decisions based solely on automated processing that produce legal or similarly significant effects on you. We do not sell your personal information.

How to exercise your rights: Submit a request to privacy@dxcore.dev. We will respond within 30 days (extendable by up to two additional months for complex requests). We may need to verify your identity before processing requests.


9. Cookies

We use only essential cookies required for the operation of the service. We do not use tracking, advertising, or analytics cookies.

Essential cookies used:

  • Session cookie — Maintains your authenticated session after login.
  • CSRF token cookie — Protects against cross-site request forgery attacks.

For full details, including cookie names, lifetimes, and purposes, please see our separate Cookie Policy.


10. Children's Privacy

DxCore is a professional CI/CD tool intended for software development teams and is not directed at children. We do not knowingly collect personal data from individuals under 18 years of age.

By creating an account, you confirm that you are at least 18 years old (or the age of majority in your jurisdiction, if higher). If we become aware that we have collected personal data from a person under 18, we will delete that data promptly. If you believe a minor has provided us with personal data, please contact us at privacy@dxcore.dev.


11. Security Measures

We implement technical and organizational security measures appropriate to the risk, including:

  • Encryption in transit — All data is encrypted using TLS 1.2 or higher.
  • Cryptographic hashing — Passwords and API tokens are cryptographically hashed before storage.
  • Access controls — Access to production systems is restricted to authorized personnel using strong authentication.
  • Data minimization — We collect only the data necessary for the service (see Section 3).
  • Vulnerability management — We monitor for security vulnerabilities and apply patches in a timely manner.

No security measure is 100% guaranteed. If you discover a security vulnerability, please report it responsibly to security@dxcore.dev.


12. Security Breach Notification

In the event of a personal data breach, we will:

  • Notify the relevant supervisory authorities within 72 hours where the breach is likely to pose a risk to individuals.
  • Notify affected individuals without undue delay where the breach poses a high risk, describing the nature of the breach, likely consequences, and measures taken.
  • Document all breaches and remedial actions in an internal breach register.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the services we offer.

  • Material changes (e.g., new categories of data collected, new sub-processors, changes to legal bases, changes to retention periods) — We will notify you by email at least 14 days before the changes take effect.
  • Non-material changes (e.g., clarifications, corrections, formatting updates) — Changes will take effect immediately upon publication, with the "Last updated" date revised accordingly.

We encourage you to review this policy periodically. The current version is always available at https://dxcore.dev/legal/privacy.


Version 1.0 — Last updated: April 2026