Privacy.

What we collect, how we store it, where it lives, who else touches it, and what you can do about any of it. Written in English; the GDPR governs the substance.

v0.4 · updated · Frankfurt + Dublin

Identity

What we collect when you sign up.

We collect your email address and an optional team name. We use them for authentication, billing, and service-critical communications, such as security incidents, scheduled maintenance, and deprecations.

Billing

What touches a card.

Payment details (card numbers, bank account numbers, SEPA mandates) are processed by Stripe and never touch our servers. We retain transaction records, invoice numbers, and billing addresses for the purposes of accounting, tax compliance, and fraud detection, for as long as legally required.

Event data

What the pipeline sees.

Hosted plans pass your events through the pipeline. Event metadata (event name, source, status, latency, payload size, idempotency key, processing path) is logged for the lifetime of the event in the pipeline plus your dead-letter retention window.

Event payloads and stored entities are kept until you delete them, with no time limit on paid plans. On the free plan, entities are deleted one month after ingest.

Geolocation

What we infer from IP.

IP addresses are logged at signup and on each authentication event. They are anonymized within 7 days: IPv4 to a /24 prefix, IPv6 to a /48. We use the anonymized data for security and fraud prevention only. We do not derive marketing audience information from IP.

Tracking

Analytics and cookies.

We use Pirsch (Berlin) on the marketing site and PostHog (self-hosted in Frankfurt) on the dashboard. Both are privacy-friendly, both stay in the EU, and neither fingerprints visitors. We do not run Google Analytics, Meta pixels, LinkedIn Insight, or any third-party advertiser scripts.

We set first-party authentication and session cookies only. No third-party tracking cookies, no advertising cookies, no consent banner because no cookie we set requires consent under the ePrivacy Directive.

Use

What we do with what we have.

Service provision, authentication, billing, abuse and fraud prevention, service-critical communications, legal compliance. That is the list.

We do not use Customer data to train models. We do not sell data. We do not enrich third-party profiles with it. We do not allow a partner to do any of these on our behalf. If a future product feature would require any of the above, we will ask first and the answer is allowed to be no.

Disclosure

Who else can see your data.

Internal access to your data is limited to engineers troubleshooting an incident you have reported, or investigating abuse of the Services. Access events are logged. Outside the company, we disclose data only when legally compelled (court order, law enforcement request that meets statutory requirements), or to the subprocessors listed in the Hosting and subprocessors section for the purposes listed alongside each.

Your rights

GDPR, exercised.

As a data subject under the GDPR, you have the following rights with respect to your personal data:

i. access: Get a copy of the data we hold about you, in a readable format.
ii. correction: Update or correct what is wrong.
iii. deletion: Have your data wiped from our systems.
iv. restriction: Ask us to limit how we process your data.
v. objection: Object to processing based on legitimate interest.
vi. portability: Receive your data in a machine-readable format and move it elsewhere.
vii. complaint: File with your supervisory authority, or with the competent German state data protection authority.

Email privacy@ingestlayer.com to exercise any of these. We respond within 30 days, often the same day.

Security

How the data stays where it should.

TLS 1.3 in transit. AES-256 at rest. Encrypted database backups. Row-level isolation between teams enforced at the database layer. Provider keys you supply for the classify step (OpenAI, Anthropic, others) are encrypted with per-tenant KMS keys and never leave the region. SOC 2 Type II reports are available on the scale plan on request.

Hosting and subprocessors

Where your data lives, and who else touches it.

Primary infrastructure runs in two EU regions. Subprocessors are limited to what is necessary to operate the Services and comply with the law. The full list:

We update this list with at least 30 days' notice before a new subprocessor processes Customer data. Material changes are emailed to all account holders. A signed Data Processing Agreement is available on request via dpa@ingestlayer.com.

Retention

How long things stay.

account data: lifetime of the account, then deleted within 30 days
backups: 60 days from cancellation, then purged
event metadata: your DLQ retention window (configurable)
event payloads: kept until deleted (1 month on free)
entities: kept until deleted (1 month on free)
security logs: 12 months, then purged
invoices: 10 years (German tax law)

Contact

How to reach a person.

General questions: hello@ingestlayer.com. Privacy and GDPR requests: privacy@ingestlayer.com. Data Processing Agreements: dpa@ingestlayer.com.