1. Introduction

Binary Leap OU ("TenantsDB", "we", "us", or "our"), a company registered in Estonia (registry code 16471040, Harju maakond, Tallinn, Lasnamae linnaosa, Sepapaja tn 6, 15551, Estonia), operates the TenantsDB platform. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our website, APIs, command line tools, and related services (collectively, the "Service").

By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy.

2. Information We Collect

We collect the following categories of information:

Account Information: When you create an account, we collect your email address, a cryptographic hash of your password (we never store passwords in plain text), and your chosen project name. We generate and store API keys and proxy passwords associated with your account.

Usage Data: We collect information about how you interact with the Service, including API requests made, queries executed through the proxy, database operations performed, and timestamps of these activities. Query logs are retained for 7 days on the Free tier and without automatic deletion on paid tiers.

Technical Data: We automatically collect your IP address, request headers, and connection metadata when you access the Service. This information is used for rate limiting, abuse prevention, and security monitoring.

Payment Information: Payment processing is handled entirely by Paddle.com Market Limited ("Paddle"), our Merchant of Record. We do not collect, store, or process credit card numbers, bank account details, or other payment instrument data. Paddle provides us with your billing email, transaction identifiers, and subscription status.

Customer Data: You and your end users may store data in tenant databases, workspace databases, and control databases provisioned through the Service. The contents of these databases are your Customer Data and are addressed in Section 5.

Search Index Data: When the search feature is enabled, we automatically index data from your tenant databases into our search engine to enable keyword and AI-powered search functionality. Search indexes are stored on our self-hosted infrastructure.

3. How We Use Your Information

We use the information we collect for the following purposes:

(a) To provide, operate, and maintain the Service. (b) To authenticate your identity and authorize access to your resources. (c) To process transactions and manage your subscription through Paddle. (d) To enforce rate limits, detect abuse, and protect the security of the Service and its users. (e) To monitor and improve the performance and reliability of the Service. (f) To respond to your support requests and communicate with you about the Service. (g) To comply with applicable legal obligations.

We do not use your personal information for advertising, profiling, or automated decision-making. We do not sell your personal information to third parties.

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), we process your personal data under the following legal bases as defined by the General Data Protection Regulation (GDPR):

Performance of a contract: Processing your account information and usage data is necessary to provide the Service as agreed under our Terms of Service.

Legitimate interests: Processing technical data for security monitoring, abuse prevention, and service improvement is necessary for our legitimate interest in operating a secure and reliable platform, provided that these interests are not overridden by your data protection rights.

Legal obligation: We may process your information where necessary to comply with applicable law, regulation, or legal process.

Consent: Where required by applicable law, we will obtain your consent before processing your personal information for purposes not covered by the bases above. You may withdraw consent at any time by contacting us at legal@tenantsdb.com.

5. Customer Data

Customer Data refers to all data that you or your end users store in databases provisioned through the Service. We process Customer Data solely as a data processor acting on your instructions for the purpose of providing the Service. We do not access, analyze, sell, or share Customer Data except as necessary to operate the Service (for example, to execute queries, perform backups, replicate data during migrations, or index data for search functionality).

You are the data controller for Customer Data and are responsible for ensuring that your collection, storage, and processing of end user data through the Service complies with all applicable data protection laws.

6. Data Storage and Infrastructure

All infrastructure used to operate the Service is self-hosted on dedicated servers located in data centers operated by Hetzner Online GmbH in Germany and Finland. This includes database servers, search engines, message queues, and application servers.

We do not use multi-tenant cloud services (such as managed database services or serverless platforms) to process Customer Data. L2 dedicated virtual machines are provisioned on Hetzner Cloud in the region you specify.

Backups are stored in encrypted form on Amazon Web Services (AWS) S3 storage located in the EU (Frankfurt region).

7. Sub-processors

We engage the following third-party sub-processors to provide the Service:

Hetzner Online GmbH (Germany): Server hosting and cloud virtual machines. Hetzner processes data only as infrastructure provider and does not access the content of your databases.

Amazon Web Services EMEA SARL (Luxembourg): S3 object storage for encrypted backups. AWS processes backup data only as a storage provider.

Paddle.com Market Limited (United Kingdom): Payment processing, invoicing, and tax compliance. Paddle processes your billing information as Merchant of Record. Paddle's privacy policy is available at paddle.com/privacy.

All sub-processors are bound by data processing agreements that require them to protect your data in accordance with applicable data protection laws.

8. Data Transfers

Your Account Information and Technical Data are processed on servers located within the European Union (Germany and Finland). Backups are stored in the EU (Frankfurt). No Customer Data is transferred outside the European Economic Area unless you explicitly provision an L2 dedicated VM in a non-EU region.

Paddle, as a UK-based entity, processes billing data under the UK GDPR framework and the EU-UK adequacy decision.

9. Data Retention

Account Information: Retained for the duration of your account. Upon account termination, all data is retained for 30 days to allow recovery, after which it is permanently deleted.

Query Logs: Retained for 7 days on the Free tier. No automatic deletion on paid tiers. You may request deletion at any time.

Customer Data (databases, search indexes): Retained for the duration of your account. Soft-deleted tenants are retained with snapshots until you permanently delete them or your account is terminated. Upon account termination, all data is permanently deleted after the 30-day grace period.

Backups: Retained according to the automated backup schedule. Upon account termination, all backups are permanently deleted after the 30-day grace period.

Technical Data (IP addresses, rate limit records): Retained for a maximum of 30 days for security purposes, after which it is automatically purged.

Inactive Free Accounts: We may terminate Free tier accounts with no API activity for 12 consecutive months, subject to 30 days prior notice by email.

10. Data Security

We implement the following security measures to protect your information:

(a) All connections to the Service are encrypted using TLS. (b) Passwords are stored using bcrypt cryptographic hashing. We never store passwords in plain text. (c) API keys are hashed before storage. (d) Database backups are encrypted at rest on S3. (e) Rate limiting and IP-based abuse detection are enforced at the proxy and API layers. (f) Tenant databases are isolated at the database level. No shared tables, no shared credentials, no shared connection strings. (g) L2 dedicated tenants are isolated at the virtual machine level.

While we implement commercially reasonable security measures to protect your data, no method of electronic storage or transmission is completely secure, and we cannot guarantee absolute security.

11. Your Rights

If you are located in the European Economic Area, you have the following rights under the GDPR:

Right of access: You may request a copy of the personal data we hold about you.

Right to rectification: You may request correction of inaccurate personal data.

Right to erasure: You may request deletion of your personal data, subject to our legal obligations and the retention periods described above.

Right to restriction: You may request restriction of processing of your personal data under certain circumstances.

Right to data portability: You may request your personal data in a structured, commonly used, machine-readable format.

Right to object: You may object to processing based on legitimate interests.

Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time.

To exercise any of these rights, contact us at legal@tenantsdb.com. We will respond within 30 days of receiving your request. We may request additional information to verify your identity before processing your request.

If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or your local supervisory authority.

12. Cookies

The TenantsDB marketing website (tenantsdb.com) uses only essential cookies required for basic site functionality. We do not use advertising cookies, tracking cookies, or third-party analytics services on our marketing site.

The TenantsDB Service (API and database proxy) does not use cookies. Authentication is performed via API keys in request headers.

13. Children's Privacy

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information promptly. If you believe that we have collected information from a child under 16, please contact us at legal@tenantsdb.com.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email to your registered address at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.

15. Contact Information

For questions about this Privacy Policy or to exercise your data protection rights, contact us at:

Binary Leap OU Harju maakond, Tallinn, Lasnamae linnaosa, Sepapaja tn 6, 15551, Estonia Email: legal@tenantsdb.com Support: support@tenantsdb.com

Estonian Data Protection Inspectorate (supervisory authority): Andmekaitse Inspektsioon Tatari 39, 10134 Tallinn, Estonia info@aki.ee

Last updated: March 2026