Privacy Policy (GDPR)

Last updated: 2025-10-31 · GDPR-compliant (EU)


1. Introduction

This Privacy Policy explains how phasi.app (“Service”) processes personal data. We comply with the General Data Protection Regulation (GDPR) and applicable EU/German data protection laws. This document should be read together with our Terms of Service, Data Processing Agreement (DPA), Security Policy and List of Sub-processors.

Not a PLM/ERP replacement: Phasi is a coordination/visibility layer. The Service is not intended to process safety-critical or medical data. Do not upload such data.

2. Data Controller & Roles

Controller: Yevgen Yeshchenko, Im Egerten 7/1, 74391 Erligheim, Germany — support@phasi.app

  • Controller: account/admin data, billing/communication data.
  • Processor: workspace/project content submitted by users (see DPA).

No Data Protection Officer is required under Art. 37 GDPR for the current processing activities.

3. Data We Collect

  • Account Data: name, email, authentication identifiers, password hash.
  • Workspace & Membership: company name, role, invitations, team assignments.
  • Project Data: structures, phases, tasks, assignees, comments, attachments you upload.
  • Usage & Logs: timestamps, IP, device/browser metadata, audit events, performance/security logs.
  • Billing (if enabled): organization details, plan, invoice metadata. We do not store raw card data.

Special categories: do not upload special categories under Art. 9 GDPR or safety-critical/medical data.

5. Hosting & Sub-processors

Primary hosting and data storage are located in the EU. We use trusted providers to deliver the Service. The current list is maintained at /subprocessors.

  • Supabase (EU): database, authentication, file storage.
  • Vercel: application hosting and global CDN (primary data at rest in EU; global edge delivery).
  • Payments (if enabled): processing via a PCI-certified provider; we do not store card PANs.

We do not sell personal data. Sub-processor changes will be reflected on the Sub-processors page.

6. Security

  • TLS/HTTPS in transit; provider-level encryption at rest.
  • Role-based access control and least-privilege principles.
  • Row-Level Security (RLS) and audit trails for critical actions.
  • Backups and disaster-recovery procedures (best-effort under Beta terms).
  • Vulnerability management and incident response playbooks.

For details see our Security Policy. You remain responsible for secure account usage and maintaining your own off-platform backups of critical data.

7. Your Rights

Under Arts. 15–21 GDPR you have the rights of access, rectification, erasure, restriction, portability, and objection, as well as the right to withdraw consent where processing relies on consent.

Requests: support@phasi.app. You also have the right to lodge a complaint with your local supervisory authority (e.g., Baden-Württemberg LfDI).

8. Data Retention

We retain personal data for as long as necessary to provide the Service and meet legal obligations. Typical periods:

  • Account & workspace data: retained while the account is active.
  • Security/audit logs: typically up to 24 months (shorter in Beta if needed).
  • Billing/tax records: as required by law (e.g., 6–10 years in DE/EU).

Backups may persist for a limited period after deletion. We may anonymize data for statistical purposes.

9. Cookies

We use essential cookies for authentication and core functionality. Optional analytics/marketing cookies (if any) are used only with your consent. See Cookies Policy.

10. International Transfers

We primarily store data in the EU. Where data is accessed from or transferred to third countries, we implement appropriate safeguards under Chapter V GDPR (e.g., EU Commission Standard Contractual Clauses) and conduct transfer impact assessments where required.

11. Children

The Service is not intended for individuals under 18 years of age.

12. Disclosures & Requests

We may disclose data where required by law or to protect the Service, provided such requests are reviewed and limited to what is legally necessary. We will notify you where legally permitted.

13. Changes

We may update this Privacy Policy from time to time. Material changes will be indicated via the “Last updated” date and/or in-app notices.

14. Contact

E-mail: support@phasi.app
Yevgen Yeshchenko
Im Egerten 7/1, 74391 Erligheim, Germany