Last updated: 30 March 2026

Privacy Policy

This Privacy Policy describes the personal data DBaaS.dev collects, the purposes for which it is used, the period for which it is retained, and the rights available to you under applicable data protection law.

Summary: We collect the minimum data necessary to operate the service. We do not sell your data or use it for advertising. The contents of your databases remain yours — we process them solely to provide the infrastructure you have provisioned.

1. Who We Are

DBaaS.dev is a managed PostgreSQL hosting service operated by a team based in India. References to "we", "us", or "DBaaS.dev" throughout this policy refer to the service operator.

For the purposes of data protection law, DBaaS.dev acts as a Data Controller for account and usage data, and as a Data Processor for any data you store inside your PostgreSQL databases.

Contact: [email protected]

2. What Data We Collect

Account data

When you sign up via Google OAuth, we receive and store:

Your name and email address (as provided by Google)
A Google-issued user identifier
Timestamp of account creation

Usage and technical data

When you use the service, we automatically collect:

IP address of requests to our API
Database resource identifiers, creation/deletion times, and status
Plan type, resource allocation metadata (CPU, memory limits)
Request logs (HTTP method, path, status code, response time) — retained for up to 30 days
Error traces for debugging

Ephemeral database usage

If you use our ephemeral (no-account) API, we collect your IP address and the timestamps of database creation and deletion. No account is linked. This data is retained for 30 days for abuse prevention.

What we do not collect

Payment card details (we don't process payments currently)
The contents of your PostgreSQL databases — your application data is yours
Browser cookies beyond what Auth.js sets for session management
Tracking pixels, ad identifiers, or behavioural analytics

3. How We Use Your Data

Purpose	Legal basis
Authenticating you and running your account	Contract (providing the service you signed up for)
Operating, monitoring, and maintaining your database instances	Contract
Rate limiting and abuse prevention (IP-based)	Legitimate interest (protecting the platform)
Debugging errors and improving reliability	Legitimate interest
Sending service-related emails (critical alerts, account notices)	Contract / Legitimate interest
Legal compliance and responding to lawful requests	Legal obligation

We do not use your data for advertising, profiling, or any purpose beyond the operation of the service.

4. How Long We Keep Your Data

Data type	Retention period
Account information (name, email)	Until you delete your account, plus 30 days for backup purposes
Database resource metadata	For the life of the resource, then 90 days post-deletion
Request logs	30 days rolling
Ephemeral DB usage records (IP, timestamps)	30 days
Backup copies of account data	Up to 90 days after account deletion

5. Third-Party Subprocessors

We use the following third-party services to operate DBaaS.dev. Each is bound by its own data processing obligations:

Subprocessor	Purpose	Data shared	Location
Google (OAuth)	Authentication	Name, email (returned to us on sign-in)	USA
Neon (neon.tech)	Stores service metadata (accounts, resource records)	Account info, resource metadata	USA
Cloudflare	Frontend hosting (Cloudflare Pages), CDN, DNS	IP addresses, request headers	Global (edge)
Kubernetes cluster (VPS provider)	Runs your actual PostgreSQL database containers	Database contents you store	USA

Your PostgreSQL databases run on servers located in the United States. If you are based in the EU, EEA, or India, this constitutes a cross-border data transfer. We rely on standard contractual obligations and the legitimate interest of providing the service you requested as the transfer mechanism.

6. Your Data in Your Databases

The data you store inside your PostgreSQL databases is your responsibility. You are the Data Controller for that data. DBaaS.dev is the Data Processor — we only process it to run your database instance as instructed. We do not inspect, mine, or access your database contents beyond what's technically necessary for infrastructure operations (e.g. health checks, backups if applicable). If your database contains personal data about third parties, you are responsible for your own compliance obligations under GDPR, DPDP, or any other applicable law.

7. Your Rights

Depending on your location, you have the following rights over the personal data we hold about you:

Under GDPR (EU/EEA residents)

Access: Request a copy of the personal data we hold about you
Correction: Ask us to correct inaccurate data
Deletion ("right to be forgotten"): Request deletion of your data
Portability: Receive your data in a machine-readable format
Restriction: Ask us to limit how we use your data
Objection: Object to processing based on legitimate interests
Withdrawal of consent: Where processing is consent-based, you may withdraw it at any time

Under India's DPDP Act 2023 (Indian residents)

Access: Know what personal data we hold and how it's processed
Correction and erasure: Request corrections or deletion of your personal data
Grievance redress: Raise a complaint with our designated contact
Nominate: Nominate another individual to exercise rights on your behalf
Withdrawal of consent: Withdraw consent you've previously given (note: this may result in account termination if it prevents us from providing the service)

To exercise any of these rights, please contact [email protected]. We will respond within 30 days. No fee is charged for reasonable requests.

8. Data Breach Notification

In the event we become aware of a security breach likely to result in a risk to your rights and freedoms (under GDPR), or involving your personal data (under the DPDP Act), we will:

Notify affected users without undue delay, and within 72 hours of becoming aware (GDPR requirement)
Notify the Data Protection Board of India (DPBI) promptly upon becoming aware of a breach involving Indian residents' personal data, as required under the DPDP Act
Provide details of what happened, what data was affected, and what steps we're taking

Breach notifications will be sent to the email address on your account.

9. Children's Privacy

DBaaS.dev is not intended for children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has created an account, contact us and we will delete it promptly.

10. Changes to This Policy

We will update this page when our practices change and revise the effective date at the top accordingly. For material changes, we will send notice to your registered email address at least 7 days before the changes take effect.

Contact

For privacy-related enquiries, rights requests, or complaints, please contact:

Email: [email protected]

Entity: DBaaS.dev (India)

We will respond to all requests within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your applicable data protection authority — for example, your EU supervisory authority or the Data Protection Board of India.