Privacy Policy
Last updated: 17 June 2026
This Privacy Policy describes how ChromaHost ("we", "us", "our") collects, uses, and protects personal data when you use the ChromaHost service ("the Service"). The Service is operated from Croatia, an EU member state, and is fully subject to the General Data Protection Regulation (GDPR).
Your data controller is: justzvan, reachable at gdpr@chromahost.xyz
1. Data We Collect
1.1 Account Data
When you register with email and password:
- Email address — used to identify your account and contact you about the Service
- Password — stored as an argon2id hash; we never store the plaintext password
When you register or sign in with Hack Club OAuth:
- Email address — as above
- Slack ID — linked to your Hack Club identity
- Verification status — whether Hack Club has verified your identity
- YSWS eligibility — whether you are eligible for the Hack Club plan
1.2 SSH Keys
Public SSH keys you upload to the dashboard. Used to authenticate Git push access to your projects.
1.3 API Keys
API keys you generate in the dashboard. Stored as plaintext (you are responsible for keeping them secret). Used to authenticate webhook redeploy requests.
1.4 Projects and Domains
Project names, Git repository URLs, domain names, port mappings, and source code you deploy. Stored to operate your hosting environment.
1.5 Session Data
Session tokens stored in a database-backed HTTP cookie. Used to keep you logged in. Expire automatically when you log out or after an inactivity period.
1.6 Log Data
Server-side access logs may include IP addresses, request paths, and timestamps. Retained for up to 30 days for security and operational purposes. IP addresses may be retained beyond this period if associated with a breach of our Terms of Service (e.g. abuse, DDoS, spam).
2. Deployment Regions
The Service operates across multiple cloud regions. When you create a project, you choose the region where it is deployed. Your project data — including source code, build output, and container state — is stored in the region you select. By choosing a region, you consent to your data being processed in that location.
All regions are operated by us or our infrastructure providers under data processing agreements that ensure GDPR compliance.
3. Legal Basis for Processing
| Data | Legal basis |
|------|------------|
| Account data | Performance of a contract (Art. 6(1)(b) GDPR) |
| SSH keys, API keys, projects, domains | Performance of a contract |
| Session tokens | Performance of a contract |
| Log data | Legitimate interests (Art. 6(1)(f) GDPR) — security and abuse prevention |
| Hack Club OAuth data (Slack ID, verification, YSWS) | Performance of a contract; your explicit consent via the OAuth flow |
4. How We Use Your Data
- Operate and deliver the Service (container hosting, reverse proxying, webhook redeploys)
- Authenticate your identity and manage sessions
- Enforce plan limits and eligibility requirements
- Detect and prevent abuse
- Comply with legal obligations
We do not sell your data. We do not use your data for advertising.
5. Data Processors
| Processor | Purpose | Location | Transfer mechanism |
|-----------|---------|----------|--------------------|
| Hack Club (HCB) | OAuth authentication — provides email, Slack ID, verification status, YSWS eligibility when you sign in with Hack Club | United States | Standard Contractual Clauses |
| Infrastructure providers (per-region) | Host compute nodes and store project data in your chosen deployment region | Varies by region | GDPR-compliant data processing agreements |
Processors do not use your data beyond the specific purpose for which they receive it.
6. Data Sharing
We do not share your personal data with third parties beyond the processors listed above, except:
- Legal obligations — if required by law, court order, or governmental authority within the EU.
7. Data Retention
| Data | Retention |
|------|-----------|
| Account data | Until you delete your account |
| SSH keys, API keys, projects | Until you delete them or delete your account |
| Session tokens | Until you log out or account deletion |
| Log data | Up to 30 days (longer if tied to a ToS breach) |
After account deletion, your data is removed within 30 days.
8. Your Rights
Under GDPR (Articles 15-22), you have the following rights:
- Access (Art. 15) — request a copy of all personal data we hold about you
- Rectification (Art. 16) — ask us to correct inaccurate data
- Erasure (Art. 17) — ask us to delete your data ("right to be forgotten")
- Restriction (Art. 18) — ask us to restrict processing in certain circumstances
- Portability (Art. 20) — receive your data in a structured, machine-readable format
- Objection (Art. 21) — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
You can exercise the most common rights directly in your account, without contacting us:
- Export your data — Dashboard → Settings → Privacy & Data → "Export my data" downloads a complete JSON copy of your personal data (access and portability).
- Delete your account — Dashboard → Settings → Danger Zone permanently erases your account and all associated data (right to erasure).
For any other request, email gdpr@chromahost.xyz. We will respond within 30 days.
You have the right to lodge a complaint with your national supervisory authority. In Croatia: Agencija za zaštitu osobnih podataka (AZOP), azop.hr. In other EU member states: your national data protection authority.
9. Data Security
We use industry-standard measures to protect your data:
- Passwords hashed with argon2id
- HTTPS for all data in transit
- Database access restricted to the application server
No method of transmission or storage is 100% secure. We cannot guarantee absolute security.
10. Cookies
We use a single session cookie to keep you logged in. It is strictly necessary for the Service to function. We do not use tracking, analytics, or advertising cookies.
11. Children
The Service is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, contact us at gdpr@chromahost.xyz and we will delete it.
12. Changes to This Policy
We may update this Policy from time to time. We will update the "Last updated" date above when we do. Continued use of the Service after changes constitutes acceptance.
13. Contact
For all privacy and data protection inquiries, including GDPR requests:
gdpr@chromahost.xyz