Privacy Policy
Last updated: 20 May 2026 · Effective: 20 May 2026
This Privacy Policy explains how eMariners Inc, a company incorporated in Dubai, United Arab Emirates ("Stashbase", "we", "us") collects, uses, shares, and protects personal data in connection with the Stashbase service available at stashbase.io and app.stashbase.io (the "Service").
This policy is written to be GDPR-aware and applies globally. Where the General Data Protection Regulation (EU 2016/679) ("GDPR") applies to a person whose data we process, we will honour the rights it creates.
1. Who is responsible for your data
For data we collect from visitors to our marketing site and account holders (e.g., signup details, billing data), we act as the data controller.
For data you upload into your Stashbase projects — including end-user data of applications you build on Stashbase — we act as the data processor. You are the controller for that data, and you are responsible for having a lawful basis to process it and for honouring the rights of the individuals concerned. A Data Processing Addendum (DPA) is available for paid customers on request.
2. What data we collect
Account & billing data
- Email address, name (if provided), hashed password or OAuth identifier
- Organisation name, billing address, VAT/TRN number
- Payment method metadata (handled by our payment processor — we never see full card numbers)
Usage data
- Project metadata: project names, table names, row counts, storage usage
- API request logs: timestamp, method, path, status code, IP address, response time (retained 30 days)
- Dashboard activity: pages visited, features used, errors encountered
Customer Data (you control this)
- Whatever schema and rows you create inside your projects, including auth users of your applications
- Files and backups you upload
Cookies & similar technologies
We use a small set of strictly-necessary cookies on the marketing site and dashboard:
- sb-session — authentication session (HttpOnly, Secure, SameSite=Lax)
- sb-csrf — CSRF protection token
- sb-prefs — non-essential UI preferences (theme, sidebar state). Set only after you change a preference.
We do not use third-party advertising cookies, behavioural tracking, or cross-site analytics that profile you. We do not require a cookie banner because we do not set non-essential cookies on first load.
3. Why we process your data (legal bases)
Under the GDPR, the legal bases on which we rely are:
- Performance of a contract — to provide the Service you signed up for (account, projects, billing, support).
- Legitimate interests — to keep the Service secure (e.g., rate limiting, fraud prevention), to operate and improve it, and to communicate service notices. We have balanced these against your privacy rights and believe the impact is minimal.
- Legal obligation — to retain tax records, respond to lawful requests, and meet other compliance duties.
- Consent — for any optional marketing emails (you may opt out at any time via the unsubscribe link).
4. How we share data
We do not sell your data and we do not share it for advertising. We disclose it only to:
- Subprocessors we use to run the Service (listed below in section 9);
- Professional advisers (legal, tax, accounting) under confidentiality;
- Authorities, where compelled by law or a binding court order — we'll push back on overbroad requests and notify you where lawful.
5. Data retention
- Account data: kept while your account is open.
- After account closure: project data and account profile are retained for 30 days in case you reactivate, then permanently deleted from production systems.
- Backups: rolling 30-day retention, so all traces of deleted data age out within 30 days of deletion.
- API request logs: 30 days.
- Billing records: kept for the period required by UAE/UK/EU accounting and tax law (typically 5–7 years), in invoice form only.
6. Your rights under the GDPR
If the GDPR applies to you, you have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate or incomplete data;
- Erase ("be forgotten") data we no longer need a legal basis to hold;
- Restrict processing in certain circumstances;
- Portability — receive your data in a structured, commonly-used, machine-readable format;
- Object to processing based on legitimate interests, including profiling;
- Withdraw consent at any time, without affecting the lawfulness of prior processing;
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, email admin@stashbase.io. We'll respond within 30 days. If the request concerns end-user data inside one of your projects, you should contact the controller of that data (the operator of the application — often you).
7. International data transfers
Our primary infrastructure is in the European Union. Some subprocessors may process data in other jurisdictions (e.g., the United States, the United Arab Emirates). Where data leaves the EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) or an adequacy decision to safeguard the transfer.
8. Security
We protect data with:
- TLS 1.2+ in transit; AES-256 at rest for backups;
- Per-project Postgres roles with Row-Level Security on by default;
- Hashed passwords (bcrypt) and JWT-based session tokens with short lifetimes;
- Principle-of-least-privilege access for our operators, audited via shell history;
- Daily off-site backups with 30-day retention;
- Incident response: we'll notify affected customers without undue delay (within 72 hours where the GDPR applies and the breach is likely to result in a risk to rights and freedoms).
9. Subprocessors
We use the following subprocessors to operate the Service. We'll give 30 days' notice of new subprocessors via the dashboard or by email so you can object:
| Subprocessor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Compute & managed Postgres hosting | Germany / Finland (EU) |
| IDrive e2 | S3-compatible object storage for daily backups (encrypted) | United States |
| Cloudflare, Inc. | DNS, CDN, DDoS protection for marketing & dashboard | Global |
| Postmark (ActiveCampaign) | Transactional email (verification, password reset, billing) | United States |
| Stripe Payments Europe Ltd | Payment processing & invoicing | Ireland (EU) / United States |
| Google LLC (OAuth only) | "Sign in with Google" — only if a user chooses it | United States |
| Anthropic, PBC | Operational AI assistance for internal engineering (no Customer Data sent) | United States |
10. Children
The Service is not directed at children under 16, and we do not knowingly collect their personal data. If you believe a child has provided personal data to us, contact admin@stashbase.io and we will delete it.
11. Automated decision-making
We do not make decisions that have a legal or similarly significant effect on you based solely on automated processing.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced via the dashboard or by email at least 30 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.
13. Contact & data protection
For any privacy-related question or to exercise your rights, contact:
eMariners Inc — Data Protection
Dubai, United Arab Emirates
Email: admin@stashbase.io
If we are unable to resolve your concern, you have the right to lodge a complaint with your local data protection authority (in the EU/EEA), the Information Commissioner's Office (UK), or the UAE Data Office, as applicable.