This Privacy Policy explains how [LEGAL ENTITY] ("CubeChains", "we", "us") processes personal data when you use the CubeChains platform and website (the "Service"). We act as a data controller for your account data, and as a data processor for content you upload and process through flows (see section 8).
This policy is built around the EU/EEA General Data Protection Regulation (GDPR) as its spine, and also covers the UK GDPR, the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), and Indonesia's Personal Data Protection Law (Undang-Undang No. 27 Tahun 2022, "UU PDP"). The core policy below applies to everyone. Additional rights and disclosures that depend on where you live are set out in the regional addenda in section 14.
1. Data we collect
You provide
- Account data: name/username, email address, password (hashed), and authentication identifiers if you sign in with Google or GitHub.
- Content: flows you build, text and files you upload, and configuration you enter.
- Communications: messages you send us via the contact form or support.
- Payment: if you subscribe to a paid plan, billing details are collected and processed by our payment processor; we do not store full card numbers.
Collected automatically
- Usage and device data: IP address, browser type, pages viewed, and actions taken, for security, rate limiting, and improving the Service.
- Cookies and similar technologies: see our Cookie Policy.
2. How we use data and our legal basis
Under the GDPR/UK GDPR we rely on the following legal bases (Article 6). The bases under UU PDP and other laws are analogous.
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide and operate your account and flows | Performance of a contract |
| Process payments and manage subscriptions | Performance of a contract |
| Security, fraud prevention, rate limiting | Legitimate interests / legal obligation |
| Service emails (verification, security, billing) | Performance of a contract |
| Analytics and product improvement | Consent (where required) |
| Marketing communications | Consent |
3. Client-side processing
Flow transformations run primarily in your browser. The content you transform is generally not sent to our servers during execution. Data leaves your device only when you explicitly upload a file to your Drive, connect an external source, or use a server-side feature (such as the AI assistant or webhook execution).
4. Sharing and sub-processors
We do not sell your personal data. We share it only with service providers ("sub-processors") that help us run the Service, under contracts that require them to protect it:
| Provider | Purpose | Location |
|---|---|---|
| Hetzner | Server hosting (application & database) | EU (Germany) |
| Cloudflare | CDN, frontend hosting, R2 file storage, bot protection (Turnstile) | Global |
| Resend / SMTP2GO | Transactional email delivery | US / Global |
| OpenRouter | AI assistant features (when used) | US / Global |
| Google, GitHub | OAuth sign-in (if you choose it) | US / Global |
| Google, Kaggle, Hugging Face, Moodle | Optional data connectors you enable | Varies |
| Google Analytics / PostHog | Product analytics (with consent) | US / Global |
We do not sell or share personal data for cross-context behavioral advertising (as those terms are defined under the CCPA/CPRA). We may also disclose data where required by law or to protect our rights, users, or the public.
5. International transfers
Our primary application and database hosting (Hetzner) is located in the EU (Germany). For users in the EU/EEA, your account data is hosted within the EU. Some sub-processors (for example certain US providers) are located outside the EU/EEA and UK.
Where personal data is transferred out of the EU/EEA or UK, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs) and, for UK transfers, the UK International Data Transfer Agreement (IDTA) or Addendum. For users in Indonesia, any transfer abroad is carried out consistently with UU PDP, relying on adequacy or contractual safeguards that ensure an adequate level of protection.
6. Data retention
We keep account data for as long as your account is active. When you delete your account, we delete or anonymise your personal data within a reasonable period, except where we must retain it to comply with legal obligations, resolve disputes, or enforce our agreements. Files you delete are removed according to our storage and soft-delete processes.
7. Content with others' personal data (education / processor role)
If you upload content containing other people's personal data, for example spreadsheets with student names, answers, or other records, you are the controller of that data and CubeChains acts as your processor. In that role we process such data only on your instructions, to provide the Service.
You are responsible for having a lawful basis and authorisation to upload it. If you are an educational institution or process student data at scale, a separate Data Processing Agreement (DPA) may be required; contact us at hello@cubechains.com to arrange one.
8. Security and breach notification
We use technical and organisational measures to protect personal data, including encryption in transit (TLS), hashed passwords, access controls, and private file storage served only through authenticated endpoints. No method of transmission or storage is completely secure; we cannot guarantee absolute security.
In the event of a personal data breach that poses a risk to you, we will notify the relevant supervisory authority (for example the EU data protection authority, the UK ICO, or the competent Indonesian authority) and the affected individuals, within the timeframes required by applicable law (notably within 72 hours under the GDPR and UU PDP).
9. Your rights
Subject to applicable law, you have the following core rights over your personal data:
- Access: obtain a copy of the personal data we hold about you;
- Rectification: correct or update inaccurate or incomplete data;
- Erasure: request deletion of your data;
- Restriction: ask us to limit how we process your data;
- Portability: receive your data in a portable format;
- Object: object to certain processing, including direct marketing;
- Withdraw consent: where processing is based on consent, withdraw it at any time.
To exercise these rights, contact us at hello@cubechains.com. Much of your data can also be managed directly from your account settings. Region-specific rights and how to exercise them are described in section 14.
10. Children
The Service is not directed to children. We do not knowingly collect personal data from children below the age of consent without verifiable parental or guardian consent. If you believe a child has provided us with personal data, contact us and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated version here and, for material changes, notify you by email or in-app notice.
12. Contact
Data Controller: [LEGAL ENTITY]
[BUSINESS ADDRESS]
Privacy / DPO contact: hello@cubechains.com
Email: hello@cubechains.com
Or use our contact form.
If you are in the EU/EEA or UK, you may also contact your local data protection authority (or the UK ICO) with a complaint.
13. Regional privacy addenda
The following sections supplement the core policy with rights and disclosures specific to your region. Where a regional rule differs from the core policy, the regional rule applies to residents of that region.
EU/EEA & UK (GDPR / UK GDPR)
We process your personal data on the legal bases set out in section 2: performance of a contract, our legitimate interests, your consent, and compliance with legal obligations. You have all the rights listed in section 9, exercisable by contacting hello@cubechains.com.
- You have the right to lodge a complaint with a supervisory authority in your EU/EEA country of residence, or with the UK Information Commissioner's Office (ICO).
- We are not required to appoint a statutory Data Protection Officer; privacy enquiries are handled via the hello@cubechains.com contact, which functions as our privacy point of contact.
- Where we transfer your data outside the EU/EEA or UK, we rely on appropriate safeguards such as the Standard Contractual Clauses (SCCs) and the UK IDTA/Addendum (see section 5).
California (CCPA / CPRA)
If you are a California resident, the following applies in addition to the core policy. Over the past 12 months we have collected the following categories of personal information:
- Identifiers: name/username, email address, account and authentication identifiers, IP address.
- Customer records: billing details processed via our payment processor.
- Internet/network activity: usage, device, and analytics data.
- User content: flows, text, and files you upload.
You have the right to:
- Know what personal information we collect, use, and disclose;
- Delete personal information we have collected about you;
- Correct inaccurate personal information;
- Opt out of the sale or sharing of personal information.
We do not sell your personal data, and we do not share it for cross-context behavioral advertising. Because we do not sell or share your data in this sense, we do not provide a "Do Not Sell or Share My Personal Information" mechanism. To exercise your rights, email us at hello@cubechains.com. We will not discriminate against you for exercising any of your CCPA/CPRA rights.
Indonesia (UU PDP No. 27/2022)
If you are in Indonesia, we process your personal data in line with the Personal Data Protection Law (Undang-Undang No. 27 Tahun 2022, "UU PDP"), acting as a Personal Data Controller for your account data and as a Personal Data Processor for content you upload (see sections 7 and 8). Under UU PDP you have the right to:
- access your personal data and obtain a copy;
- correct or update inaccurate data;
- erase or request deletion of your data;
- withdraw consent where processing is based on consent;
- object to or restrict certain processing;
- data portability where applicable;
- lodge a complaint with the competent Indonesian authority.
In the event of a personal data breach that poses a risk to you, we will notify the affected data subjects and the competent Indonesian authority as required by UU PDP. CubeChains may register as an Electronic System Operator in the private scope (Penyelenggara Sistem Elektronik / PSE Lingkup Privat) where required. To exercise your rights, contact us at hello@cubechains.com.