Privacy Policy
Last revised: June 23, 2026
This Privacy Policy describes how UAB Sensmetry ("we", "us", or "our"),
company code 305079257, J. Jasinskio g. 16A, LT-03163 Vilnius, Lithuania,
processes your personal information through Sysand Index, acting as a
data controller.
If you have questions or comments about this policy, you may email us at
privacy@sensmetry.com.
What Information Do We Collect?
We collect the following personal information when you use Sysand Index:
- Account information: username, display name, email address, and hashed
password.
- Authentication data: if you sign in via Google, Microsoft, GitHub, or
GitLab, we receive and store provider account identifiers, email address,
profile name, and related profile payload needed to connect the account. We
do not store your OAuth tokens.
- Audit logs: we log security-relevant actions (login, password changes,
token management) along with your IP address for incident response.
- Operational identifiers: we process IP addresses for abuse prevention,
rate limiting, and download-count deduplication. Download deduplication uses
a 24-hour window so public download counts approximate unique downloaders
rather than raw requests. Some unauthenticated security throttles keep raw
trusted client IPs briefly so abusive token-exchange or upload traffic can be
blocked before authentication.
- Trusted publishing data: when a CI provider exchanges an OIDC token, we
may retain claim categories needed to match, audit, and troubleshoot the
exchange, such as issuer, repository or project identifiers, workflow or
pipeline file, environment, protected-ref evidence, and token timing metadata.
- Uploaded content: packages you publish, including metadata such as
publisher name, project name, and version.
- Avatar images: we generate an MD5 hash of your email address and send it
to Gravatar (operated by Automattic) to retrieve your
profile picture. This request is made from our server, not your browser — your
IP address is never shared with Gravatar. If you have a Gravatar account, your
avatar is displayed; otherwise a generated geometric pattern is shown.
How Do We Process Your Information?
We process your personal information to provide, secure, and administer
Sysand Index:
- To operate and maintain the service.
- To authenticate you and secure your account.
- To send transactional emails (token creation, invitations, account changes).
- To investigate and respond to security incidents via audit logs.
- To enforce rate limits, reduce abuse, and deduplicate download counts.
- To send limited staff operational notifications about organization requests,
security-sensitive events, and service errors so we can operate the service.
- To debug operational errors. Error reports may include request metadata and
stack traces; staff should avoid placing secrets in request data.
We do not sell your personal information. We do not use your personal
information for advertising. We do not use third-party analytics or
tracking services.
What Legal Bases Do We Rely On to Process Your Information?
The General Data Protection Regulation (GDPR) requires us to explain the
valid legal bases we rely on when processing your personal information.
We process your personal information on the following bases:
- Contract: processing necessary to provide the service you signed up for
(account management, package hosting).
- Legitimate interest: security audit logging, incident response, abuse
prevention, operational notifications, error reporting, and download-count
deduplication.
When and With Whom Do We Share Your Personal Information?
Your public profile (username, display name) and published packages
are visible to all users. We do not share your private information with
third parties except:
- Google Cloud Platform (operated by Google LLC, US) — hosts the service in
the EU. See the Where Do We Store Your Information? section below for
details.
- Google Workspace (Google LLC, US) — delivers transactional emails (token
creation, invitations, account changes) from our corporate email account and
may process staff operational notifications, including Google Chat messages.
- Gravatar (Automattic, US-based) — receives MD5 hashes of email addresses
to serve avatar images. No other personal information is shared.
- Operational email recipients — staff may receive service error reports
containing request metadata and stack traces for debugging and incident
response.
- When required by law.
Where Do We Store Your Information?
Your information is stored on Google Cloud Platform in the europe-north2
region (Stockholm, Sweden). Both the website and the API are served
over TLS, with certificates issued by
Let's Encrypt.
Information is encrypted in transit (TLS between you and the service,
and between the application and the database) and at rest (Google-managed
encryption keys for Cloud SQL and Cloud Storage).
Cloud SQL automated backups, including point-in-time recovery, are
stored in the same region.
Google Cloud Platform is operated by Google LLC, a US-based company.
Although the storage region is in the EU, Google as a service provider
may be subject to US legal requests. We provide adequate protection for
any such transfers through the
Google Cloud Data Processing Addendum, which incorporates the
Standard Contractual Clauses and the UK International Data Transfer
Addendum as available under applicable law from time to time.
Do We Use Cookies and Other Tracking Technologies?
We use only essential cookies required for the service to function:
- Session cookie: keeps you logged in.
- CSRF cookie: protects against cross-site request forgery.
We also use browser local storage for functional UI state, including your theme
preference (light/dark/system) and whether you dismissed the deployment banner.
We do not use any analytics or advertising cookies.
How Long Do We Keep Your Information?
We will only keep your personal information for as long as it is
necessary for the purposes set out in this privacy policy, unless a
longer retention period is required or permitted by law.
- Account information: retained until you delete your account, except that
some security, package, and namespace data may remain as described below.
- Audit logs: retained for up to one year, then automatically purged.
- Rate-limiting and download deduplication identifiers: retained only for
their operational windows, such as the 24-hour download deduplication window
or the short stale-counter pruning window for abuse-prevention throttles.
- Trusted publishing OIDC token records: retained only briefly after expiry
so failed or suspicious exchanges can be audited, then purged by maintenance.
- Published packages: retained until you or a project owner removes them.
Public package metadata, release files, and related project facts may remain
visible after an account is deleted if ownership or supply-chain integrity
requires it.
- Namespace reservations: if a username or organization name has served a
release, the name may remain reserved after account or organization deletion
to prevent another party from publishing under an identifier that downstream
users already trust.
What Are Your Privacy Rights?
In some regions (like the EEA, UK, and Switzerland), you have certain
rights under applicable data protection laws. These may include the
right to:
- Access your personal information.
- Rectify inaccurate editable profile information via your account settings.
- Delete your account from your account settings page. Deletion removes the
live account and direct account data, but retained audit, package, namespace,
and security records may remain where needed for service integrity, legal
obligations, or security. Email us if you need help with retained data or a
namespace reservation.
- Export your personal information — download a copy from your
account settings page.
- Withdraw consent at any time where we rely on consent to process your information.
- Lodge a complaint with your Member State data protection authority.
The easiest way to exercise your rights is by emailing us at
privacy@sensmetry.com.
Do We Make Updates to This Policy?
We may update this privacy policy from time to time. The updated version
will be indicated by an updated "Last revised" date at the top of this
privacy policy. We will notify registered users of material changes by
email.
How Can You Contact Us About This Policy?
If you have questions or comments about this policy, you may email us at
privacy@sensmetry.com.