This policy describes the personal data collected by FerrLabs (Bryan Ferrando, sole proprietor, SIREN 104 243 951) acting as data controller for account-level data, in accordance with the GDPR. For Customer issue content, FerrLabs acts as a data processor under article 28 GDPR — see "Roles" below.
Roles (controller vs processor)
For Customer-published content (issues, comments, attachments, GitHub integration data), FerrLabs acts as a data processor within the meaning of article 28 GDPR. The Customer is the data controller. A Data Processing Agreement (DPA) is available on request.
Data collected
- Account: email address, password (hashed with Argon2id), display name, timezone, locale.
- Organization: name, slug, team size, country.
- Customer content: issues, comments, attachments, labels, project metadata, activity log entries.
- GitHub integration: webhook payloads (PR titles, commit messages, issue references, PR author handles), OAuth tokens (encrypted at rest), repository identifiers.
- Audit log: IP address, user-agent, timestamps of sensitive actions.
- Cookies: fl_session (httpOnly, SameSite=Lax, 7-day lifetime) — strictly necessary for authentication.
- Server logs: 30-day retention.
GitHub webhook integration
When you enable the GitHub integration, FerrTrack receives and stores webhook payloads (PR titles, commit messages, issue references) to enable auto-linking between PRs and issues. No GitHub data is transmitted to third parties. Webhook payloads are retained for a maximum of 12 months.
Purposes
- Authentication and access to the service.
- Operation, security, and troubleshooting of the platform.
- Storage and retrieval of Customer issue content and project state.
- Auto-linking between GitHub PRs and FerrTrack issues.
- Billing of paid subscriptions.
- Compliance with legal obligations.
Legal bases (GDPR art. 6)
- Performance of the contract (6.1.b) for accounts and subscriptions.
- Legitimate interest (6.1.f) for security, audit logs, and abuse prevention.
- Legal obligation (6.1.c) for accounting and tax data.
Subprocessors
- OVH SAS — hosting (France).
- Stripe Inc. — payments (United States, certified under the Data Privacy Framework) — active when a paid subscription is activated.
- Resend — transactional emails — active when transactional emails are sent.
- GitHub (Microsoft Corp.) — webhook source for PR and commit references (United States, certified under the Data Privacy Framework) — active when the GitHub integration is enabled.
Retention period
| Data | Retention |
|---|---|
| Active account | For the lifetime of the account |
| Deleted account | 90 days, then permanent purge |
| Customer issue content | For the lifetime of the project, plus 30 days after deletion |
| Activity log | For the lifetime of the project |
| GitHub webhook payloads | 12 months |
| Audit log | 24 months |
| Server logs | 30 days |
| Billing data | 10 years (art. L.123-22 of the French Commercial Code) |
Your rights
Under the GDPR, you have the rights of access, rectification, erasure, portability, objection, and restriction of processing.
To exercise your rights, contact contact@ferrlabs.com. Requests concerning Customer issue content are forwarded to the Customer (data controller).
You may also lodge a complaint with the CNIL (cnil.fr).
Data Protection Officer (DPO)
FerrLabs has not appointed a DPO. This is not required for a sole proprietorship that does not carry out large-scale processing of sensitive data (GDPR art. 37).
Transfers outside the European Union
Where applicable, transfers occur to subprocessors located in countries with an adequacy decision or certified under the Data Privacy Framework (Stripe, GitHub). No transfer is made to a country without adequate safeguards.
Changes
This policy may be updated. The date of the last revision is shown at the top of this page.
French version: Politique de confidentialité.