PRIVACY POLICY

EnvManager

Effective Date: March 6, 2026

1. INTRODUCTION

DigitX ("Company", "we", "us", "our"), operating the EnvManager platform (envmanager.com), is committed to protecting your privacy and ensuring you have a positive experience on our website and services. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our platform, including all associated features, functionality, and services (collectively, the "Service").

This Privacy Policy applies to all users, including visitors, customers, and authorized representatives of organizations using EnvManager. Please read this Privacy Policy carefully. If you do not agree with our policies and practices, please do not use our Service.

2. DATA CONTROLLER AND CONTACT INFORMATION

Data Controller:

DigitX

Netherlands

Website: digitx.nl

Email: info@digitx.nl

For privacy-related inquiries, please contact us at the email address above. We will respond to your inquiry within thirty (30) days.

3. INFORMATION WE COLLECT

We collect various types of information in connection with the services we provide, including:

3.1 Information You Provide Directly

  • Account Registration: Name, email address, password, company name, job title, and organization details
  • Environment Variables and Secrets: Configuration data, API keys, tokens, and other sensitive values you choose to store in the Service (encrypted)
  • Communication: Correspondence with our support team, including email content, attachments, and inquiries
  • Payment Information: Billing address, payment method details (processed securely through Stripe; we do not store your full credit card details on our servers)
  • Profile Information: Display name, avatar, biography, and other profile customization details

3.2 Information Collected Automatically

  • Device Information: Device type, operating system, browser type and version, device identifiers, and mobile network information
  • Usage Data: Pages or features accessed, time spent on the Service, actions taken, clicks, search queries, and interaction patterns
  • Log Data: IP address, access timestamps, HTTP status codes, referring/exit pages, and error logs
  • Location Data: General geographic location derived from IP address (country, region, city-level) for security and service optimization
  • Cookies and Tracking Technologies: Session identifiers, preference settings, and analytical data (see Section 10 for details)
  • API Integration Data: Data related to integration with third-party services (Vercel, Railway, Render, GitHub, Google Cloud, Azure) including connection status and sync timestamps

3.3 Information from Third Parties

  • Authentication Providers: User profile data from Supabase authentication services
  • Service Integrations: Information shared by integrated platforms (Vercel, Railway, Render, GitHub, Google Cloud, Azure) as authorized by you
  • Analytics Providers: Data collected by PostHog and Google Tag Manager for usage analytics and service improvement
  • Public Sources: Publicly available information used for security verification and fraud prevention

4. LEGAL BASIS FOR PROCESSING (GDPR)

Under the General Data Protection Regulation (GDPR), we process personal data based on the following legal bases:

  1. Contract Performance (Article 6(1)(b)): Processing necessary to provide the EnvManager Service, including account management, secret storage and encryption, CLI integration, and security features.
  2. Legal Obligation (Article 6(1)(c)): Processing required by applicable laws, regulations, and legal obligations, including tax requirements, anti-money laundering regulations, and law enforcement requests.
  3. Legitimate Interest (Article 6(1)(f)): Processing necessary for our legitimate interests, including service security, fraud prevention, platform improvements, analytics, customer support, and business operations, where these interests are not overridden by your rights.
  4. Consent (Article 6(1)(a)): Processing based on your explicit consent, including marketing communications, non-essential cookies, and optional analytics.

5. HOW WE USE YOUR INFORMATION

We use the information we collect for the following purposes:

  • Service Delivery: Providing, maintaining, and improving the EnvManager platform and its features
  • Account Management: Creating and managing user accounts, authentication, and access control
  • Security and Protection: Detecting and preventing fraud, abuse, security incidents, and unauthorized access
  • Communication: Responding to inquiries, sending service announcements, updates, and support messages (transactional emails via Mailgun; marketing emails via Brevo)
  • Analytics and Improvement: Analyzing usage patterns, service performance, and user behavior to optimize the platform
  • Billing and Payments: Processing payments, generating invoices, and managing subscription services
  • Marketing: Sending promotional communications, newsletters, and updates (with your consent)
  • Legal Compliance: Meeting regulatory requirements, responding to legal requests, and resolving disputes
  • Integration Management: Facilitating connections with third-party services and platforms you authorize

6. DATA SHARING AND DISCLOSURE

We do not sell, trade, or rent your personal information to third parties. We may share information in the following circumstances:

6.1 Service Providers

We share information with vendors and service providers who assist us in operating the Service, including:

  • Supabase: Authentication, user management, and database hosting (hosted in Frankfurt, Germany, within the European Union)
  • PostHog: Product analytics and user behavior analysis
  • Google Tag Manager and Google Ads: Analytics, event tracking, and advertising conversion measurement
  • Stripe: Payment processing and subscription billing (Stripe processes your payment data in accordance with PCI DSS Level 1 compliance)
  • Brevo (formerly SendGrid): Marketing email communications, newsletters, and promotional messages
  • Mailgun: Transactional email delivery (account confirmations, password resets, security alerts, and service notifications)

6.2 Third-Party Integrations

When you authorize integrations with Vercel, Railway, Render, GitHub, Google Cloud, or Azure, we share the necessary information required to establish and maintain these connections. You control the scope and permissions for each integration.

6.3 Legal Requirements

We may disclose information when required by law, such as in response to subpoenas, court orders, or legal obligations, or when necessary to protect our rights, privacy, safety, or property, and that of our users and the public.

6.4 Business Transfers

If DigitX is involved in a merger, acquisition, bankruptcy, or asset sale, your personal information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a different privacy policy.

7. DATA SECURITY AND ENCRYPTION

We implement comprehensive security measures to protect your personal information and stored secrets:

  • AES-256 Encryption: All stored environment variables, API keys, and secrets are encrypted at rest using Advanced Encryption Standard with 256-bit keys
  • Transport Security: All data transmitted between your device and our servers uses TLS/SSL encryption (HTTPS)
  • Role-Based Access Control: Granular access controls restrict data access based on user roles and permissions within organizations
  • Access Logging: All access to sensitive data is logged and monitored for security purposes
  • Regular Security Audits: We conduct periodic security assessments and penetration testing
  • Secure Authentication: Multi-factor authentication capabilities and secure password requirements
  • Incident Response: Documented procedures for responding to potential security incidents

While we implement robust security measures, no system is completely impenetrable. We cannot guarantee absolute security. If you believe your account has been compromised, please notify us immediately at info@digitx.nl.

8. DATA RETENTION

We retain personal information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy:

  • Account Data: Retained for the duration of your account and for a reasonable period after account deletion to comply with legal obligations (typically 7 years for tax and accounting records)
  • Stored Secrets: Retained until you explicitly delete them or your account is terminated
  • Backup Data: Retained for 30 days after deletion to allow recovery, then permanently deleted
  • Log Data: Retained for 90 days for security and troubleshooting purposes
  • Analytics Data: Aggregated usage data retained for 24 months; individual tracking data retained for 13 months
  • Communications: Support and communication records retained for 2 years unless longer retention is required for legal reasons

When retention periods expire, we securely delete or anonymize the information. If retention is required for legal compliance, we will retain the minimum information necessary.

9. YOUR PRIVACY RIGHTS

9.1 GDPR Rights (Applicable to EU/EEA Residents)

If you are located in the European Union, European Economic Area, or Switzerland, you have the following rights under the GDPR:

  1. Right of Access (Article 15): You have the right to obtain confirmation of whether we process your data and to receive a copy of the personal data we hold about you in a structured, commonly-used, and machine-readable format.
  2. Right to Rectification (Article 16): You have the right to request correction of inaccurate or incomplete personal data.
  3. Right to Erasure (Article 17): You have the right to request deletion of your personal data, subject to certain exceptions (e.g., where processing is necessary for legal compliance).
  4. Right to Restrict Processing (Article 18): You have the right to request that we limit the processing of your data in certain circumstances.
  5. Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly-used, machine-readable format and to transmit it to another controller.
  6. Right to Object (Article 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes.
  7. Right to Withdraw Consent (Article 7): You have the right to withdraw consent for processing at any time without affecting the lawfulness of processing before withdrawal.
  8. Right to Lodge a Complaint (Article 77): You have the right to lodge a complaint with a supervisory authority in your Member State.

To exercise any of these rights, please contact us at info@digitx.nl. We will respond to your request within thirty (30) days, or the timeframe required by applicable law.

9.2 CCPA Rights (Applicable to California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

  1. Right to Know: You have the right to request what personal information we collect, use, share, and sell about you.
  2. Right to Delete: You have the right to request deletion of personal information we collect from you, subject to exceptions.
  3. Right to Opt-Out of Sale/Sharing: You have the right to direct us not to sell or share your personal information with third parties. We do not sell personal information, but you may request we not share it.
  4. Right to Correct: You have the right to request correction of inaccurate personal information.
  5. Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising your CCPA rights.

To exercise any of these rights, please submit a verifiable consumer request by emailing info@digitx.nl with "CCPA Request" in the subject line. We will verify your identity and respond within forty-five (45) days.

10. COOKIES AND TRACKING TECHNOLOGIES

We use cookies and similar tracking technologies to enhance your experience, understand usage patterns, and improve our Service:

10.1 Types of Cookies

  • Essential Cookies: Required for the Service to function (authentication, security, session management)
  • Preference Cookies: Remember your settings, language preferences, and customization choices
  • Analytics Cookies: Used by PostHog and Google Tag Manager to understand how users interact with the Service
  • Marketing and Advertising Cookies: Used by Google Ads to deliver personalized advertising, measure ad conversions, and track campaign effectiveness

10.2 Cookie Control

You can control cookies through your browser settings. Most browsers allow you to refuse cookies or alert you when cookies are being sent. Disabling essential cookies may impair the functionality of the Service. For non-essential cookies, we rely on your consent, which you can withdraw at any time.

10.3 Third-Party Tracking

PostHog, Google Tag Manager, and Google Ads may place cookies and tracking pixels on your device. Google Ads uses conversion tracking to measure the effectiveness of our advertising campaigns. Brevo may use tracking pixels in marketing emails to measure open rates and engagement. These third parties have their own privacy policies governing their data practices. You may opt out of certain tracking through their respective opt-out mechanisms. For Google Ads, you can manage ad personalization at https://adssettings.google.com.

11. INTERNATIONAL DATA TRANSFERS

DigitX is based in the Netherlands. Our primary infrastructure, including our Supabase instance, is hosted in Frankfurt, Germany, within the European Union. This means your core data (account information, stored secrets, and application data) remains within the EU.

However, some of our service providers may process data outside the European Economic Area. These include Stripe (payment processing, US-based with EU data processing), PostHog (analytics), Brevo (marketing emails), Mailgun (transactional emails), and Google (advertising and analytics). For transfers outside the European Economic Area, we implement appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs): Where required, we use approved SCCs for data transfers to third countries
  • Adequacy Decisions: Transfers to jurisdictions recognized as having adequate data protection (e.g., EU-US Data Privacy Framework)
  • Data Processing Agreements: We maintain DPAs with all sub-processors that handle personal data
  • Your Consent: We obtain your explicit consent for specific transfers where required

12. CHILDREN'S PRIVACY

EnvManager is not intended for use by children under the age of 13 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal information from children under 13. If we become aware that a child has provided us with personal information, we will promptly delete such information and terminate the child's account.

If you believe a child has provided information to us, please contact us immediately at info@digitx.nl.

13. THIRD-PARTY LINKS AND SERVICES

The Service may contain links to third-party websites and services operated by other companies, including our integration partners (Vercel, Railway, Render, GitHub, Google Cloud, Azure). This Privacy Policy does not apply to third-party services, and we are not responsible for their privacy practices.

We encourage you to review the privacy policies of any third-party services before providing your information or using their services.

14. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, and other factors. We will notify you of material changes by:

  • Updating the "Effective Date" at the top of this Privacy Policy
  • Sending you an email notification if the changes are material
  • Posting a notice on the Service
  • Requesting your consent if required by applicable law

Your continued use of the Service after changes become effective constitutes your acceptance of the updated Privacy Policy.

15. CONTACT US

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

DigitX

Email: info@digitx.nl

Website: digitx.nl

Response Time: We will respond to privacy inquiries within thirty (30) days

For EU/EEA Residents: You also have the right to lodge a complaint with your local data protection authority if you believe we have violated your rights.

16. SUPPLEMENTARY PROVISIONS

16.1 Data Processing Agreement

For B2B customers processing personal data through EnvManager, we maintain a Data Processing Agreement (DPA) compliant with GDPR Article 28. Please request a copy at info@digitx.nl.

16.2 Automated Decision Making

We use automated systems for fraud detection, security analysis, and anomaly detection. You have the right to request human review of decisions that produce legal or similarly significant effects. Contact info@digitx.nl to exercise this right.

16.3 Service-Specific Information

CLI Integration: The EnvManager CLI may collect technical information about your development environment (OS, version, node version) to optimize compatibility. You can disable telemetry through CLI configuration.

Role-Based Access Control: Organization admins can view access logs showing which team members accessed specific secrets and when. This is necessary for security and compliance auditing.

16.4 Jurisdiction and Governing Law

This Privacy Policy is governed by the laws of the Netherlands. For disputes concerning this policy, you may pursue remedies according to applicable Dutch law and EU regulations (where applicable).

Last Updated: March 6, 2026

EnvManager is committed to your privacy and data security. Thank you for trusting us with your sensitive information.