DOCKHAND PRIVACY POLICY

Last Updated: December 14, 2025
Effective Date: December 14, 2025

================================================================================

1. INTRODUCTION

This Privacy Policy describes how Finsys Jaroslaw Krochmalski ("Finsys," "we," "us," or "our") handles data in connection with the Dockhand software application ("Software"). This Policy applies to all users of the Software.

Finsys is committed to protecting your privacy and ensuring transparency about our data practices. This Policy explains that the Software operates entirely locally on your infrastructure with no data transmitted to Finsys.

2. DATA CONTROLLER INFORMATION

Finsys Jaroslaw Krochmalski
ul. Borki 6
05-119 Jozefow
Poland
VAT ID: PL7121835977
REGON: 061576391
Email: enterprise@dockhand.pro
Website: https://dockhand.pro

For the purpose of the General Data Protection Regulation (GDPR) and other applicable data protection laws, Finsys is NOT the data controller for any personal data processed through your installation of the Software. You (the user or your organization) are the data controller for all data stored in your Software installation.

3. OUR FUNDAMENTAL PRINCIPLE: LOCAL-ONLY DATA

The Software is designed with privacy as a core principle:

- ALL DATA STAYS LOCAL: The Software stores all data exclusively on your infrastructure (your servers, your databases, your storage).
- NO DATA TRANSMISSION: The Software does not transmit any data to Finsys servers, third-party servers, or any external services.
- NO TELEMETRY: The Software contains no telemetry, analytics, usage tracking, crash reporting, or any other data collection mechanisms.
- FULLY SELF-CONTAINED: The Software operates entirely within your infrastructure without requiring any connection to Finsys systems.
- FINSYS HAS NO ACCESS: Finsys cannot access, view, retrieve, or process any data stored in your Software installation.

4. DATA PROCESSED BY THE SOFTWARE

When you use the Software, the following types of data may be stored LOCALLY on your infrastructure:

4.1 User Account Data

- Usernames and email addresses
- Password hashes (never stored in plain text)
- Multi-factor authentication (MFA) secrets (Enterprise Edition)
- User profile information and avatars
- Role assignments and permissions (Enterprise Edition)

4.2 Authentication Data

- Session tokens and cookies
- OIDC/SSO tokens and provider configurations
- LDAP/Active Directory connection settings (Enterprise Edition)
- API tokens for remote access

4.3 Docker Environment Data

- Docker host connection details (URLs, ports, socket paths)
- Docker container information (names, IDs, configurations)
- Container logs and metrics
- Image and volume data
- Network configurations
- Compose stack definitions

4.4 Git Integration Data

- Git repository URLs and credentials
- SSH keys and access tokens
- Deployment webhooks

4.5 Registry Data

- Docker registry URLs and credentials
- Image pull/push history

4.6 Activity and Audit Data

- User activity logs
- Container events and operations
- Audit trails (Enterprise Edition)

4.7 Application Settings

- General configuration preferences
- Notification channel settings (SMTP, webhooks)
- Scheduled task configurations

All of the above data is stored exclusively in your local database (SQLite or PostgreSQL) and on your local filesystem. None of this data is transmitted to or accessible by Finsys.

5. HOW DATA IS STORED

5.1 Database Storage

The Software uses either SQLite or PostgreSQL as configured by you:

- SQLite: Data stored in a local file on your server
- PostgreSQL: Data stored in your PostgreSQL database instance

5.2 File Storage

Certain data is stored in the local filesystem:

- Compose stack files
- Uploaded files (e.g., user avatars)
- Temporary files during operations

5.3 Encryption

- Passwords are hashed using secure algorithms (Argon2id)
- Sensitive credentials may be encrypted at rest depending on your database configuration
- You are responsible for implementing disk encryption, database encryption, and network security for your infrastructure

6. YOUR RESPONSIBILITIES AS DATA CONTROLLER

Since all data is stored locally on your infrastructure, YOU are the data controller for purposes of GDPR and other data protection laws. As data controller, you are responsible for:

6.1 Legal Basis for Processing

Ensuring you have a valid legal basis for processing personal data of your users (e.g., consent, legitimate interest, contractual necessity).

6.2 Data Subject Rights

Responding to data subject requests including:

- Right of access (Article 15 GDPR)
- Right to rectification (Article 16 GDPR)
- Right to erasure (Article 17 GDPR)
- Right to restriction of processing (Article 18 GDPR)
- Right to data portability (Article 20 GDPR)
- Right to object (Article 21 GDPR)

6.3 Security Measures

Implementing appropriate technical and organizational measures to protect personal data, including:

- Access controls and authentication
- Encryption of data at rest and in transit
- Regular security updates and patches
- Backup and disaster recovery procedures
- Network security (firewalls, VPNs, etc.)

6.4 Data Retention

Establishing and implementing appropriate data retention policies.

6.5 Breach Notification

Notifying supervisory authorities and affected individuals in case of a personal data breach, as required by applicable law.

6.6 Privacy Notices

Providing appropriate privacy notices to your users regarding how their data is processed within the Software.

7. DATA WE DO NOT COLLECT

To be absolutely clear, Finsys does NOT collect, receive, access, or process ANY of the following:

- Your identity or contact information (unless you contact us directly)
- Your Docker infrastructure information
- Your container configurations or data
- Your user accounts or credentials
- Your activity logs or audit trails
- Your git repositories or deployment data
- Usage statistics or analytics
- Error reports or crash data
- Any telemetry or diagnostic data
- Any data whatsoever from your Software installation

8. WHEN FINSYS MAY RECEIVE DATA

The only circumstances in which Finsys may receive data from you are:

8.1 Direct Communication

When you voluntarily contact us via email (enterprise@dockhand.pro), we receive and process the information you provide (name, email address, message content). This data is processed for the purpose of responding to your inquiry based on our legitimate interest in providing customer support.

8.2 License Purchase

When you purchase an Enterprise Edition license, we collect and process:

Data Collected:

- Name and/or company name
- Email address
- Billing address
- Payment information (processed by payment provider)
- Licensed hostname/identifier

Legal Basis (GDPR Article 6):

- Contract performance (Art. 6(1)(b)) - to fulfill the license agreement
- Legal obligation (Art. 6(1)(c)) - for invoicing and tax records

How We Use This Data:

- To issue and deliver your License Key
- To send license renewal reminders
- To provide support related to your license
- To comply with tax and accounting obligations

Data Retention:

- License and invoice records: 7 years (Polish tax law requirement)
- Email correspondence: 3 years after last contact

Data Sharing:

- Payment processor (for payment transactions only)
- No other third parties
- No marketing or advertising use

8.3 Website Visits

If you visit our website (https://dockhand.pro), standard web server logs may be collected. See our website privacy policy for details.

9. LICENSE KEY DATA

Enterprise Edition License Keys contain:

- Customer name (as registered)
- Licensed hostname or identifier
- Expiration date
- Cryptographic signature

This information is embedded in the License Key itself and stored locally in your Software installation. Finsys retains a record of issued licenses for license management purposes.

10. INTERNATIONAL DATA TRANSFERS

Since all Software data is stored locally on your infrastructure, no international data transfers occur through the Software itself.

If your infrastructure is located outside the European Economic Area (EEA), you are responsible for ensuring appropriate safeguards for any personal data stored therein.

11. DATA RETENTION

11.1 Software Data

You control the retention of all data in your Software installation. The Software does not automatically delete data unless you configure retention policies or manually delete data.

11.2 Communication Data

If you contact us directly, we retain correspondence for as long as necessary to respond to your inquiry and for our records, typically not exceeding 3 years unless required for legal purposes.

11.3 License Records

We retain license purchase and activation records for the duration required by tax and accounting regulations (typically 5-7 years).

12. CHILDREN'S PRIVACY

The Software is not intended for use by children under 16 years of age. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided personal data to us through direct communication, please contact us.

13. THIRD-PARTY SERVICES

13.1 Software Integrations

The Software may connect to third-party services as configured by you:

- Docker registries
- Git repositories (GitHub, GitLab, etc.)
- OIDC/SSO providers
- LDAP/Active Directory servers
- Notification services (SMTP, Discord, Slack, etc.)

These connections are initiated by you, configured by you, and occur between your infrastructure and these third-party services. Finsys is not involved in these connections and has no access to the data exchanged.

The privacy policies of these third-party services apply to your use of them.

13.2 No Hidden Third-Party Data Sharing

The Software does not share any data with third parties on our behalf. There are no embedded analytics services, advertising networks, or data brokers within the Software.

14. SECURITY

14.1 Software Security

We implement security measures in the Software design:

- Secure password hashing (Argon2id)
- Session management with secure tokens
- Input validation and sanitization
- Protection against common web vulnerabilities

14.2 Your Security Responsibilities

Since all data is stored on your infrastructure, you are responsible for:

- Keeping the Software updated
- Securing your server and database
- Implementing network security measures
- Managing user access and authentication
- Creating and securing backups

15. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. Material changes will be communicated through:

- Updated "Last Updated" date at the top of this Policy
- Notice on our website
- Notice within the Software (for significant changes)

We encourage you to review this Privacy Policy periodically.

16. GDPR COMPLIANCE

Finsys complies with the General Data Protection Regulation (EU) 2016/679.

Summary of Our Data Processing:

- We only collect personal data (email, name) when you purchase a license
- Legal basis: Contract performance and legal obligation
- Data is stored securely in the EU (Poland)
- Retention: 7 years for tax records, 3 years for correspondence
- No automated decision-making or profiling
- No data sold or shared for marketing purposes

Your GDPR Rights (Articles 15-22):

You have the right to access, rectify, erase, restrict processing, data portability, and object to processing of your personal data.

To exercise any of these rights, contact: enterprise@dockhand.pro

We will respond within 30 days as required by GDPR.

17. YOUR RIGHTS

If you are located in the European Economic Area (EEA), United Kingdom, or other jurisdiction with data protection laws, you have rights regarding personal data we hold about you (from direct communications or license purchases):

- Access: Request access to personal data we hold about you
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your data
- Restriction: Request restriction of processing
- Portability: Request a copy of your data in portable format
- Objection: Object to processing based on legitimate interests
- Complaint: Lodge a complaint with a supervisory authority

To exercise these rights, contact us at enterprise@dockhand.pro.

Note: These rights apply to data WE hold (from direct communication or license purchases), not to data in YOUR Software installation. For data in your installation, YOU are the data controller and responsible for handling such requests from your users.

18. SUPERVISORY AUTHORITY

If you are located in Poland, the relevant supervisory authority is:

Urzad Ochrony Danych Osobowych (UODO)
ul. Stawki 2
00-193 Warszawa
Poland
https://uodo.gov.pl

If you are located in another EEA country, you may contact your local data protection authority.

19. CONTACT US

For any privacy-related questions, concerns, or requests:

Finsys Jaroslaw Krochmalski
ul. Borki 6
05-119 Jozefow
Poland
Email: enterprise@dockhand.pro
Website: https://dockhand.pro

================================================================================

SUMMARY

Dockhand is a privacy-respecting application:

- All data stays on YOUR infrastructure
- NO data is sent to Finsys servers
- NO telemetry or analytics
- YOU are the data controller for your installation
- Finsys has NO access to your data

We believe privacy is a fundamental right, and we have designed Dockhand to respect that right by ensuring you maintain complete control over your data at all times.

================================================================================

Copyright (c) 2025-2026 Finsys Jaroslaw Krochmalski. All rights reserved.