Privacy Policy
Last Updated: November 15, 2025
1. Introduction
DistroPack ("we", "us", "our", or "DistroPack") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, store, and protect your personal information when you use our Software-as-a-Service platform for Linux package management and distribution.
By using DistroPack, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.
2. Information We Collect
2.1 Information You Provide
We collect information that you directly provide to us when using the Service:
- Account Information: Email address, username, password (hashed), and authentication preferences
- Profile Information: Any additional information you choose to provide in your account profile
- Project and Package Data: Project names, descriptions, package configurations, metadata, and build settings
- Source Files: Files you upload for package building, including source code, binaries, scripts, and other assets
- Packaging Scripts: Pre-install, post-install, pre-upgrade, post-upgrade, pre-delete, and post-delete scripts
- Build Configuration: Package dependencies, target architectures, distribution-specific settings
- Communication Data: Messages you send to our support team, feedback, and other communications
2.2 Information Collected Automatically
When you use the Service, we automatically collect certain information:
- Usage Data: Build job history, build counts, API usage, feature usage patterns
- Technical Data: IP address, browser type and version, device information, operating system
- Log Data: Server logs, error logs, access logs, and diagnostic information
- Session Data: Authentication tokens, session identifiers, and security-related data
- Performance Data: Build times, success/failure rates, system performance metrics
2.3 Information from Third-Party Services
If you choose to authenticate using third-party providers, we may receive:
- OAuth Provider Data: Basic profile information (name, email, profile picture) from Google or GitHub
- Payment Information: Subscription status, billing information, payment history from Paddle (we do not store full payment card details)
We do not have access to your payment card details, as all payment processing is handled securely by Paddle.
3. How We Use Your Information
We use the collected information for the following purposes:
- Service Provision: To provide, maintain, and improve the DistroPack platform and its features
- Package Building: To process your source files and build distribution-specific packages
- Repository Management: To create, maintain, and host package repositories with proper metadata and GPG signing
- Account Management: To create and manage your account, authenticate your identity, and enforce subscription limits
- Billing and Subscriptions: To process payments, manage subscriptions, and communicate about billing matters
- Communication: To send you service-related notifications, updates, security alerts, and support responses
- Security: To detect, prevent, and address security issues, fraud, and unauthorized access
- Analytics: To analyze usage patterns, improve service performance, and develop new features
- Legal Compliance: To comply with applicable laws, regulations, and legal processes
- Enforcement: To enforce our Terms of Service and protect our rights and the rights of our users
We do not sell, rent, or trade your personal information to third parties for their marketing purposes.
4. Data Storage and Security
4.1 Storage Location
Your data is stored in secure, geographically distributed data centers:
- Account and Metadata: Stored in PostgreSQL databases with regular backups
- Source Files and Packages: Stored in S3-compatible object storage with redundancy and versioning
- Built Packages: Hosted on our FileServer infrastructure for repository distribution
4.2 Security Measures
We implement industry-standard security measures to protect your information:
- Encryption: Data in transit is encrypted using TLS/SSL. Sensitive data at rest is encrypted
- Authentication: Strong password requirements, OAuth integration, and secure session management
- Access Controls: Role-based access control, service authentication for inter-service communication
- GPG Signing: All packages and repository metadata are cryptographically signed
- Rate Limiting: API endpoints are rate-limited to prevent abuse and unauthorized access
- Monitoring: Continuous security monitoring, logging, and intrusion detection
- Regular Updates: Security patches and updates are applied promptly
Despite our security measures, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
5. Data Sharing and Disclosure
5.1 Service Providers
We share information with trusted third-party service providers who assist us in operating the Service:
- Paddle: Payment processing and subscription management. See Paddle's Privacy Policy
- S3-Compatible Storage Providers: File storage and hosting services. Data is stored according to their security standards
- OAuth Providers: Google and GitHub for authentication. See their respective privacy policies
- Email Service Providers: For sending transactional and service-related emails
These service providers are contractually obligated to protect your information and use it only for the purposes we specify.
5.2 Public Repository Access
When you build and publish packages through DistroPack:
- Built packages are hosted in publicly accessible repositories
- Repository metadata and GPG public keys are publicly available
- Your username may be visible in repository URLs and package metadata
- Source files remain private and are not publicly accessible
5.3 Legal Requirements
We may disclose your information if required by law or in response to:
- Valid legal requests, subpoenas, court orders, or government regulations
- Enforcement of our Terms of Service or other agreements
- Protection of our rights, property, or safety, or that of our users
- Investigation of suspected fraud, security threats, or illegal activities
5.4 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.
6. Cookies and Tracking Technologies
6.1 Cookies
We use cookies and similar tracking technologies to enhance your experience:
- Authentication Cookies: To maintain your login session and authenticate your identity
- Security Cookies: To protect against cross-site request forgery (CSRF) and other security threats
- Preference Cookies: To remember your preferences and settings
- Analytics Cookies: To understand how you use the Service and improve our platform
6.2 Cookie Management
Most web browsers allow you to control cookies through their settings. You can:
- Block or delete cookies through your browser settings
- Set your browser to notify you when cookies are being used
- Disable cookies entirely (note: this may affect Service functionality)
Essential cookies are necessary for the Service to function and cannot be disabled. Disabling non-essential cookies may limit certain features.
7. Your Rights and Choices
7.1 Access and Portability
You have the right to:
- Access your personal information and account data through your account dashboard
- Download your source files and package configurations
- Request a copy of your data in a portable format
7.2 Correction and Updates
You can update most of your information directly through your account settings:
- Update your email address, username, and profile information
- Modify project and package configurations
- Change your password and authentication preferences
7.3 Deletion
You can delete your data at any time:
- Delete individual files, packages, or projects through the Service interface
- Delete your entire account, which will remove all associated data
- Request deletion of specific data by contacting support
Upon account deletion:
- Your account information will be removed from our systems
- Your source files will be deleted from storage
- Built packages will be removed from repositories
- Some data may be retained as required by law or for legitimate business purposes (e.g., billing records)
7.4 Opt-Out Rights
You can opt out of:
- Marketing communications (service-related emails will still be sent)
- Non-essential cookies through your browser settings
- Third-party OAuth authentication (use email/password instead)
7.5 GDPR and CCPA Rights
If you are located in the European Economic Area (EEA) or California, you have additional rights under GDPR and CCPA, including the right to object to processing, restrict processing, and data portability. To exercise these rights, please contact us using the information provided in Section 13.
8. Data Retention
We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy:
- Active Accounts: Data is retained while your account is active
- Deleted Accounts: Most data is deleted within 30 days of account deletion
- Billing Records: Retained for 7 years as required by tax and accounting laws
- Security Logs: Retained for up to 1 year for security and fraud prevention
- Legal Requirements: Data may be retained longer if required by law or legal proceedings
After the retention period, data is securely deleted or anonymized. Built packages may remain in public repositories until manually removed, even after account deletion.
9. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from those in your country. By using the Service, you consent to:
- Transfer of your information to countries where our service providers operate
- Processing of your information in accordance with this Privacy Policy
We implement appropriate safeguards to ensure your information receives an adequate level of protection, including contractual clauses and security measures consistent with applicable data protection laws.
10. Children's Privacy
DistroPack is not intended for use by individuals under the age of 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete that information promptly.
11. Third-Party Links and Services
The Service may contain links to third-party websites or integrate with third-party services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies:
- Paddle: Privacy Policy
- Google: Privacy Policy
- GitHub: Privacy Statement
Your interactions with third-party services are governed by their respective privacy policies and terms of service.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
- Posting the updated Privacy Policy on this page
- Updating the "Last Updated" date
- Sending an email notification to your registered email address (for significant changes)
- Displaying a prominent notice on the Service (for major changes)
Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy. If you do not agree to the changes, you should stop using the Service and delete your account.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
- Email: support@distropack.dev
- Website: Through the contact form on our website
- Account Dashboard: Through the support section in your account
We will respond to your inquiry within a reasonable timeframe, typically within 30 days. For requests related to data access, deletion, or other privacy rights, we may require verification of your identity to protect your privacy.
14. Data Protection Officer
If you are located in the EEA and wish to contact our Data Protection Officer (DPO) regarding GDPR-related matters, please use the contact information provided in Section 13 and indicate that your inquiry is for the DPO.