Privacy Policy
We collect what we need to run ChartlessOps for you (account, workspace, billing, the metrics data we pull from your sources) and nothing else. We don’t sell data. We don’t use your metrics to train models. You can export everything and email our DPO directly.
This Privacy Policy describes how ChartlessOps B.V. processes personal data in the course of operating the ChartlessOps platform. We are the controller for the data described in section 2 unless otherwise noted, and we operate from Amsterdam, the Netherlands, under the General Data Protection Regulation (EU 2016/679) and the Dutch GDPR Implementation Act (Uitvoeringswet AVG).
01 Who we are
ChartlessOps B.V., KvK 79482103, Keizersgracht 391, 1016 EJ Amsterdam, the Netherlands. Our Data Protection Officer is Sanne van der Meer, reachable at dpo@chartlessops.com.
02 What we collect
- Account data: email, name, hashed password, workspace membership, OAuth identity (if you signed in via Google), SAML attributes (if SSO).
- Billing data: billing email, address, VAT number, payment method tokens held by Stripe (we do not store card numbers).
- Workspace data: workspace name, members, chartlessops.yml configuration.
- Metrics data: the time-series values we pull from your data sources (Prometheus, Datadog, etc.) to compute signals. We act as a processor for this category.
- Activity data: who viewed which signal, when. Retained 30 days for security; aggregated indefinitely.
- Source credentials: API tokens, IAM role ARNs, etc. for the systems we pull from. Encrypted at rest with envelope encryption; never logged.
03 Why we collect it
- To provide the Service you requested (legal basis: contract).
- To bill you (legal basis: contract).
- To detect abuse and protect platform integrity (legal basis: legitimate interest).
- To comply with Dutch tax and accounting law (legal basis: legal obligation).
04 How it is shared
We do not sell personal data. We do not share it for advertising. We share data with a small list of subprocessors who help operate the Service:
- Stripe Payments Europe Ltd — billing (Ireland).
- Amazon Web Services EMEA — primary infrastructure (Frankfurt + Dublin).
- Postmark (ActiveCampaign LLC) — transactional email (US, SCCs in place).
- Plausible Insights OÜ — cookie-free analytics for the marketing site (Estonia).
- Sentry GmbH — error tracking with EU data residency option (US, SCCs in place).
The current list is maintained at /subprocessors. We notify Enterprise customers at least 30 days before adding a new subprocessor.
05 Where it’s stored
Primary data is stored in AWS Frankfurt (EU-Central). Backups are replicated to AWS Dublin (EU-West). Metrics data is stored encrypted at rest. Enterprise customers may request EU-only data residency with no backup outside the EU.
06 Retention
- Account & billing data: for the life of your account and 7 years after closure (Dutch tax law).
- Metrics data: per your plan’s history window (30 / 90 days / configurable).
- Activity logs: 30 days in detailed form, indefinitely as monthly aggregates.
- Support communications: 24 months.
07 Your rights
Under GDPR you have the right to access, rectify, erase, restrict, port, and object to processing of your personal data. You can exercise most of these from the workspace settings. To exercise any of them by other means, email dpo@chartlessops.com — we respond within 30 days at no charge for the first request in any 12-month period.
You can also lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens / AP) at autoriteitpersoonsgegevens.nl.
08 Security
All data is encrypted in transit (TLS 1.3, modern cipher suites only) and at rest (AES-256-GCM). Source credentials use envelope encryption with KMS-managed keys and are never logged. Production access is restricted to Pieter and Sanne, gated by hardware security keys, and logged.
Security disclosures are welcomed at security@chartlessops.com and our PGP key is at /.well-known/security.txt. We don’t run a paid bug bounty but we credit researchers.
09 Cookies
The dashboard uses a single first-party session cookie for authenticated sessions. We do not set advertising or third-party tracking cookies. Plausible Analytics is configured for cookie-less measurement.
10 DPO contact
Sanne van der Meer acts as our Data Protection Officer. Reach her at dpo@chartlessops.com or by post at the address in section 1.
We will post material changes to this Policy at least 30 days before they take effect, and email account holders.