Underlayer
Log inGet started

Legal

Privacy Policy

This policy explains how Underlayer collects, uses, stores, and protects personal data across the website, dashboard, billing flows, and scheduler features.

Last updated: June 1, 2026

1. Introduction

Underlayer ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, how we protect it, and your rights regarding that data when you use the Underlayer platform, website, APIs, and related services (the "Service").

By using the Service, you agree to the collection and use of information as described in this policy. Please also review our Terms and Conditions.

2. Data Controller

The data controller responsible for processing your personal data is the individual operating Underlayer as a self-employed professional (autónomo) under Spanish law:

  • Name: [NOMBRE COMPLETO]
  • Tax ID (NIF): [NIF]
  • Address: [DIRECCIÓN COMPLETA], [CIUDAD], [CP], Spain
  • Contact: privacy@underlayer.dev

3. Information We Collect

3.1 Account Information

When you register, we collect your name, email address, and authentication credentials. Authentication is managed via Supabase Auth, which may handle social login tokens (Google, GitHub) on our behalf. We may also collect a profile picture URL if provided by your social login provider.

3.2 Billing Information

Payment data is collected and processed directly by Stripe, Inc. We do not store full card numbers, CVVs, or complete payment credentials on our servers. We may receive and store a truncated card number (last 4 digits), card brand, expiration date, billing country, and billing email from Stripe for display and support purposes.

For subscription lifecycle management, we may also receive Stripe metadata and events such as customer identifiers, invoice IDs, payment status, charge outcomes, dispute indicators, and subscription renewal/cancellation timestamps.

Stripe independently acts as a data controller for certain payment data under its own policies. Please review the Stripe Privacy Policy at stripe.com/privacy.

3.3 Usage Data

  • IP address, browser type and version, operating system, and device information.
  • Pages visited, features used, click patterns, and timestamps.
  • Scheduler activity metadata: task and cron job configurations, dispatch timestamps, HTTP status codes, response times, error summaries, and retry counts.
  • API usage patterns: endpoints called, request volumes, and error rates.

3.4 Content Data

We store the Content you submit to the Service, including webhook URLs, cron expressions, task payloads, environment variables, and dispatch alert configurations. This data is stored to operate the Service on your behalf.

3.5 Cookies & Local Storage

We use strictly necessary cookies and local storage tokens for authentication and user preferences. We do not use third-party advertising or tracking cookies. No data is shared with advertising networks.

Our payment processor Stripe may set technically-necessary cookies on checkout and billing pages for fraud-prevention purposes (e.g. __stripe_mid, __stripe_sid). These cookies are strictly functional and do not track you across third-party sites for advertising.

Because we use only technically necessary cookies, a cookie consent banner is not required under Spanish law (LSSI). We continuously audit our third-party integrations to ensure this remains accurate.

⚠️ Pendiente: auditoría de cookies

Antes de lanzar, verifica con tu abogado que ninguna herramienta de analítica (Google Analytics, Hotjar, Meta Pixel, etc.) esté activa. Si incorporas cualquier cookie no estrictamente necesaria, deberás añadir una Política de Cookies separada y un banner de consentimiento.

🔶 Acción pendiente — auditar antes de ir a producción.

3.6 Communication Data

If you contact us via email or support channels, we collect and store your message content, email address, and any attachments you provide in order to respond to your inquiry.

3.7 Server Logs

Our servers automatically log certain information, including IP addresses, request timestamps, HTTP methods, URLs, status codes, user agent strings, and referrer URLs. These logs are used for security, debugging, and performance monitoring.

4. How We Use Your Information

  • Service delivery — authentication, task execution, cron scheduling, webhook dispatches, alerts, and support.
  • Billing — processing payments, managing subscriptions, generating invoices via Stripe.
  • Security — detecting and preventing unauthorized access, abuse, rate limit violations, and fraud.
  • Product improvement — aggregated, anonymized usage analysis to improve features, performance, and reliability.
  • Communications — transactional emails (alerts, invitations, receipts, security notifications) and optional product updates with your consent.
  • Legal compliance — fulfilling legal obligations, responding to lawful requests, and protecting our rights.
  • Debugging & support — investigating reported issues, reproducing bugs, and providing technical assistance.

5. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA) or UK, we process your data under the following legal bases:

  • Contract performance (Art. 6(1)(b) GDPR) — processing necessary to provide the Service you requested.
  • Legitimate interests (Art. 6(1)(f) GDPR) — security, fraud prevention, service improvement, and protecting our legal rights.
  • Consent (Art. 6(1)(a) GDPR) — optional marketing communications, which you can withdraw at any time.
  • Legal obligation (Art. 6(1)(c) GDPR) — tax, accounting, and regulatory requirements.

6. Data Sharing & Third Parties

We do not sell, rent, or trade your personal data. We share data only with the following categories of service providers, all of whom are contractually bound to protect your data:

ProviderPurposeData shared
Stripe, Inc.Payments & subscriptionsEmail, billing details, payment events
SupabaseAuthentication & databaseEmail, auth tokens, profile data
Hetzner Online GmbHInfrastructure hosting (EU)All service data (encrypted at rest)
Transactional email providerAlert & notification emailsEmail address, notification content

We may also disclose personal data if required by law, court order, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

6.1 Payment Processor Specifics (Stripe)

Stripe may process payment data in multiple jurisdictions according to its global infrastructure. Underlayer receives only limited billing data needed for account management, invoicing, fraud prevention, and customer support. Underlayer does not receive full payment instrument details.

In case of payment disputes (chargebacks), Stripe may share additional transaction evidence with us (such as invoice records and account identifiers) for dispute handling and fraud prevention.

7. International Data Transfers

Our primary infrastructure is hosted in the EU (Hetzner, Germany). Some sub-processors (e.g., Stripe, Supabase) may process data in the United States or other countries. Where data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs), adequacy decisions, or other approved transfer mechanisms to ensure adequate protection.

8. Data Retention

  • Account data — retained while your account is active, plus 30 days after deletion to allow for recovery.
  • Activity logs & dispatch history — retained per your subscription tier (7–90 days), then automatically purged.
  • Billing records & invoices — retained for 7 years to comply with tax and accounting regulations.
  • Server & security logs — retained for up to 90 days, then deleted or anonymized.
  • Support correspondence — retained for up to 2 years after ticket resolution.
  • Anonymized analytics — may be retained indefinitely as they cannot identify individuals.

When data is no longer needed, it is securely deleted or irreversibly anonymized. You may request earlier deletion as described in Section 9.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — request deletion of your personal data, subject to legal retention obligations.
  • Data portability — receive your data in a structured, machine-readable format.
  • Restriction of processing — request that we limit how we process your data.
  • Objection — object to processing based on legitimate interests.
  • Withdrawal of consent — withdraw consent at any time (without affecting prior processing).
  • Non-discrimination — we will not discriminate against you for exercising your rights (CCPA).

To exercise any of these rights, contact us at privacy@underlayer.dev. We will respond within 30 days (or sooner if required by law). We may ask you to verify your identity before processing your request.

If you are in the EU, you have the right to lodge a complaint with your local data protection authority. In Spain, this is the Agencia Española de Protección de Datos (AEPD).

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • The right to know what personal information we collect, use, and disclose.
  • The right to delete your personal information.
  • The right to opt out of the sale of personal information. We do not sell personal information.
  • The right to non-discrimination for exercising your privacy rights.
  • The right to correct inaccurate personal information.
  • The right to limit use of sensitive personal information.

To exercise these rights, contact us at privacy@underlayer.dev.

11. Security Measures

We implement industry-standard security measures to protect your data, including:

  • TLS/SSL encryption for all data in transit.
  • Encryption at rest for stored data.
  • Hashed and salted credentials (we never store passwords in plain text).
  • Role-based access controls and principle of least privilege for internal systems.
  • Regular security reviews and dependency auditing.
  • Rate limiting and abuse detection mechanisms.

While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security and shall not be liable for any unauthorized access or breach that occurs despite our reasonable efforts.

12. Children's Privacy

The Service is not directed to individuals under 18 years of age (or the age of majority in their jurisdiction). We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor without parental consent, we will take steps to delete it promptly.

13. Automated Decision-Making

We do not engage in automated decision-making or profiling that produces legal effects or similarly significant effects on you.

14. Do Not Track Signals

We do not track users across third-party websites. We do not respond to "Do Not Track" (DNT) browser signals, as there is no industry-standard for compliance. However, we do not use third-party tracking or advertising cookies.

15. Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR Art. 33). If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.

16. Third-Party Links

The Service may contain links to third-party websites or services that are not operated by us. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services. We strongly advise you to review the privacy policy of every site you visit.

17. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email or a prominent notice on the Service at least 15 days before they take effect. Your continued use of the Service after the effective date constitutes acceptance of the revised policy.

We recommend reviewing this policy periodically for any changes. The "Last updated" date at the top indicates when the latest revision was made.

18. Contact Us

For privacy-related inquiries, requests, or complaints:

See also: Terms and Conditions