RoRvsWild

Privacy policy

Controller Information

Base Secrète Sàrl (“us”, “we”, or “our”) operates the https://rorvswild.com website and monitoring service (the “Service”).

This Privacy Policy describes how we collect, use, protect, and handle your personal information. We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR) and Swiss Federal Act on Data Protection (FADP).

1. What Information We Collect

1.1 Account Information

When you create an account:

  • Name and email address - for account management and communication
  • Password - stored encrypted, never in plain text
  • Billing address - for invoicing purposes

Legal basis: Contract performance (GDPR Art. 6(1)(b))

1.2 Payment Information

Payment card details are processed by Stripe, our PCI-compliant payment processor. We only store:

  • Last 4 digits of card number
  • Card brand (Visa, Mastercard, etc.)
  • Expiration date
  • Country

We never have access to your full card number or CVV.

Legal basis: Contract performance (GDPR Art. 6(1)(b))

1.3 Monitoring Data

When your application sends monitoring data:

  • Performance Metrics:
    • Request/job names (controller and action)
    • Response times and throughput
    • Database query performance
    • Server metrics (CPU, RAM, disk usage)
  • Error Information:
    • Exception type and message
    • Stack trace (file paths and line numbers)
    • Timestamp and deployment information
  • Request Context:
    • HTTP method and path
    • Response status code
    • Hostname

Data Filtering: We use Rails’ parameter filtering to automatically remove sensitive fields like passwords and authentication tokens from error data. However, some sensitive information may still be captured (for example, in URL parameters) if not properly handled by your application. We recommend following Rails security best practices to avoid including sensitive data in URLs or request parameters.

Legal basis: Legitimate interest (GDPR Art. 6(1)(f)) - providing the monitoring service

1.4 Session Data

  • Session tokens - to keep you logged in
  • IP address - for security
  • Browser type - for compatibility
  • Last activity timestamp - for session management

Legal basis: Legitimate interest (GDPR Art. 6(1)(f))

1.5 Usage Analytics

We collect minimal analytics:

  • Pages visited on rorvswild.com
  • Referrer
  • Browser and device information

We do NOT use Google Analytics or third-party tracking services.

Legal basis: Legitimate interest (GDPR Art. 6(1)(f))

2. How We Use Your Information

We use your data to:

  • Provide the monitoring service
  • Manage your account and process billing
  • Send transactional emails (errors, invoices, security alerts)
  • Respond to support requests
  • Improve our service

We do NOT:

  • Sell your data to third parties
  • Use your data for advertising
  • Share your data except as described here

3. Data Retention

| Data Type | Retention Period |
| --- | --- |
| Account information | Until account deletion |
| Monitoring data | 30 days |
| Session data | 1 year or logout |
| Usage analytics | 2 years |
| Invoices | 7 years after account deletion (legal requirement) |

After deletion, data is permanently removed. Backups are overwritten within 30 days.

4. Your Rights Under GDPR

To exercise any rights, contact us using the link present at the end of this document. We respond within 30 days. No fee unless your request is excessive.

4.1 Right to Access

You can request a copy of your personal data by contacting us.

4.2 Right to Rectification

Update your information in Account Settings or contact us.

4.3 Right to Erasure (“Right to be Forgotten”)

Request deletion of your personal data.

Note: Invoices must be retained for 7 years for tax compliance (anonymized).

4.4 Right to Data Portability

Receive your data in machine-readable format.

4.5 Right to Restriction of Processing

Request that we limit how we process your data. Contact us with your specific request.

4.6 Right to Object

Object to processing based on legitimate interests.

Withdraw consent for marketing communications.

Click “Unsubscribe” in any marketing email.

4.8 Right to Lodge a Complaint

Swiss Authority: Federal Data Protection and Information Commissioner (FDPIC)
Website: www.edoeb.admin.ch

EU Citizens: Your local Data Protection Authority

5. Data Sharing and Third Parties

We share data only with:

  • Stripe (Payment Processing)
    • Purpose: Process payments
    • Location: USA and Ireland (EU)
    • Protection: Standard Contractual Clauses
  • Email Service Provider
    • Purpose: Send transactional emails
    • Location: EU/Switzerland
  • Scaleway (Hosting)
    • Purpose: Server hosting
    • Location: Paris, France (EU)

We will NEVER sell your personal data.

6. Data Security

We protect your information with:

  • TLS 1.3 encryption for data in transit
  • Encryption at rest for backups
  • Firewall protection (iptables)
  • Database access restricted to authorized personnel
  • Secure password storage (bcrypt)
  • API key authentication

Your responsibility: Use strong passwords and keep API keys secure.

No system is 100% secure, but we continuously work to protect your data.

7. International Data Transfers

Primary Location: Paris, France (EU)

Transfers outside EU: Only to Stripe (USA/Ireland), protected by Standard Contractual Clauses.

8. Data Breach Notification

If a breach occurs that may affect your rights:

  • We will notify you within 72 hours
  • We will inform Swiss FDPIC as required
  • We will provide remediation steps

Report security incidents via the link at the end of this document.

9. Children’s Privacy

Our service is not for anyone under 16. If you believe a child has provided us with personal information, contact us immediately and we will delete it.

10. Communications

  • Account verification, password resets
  • Error notifications
  • Invoices and payment confirmations
  • Security alerts
  • Product updates
  • Tips and best practices
  • Company news

Unsubscribe anytime by clicking “Unsubscribe” in emails.

11. Cookies

We only use essential cookies for authentication and session management. No tracking or advertising cookies.

See our Cookies Policy for details.

12. Data Processing Agreement (DPA)

If you monitor applications that process EU citizen data, you are the Data Controller and we are the Data Processor.

Status: DPA available upon request. Contact us.

13. Updates to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements.

Changes are communicated by:

  • Updating the “Last updated” date
  • Email notification for material changes

Continued use after changes means acceptance.

14. Contact Us

For questions or requests about your personal data:

Email: Available at the end of the document.
Subject line: Include “Privacy Request” or “GDPR Request”
Response time: Within 30 days

Postal Address:
Base Secrète Sàrl
86 route de Frontenex
Geneva, Switzerland

This policy complies with:

  • EU General Data Protection Regulation (GDPR)
  • Swiss Federal Act on Data Protection (FADP)

Questions?

Contact us.
