# Privacy Policy
Effective date: 8 April 2026
This privacy policy explains how Fundamental Software SAS ("we", "us", "machine0") collects, uses, and protects your personal data when you use machine0.io and the machine0 CLI.
Fundamental Software SAS, RCS 102 706 348 R.C.S. Annecy, 74310 Les Houches, France. Contact: [email protected]
## 1. Roles and Scope
- machine0 as data controller: We are the data controller for the personal data you provide to create and manage your machine0 account (identity, authentication, billing, and infrastructure metadata described below).
- machine0 as data processor: We are a data processor for any data you store on your virtual machines. We do not access or inspect the contents of customer VMs unless you explicitly invoke a remote execution feature (such as SSH command execution via MCP). In those cases, command output is relayed to your client in real time and is not stored or logged by machine0.
- HTTP proxy: When you enable the HTTP proxy feature, web traffic to your VM transits our infrastructure. This traffic is forwarded in real time and is not stored, logged, or inspected.
This policy covers only data machine0 collects directly. It does not cover data you place on your VMs.
## 2. Data We Collect
| Category | Data | Legal Basis | Retention |
|---|---|---|---|
| Account identity | Email address, display name, profile image | Contract performance (Art. 6(1)(b)) | Duration of account + 30 days after deletion |
| Authentication | Session tokens (with IP address and user agent), OAuth tokens, hashed passwords, API keys | Contract performance (Art. 6(1)(b)) | Sessions: until expiry or logout. Passwords and API keys: until changed or account deleted. OAuth tokens: until revoked or account deleted. |
| SSH keys | Full SSH public key (public keys are not secret). For managed keys, the private key is stored encrypted at rest and is retrievable via the API. | Contract performance (Art. 6(1)(b)) | Until deleted by user or account deletion + 30 days |
| Billing | Stripe customer ID, wallet transactions, bandwidth measurements | Contract performance (Art. 6(1)(b)) + Legal obligation (Art. 6(1)(c), French Commercial Code Art. L123-22) | Transaction records: 10 years. Stripe customer ID: duration of account. |
| Infrastructure metadata | VM IP addresses, names, regions, sizes | Contract performance (Art. 6(1)(b)) | Duration of resource existence + 90 days after destruction |
| Request logs | HTTP method, path, status code, response duration, user ID, IP address | Legitimate interest (Art. 6(1)(f)), security and abuse prevention | 90 days |
| Analytics | User actions, IP address (via Segment, when configured) | Legitimate interest (Art. 6(1)(f)) | 90 days |
| Error tracking | Error context and metadata (via Sentry, when configured) | Legitimate interest (Art. 6(1)(f)) | 90 days |
## 3. How We Use Your Data
- To provide, maintain, and improve the machine0 service
- To authenticate you and secure your account
- To bill you accurately for resource usage
- To detect and prevent abuse, fraud, and security incidents
- To comply with legal obligations (tax, accounting)
## 4. Sub-processors
We share personal data with the following sub-processors:
| Processor | Purpose | Location |
|---|---|---|
| Railway | Application hosting, database, cache | US |
| DigitalOcean | VM infrastructure (compute, storage, networking) | Per region selected |
| Cloudflare | DNS and network proxy | Global (Anycast) |
| Stripe | Payment processing | US |
| Resend | Transactional email delivery | US |
| Google | OAuth authentication (when you sign in with Google) | US |
| Segment (optional) | Product analytics | US |
| Sentry (optional) | Error monitoring | US |
We maintain data processing agreements with each sub-processor that include GDPR-compliant terms. We will notify customers of material changes to sub-processors. Our Data Processing Agreement is available for review.
## 5. International Transfers
- Account data (email, billing, sessions, SSH keys) is hosted on Railway infrastructure in the United States.
- VM data resides in the region you select when creating a VM.
- Transactional email is sent via Resend (US).
- Transfers to the United States rely on sub-processor data processing agreements incorporating Standard Contractual Clauses (SCCs) or applicable adequacy decisions.
## 6. Your Rights
Under the GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data (right to be forgotten)
- Restrict processing
- Receive your data in a machine-readable format (data portability)
- Object to processing based on legitimate interest
- Withdraw consent where processing is based on consent
- Lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés) or your local supervisory authority
Contact [email protected] to exercise any of these rights. We will respond within 30 days.
## 7. Security
We implement the following measures to protect your data:
- Encryption in transit (TLS for all API traffic, SSH for VM access)
- Passwords hashed with bcrypt
- Managed SSH private keys encrypted at rest (AES)
- Session-based authentication with automatic expiry
- SSH-only VM access with password authentication disabled
- Rate limiting on authentication endpoints
## 8. Data Breach Notification
We will notify affected users and the relevant supervisory authority within 72 hours of becoming aware of a personal data breach, as required by Articles 33 and 34 of the GDPR.
## 9. Changes to This Policy
We may update this policy. Material changes will be communicated via email to the address associated with your account. Continued use of the service after notification constitutes acceptance of the updated policy.
## 10. Contact
Fundamental Software SAS, 74310 Les Houches, France. Email: [email protected]