GDPR AND DATA PROCESSING INFORMATION

Last Updated: April 18, 2026

This document supplements the Privacy Policy and explains how Dulvarn handles personal data under the GDPR and related data protection laws.

1. Overview of Roles

1.1 Dulvarn as controller

Dulvarn acts as a controller for personal data relating to:

  • website visitors
  • account holders and administrators
  • billing contacts
  • newsletter subscribers
  • support contacts
  • business inquiries
  • website and service security data
  • service analytics and operational records

1.2 Dulvarn as processor

Dulvarn acts as a processor when processing customer-connected service data on behalf of business customers through the product, including:

  • repository metadata
  • pull request titles
  • file names
  • diff statistics
  • connected GitHub account data
  • team and workspace configuration
  • notification endpoints
  • AI prompts and outputs derived from customer workflow data
  • logs reasonably necessary to operate, secure, and troubleshoot the service

In such cases, the customer is responsible for the lawfulness of the data it instructs Dulvarn to process and for responding to data subject requests relating to Customer Data, unless otherwise required by law.

2. Subject Matter, Nature, and Purpose of Processing

When Dulvarn acts as a processor, the subject matter of processing is the provision of the Dulvarn service, including:

  • repository and pull-request analysis
  • quality-engineering automation
  • release-control workflows
  • notifications and integrations
  • AI-assisted generation, review, repair, or reporting
  • service maintenance, security, and support

The nature of the processing may include collection, access, consultation, structuring, analysis, use, transmission, storage where necessary, deletion, and other processing required to provide the service.

3. Categories of Data Subjects

Depending on customer use, data subjects may include:

  • customer employees
  • customer contractors
  • repository contributors
  • pull request authors
  • code reviewers
  • customer administrators
  • support contacts
  • billing contacts

4. Categories of Personal Data

Depending on the configuration and customer use, personal data may include:

  • names
  • email addresses
  • company names
  • GitHub identity and OAuth-related data
  • repository metadata
  • pull request titles
  • file names
  • diff statistics
  • IP addresses
  • browser/device metadata
  • account and login data
  • support communications
  • AI prompts and outputs
  • logs and operational metadata

Dulvarn is not intended for processing special category data, and customers must not use the service for such data unless expressly agreed in writing.

5. Legal Bases Where Dulvarn Is Controller

Where Dulvarn acts as a controller, we generally rely on:

  • contract – to provide accounts, subscriptions, support, and core service functionality
  • legitimate interests – to secure, improve, administer, market, and defend the service
  • legal obligations – to comply with accounting, tax, and legal requirements
  • consent – where required, such as for certain newsletter subscriptions or non-essential tracking where applicable

6. International Data Transfers

Dulvarn primarily hosts in the EU (Germany). Some providers may involve transfers outside the EEA/UK, including to the United States, especially for:

  • Stripe
  • Cloudflare
  • Anthropic

Where required, Dulvarn uses appropriate transfer mechanisms and safeguards, including standard contractual clauses and complementary safeguards where appropriate.

7. Security Measures

Dulvarn applies technical and organizational measures appropriate to the risk, including measures such as:

  • access controls
  • authentication controls
  • logging and monitoring
  • network and infrastructure protections
  • backup procedures
  • least-privilege operational practices where feasible
  • incident handling and abuse prevention controls

No system is perfectly secure, but security is incorporated into the operational design of the service.

8. Retention and Deletion

Dulvarn retains data according to the Privacy Policy and customer contract.

Current baseline periods include:

  • up to 90 days for inactive account data after cancellation
  • 7 years for billing and tax records
  • up to 12 months for logs, backups, analytics, and support records
  • 30 days of post-trial inactivity for free trial accounts, after which they may be deleted

Where Dulvarn acts as a processor, deletion or return of Customer Data will be handled in accordance with the customer agreement, technical feasibility, legal obligations, and backup lifecycle constraints.

9. Data Subject Requests

If a request concerns data for which Dulvarn acts as a controller, requests may be sent to:

hello@dulvarn.com

If a request concerns Customer Data for which Dulvarn acts solely as a processor, Dulvarn may redirect the requester to the relevant customer controller.

10. Complaints

Individuals in the EEA may have the right to complain to their local supervisory authority. Because Dulvarn is established in the Czech Republic, the relevant supervisory authority may include the Czech data protection authority.

11. DPA Availability

A separate Data Processing Agreement (DPA) is available for business customers on request and should be entered into where required.

12. Current Core Subprocessors Summary

Current major subprocessors and infrastructure providers may include:

  • Hetzner – hosting / infrastructure
  • Stripe – payments / billing
  • Cloudflare – CDN / WAF / security
  • Resend – transactional email
  • Anthropic – AI services, where used
  • self-hosted Plausible – analytics
  • self-hosted Ollama / local models – AI processing, where used

A dedicated subprocessor page and annex should be published separately and maintained over time.