Privacy Policy

Last updated: February 2026

1. Controller

The controller responsible for data processing on this website is:

Pixel & Process UG (haftungsbeschränkt)
Marliring 74, 23566 Lübeck, Germany
Email: privacy@lockwave.io

2. Data We Process

When you use Lockwave, we process the following categories of personal data:

  • Account data - Name, email address, password hash, profile photo (optional), two-factor authentication secrets
  • Team data - Team name, membership, roles
  • SSH public keys - Public key material, fingerprint, key type, associated metadata. We never store private keys.
  • Host data - Display name, hostname, OS, architecture, IP addresses, OS usernames
  • Audit events - Timestamped records of actions performed (key generation, assignment changes, break-glass events, etc.)
  • Billing data - Processed by Stripe. We do not store credit card numbers. See Stripe's privacy policy.
  • Usage data - Server logs, IP addresses, browser user agent (for security and debugging)
  • Contact form data - Name, email, subject, category, message, and IP address when you submit a support inquiry. Processed on the legal basis of your consent (Art. 6(1)(a) GDPR). Retained until your inquiry is resolved, then deleted within 90 days.

3. Legal Basis

We process personal data on the following legal bases (GDPR Art. 6):

  • Contract performance (Art. 6(1)(b)) - Account data, SSH keys, hosts, and assignments are necessary to provide the service
  • Legitimate interest (Art. 6(1)(f)) - Audit logs and security monitoring to protect the service and our users
  • Legal obligation (Art. 6(1)(c)) - Tax records and invoices as required by German law
  • Consent (Art. 6(1)(a)) - Optional marketing communications (you may withdraw consent at any time)

4. Hosting & Infrastructure

Lockwave is hosted on servers operated by Hetzner Online GmbH, located in the European Union (Germany and Finland). Data does not leave the EU unless you explicitly configure it otherwise.

Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany

5. Third-Party Processors

  • Stripe, Inc. - Payment processing (USA, EU Standard Contractual Clauses apply)
  • Hetzner Online GmbH - Server hosting (EU)
  • Sentry (Functional Software, Inc.) - Error tracking (USA, EU Standard Contractual Clauses apply)

6. Data Retention

  • Account data - Retained while your account is active. Deleted within 30 days of account deletion.
  • SSH keys & assignments - Deleted when you delete them or when your account is deleted.
  • Host data - Deleted when the host is removed or when your account is deleted.
  • Audit logs - Retained for 12 months after the event for compliance purposes, then anonymized.
  • Invoices & tax records - Retained for 10 years as required by German tax law (§ 147 AO).

7. Your Rights

Under GDPR, you have the following rights:

  • Access (Art. 15) - Request a copy of your personal data. Use the DSAR export feature in your dashboard.
  • Rectification (Art. 16) - Correct inaccurate data via your profile settings.
  • Erasure (Art. 17) - Request deletion of your account and associated data.
  • Data portability (Art. 20) - Export your data in machine-readable format via the DSAR feature.
  • Restriction (Art. 18) - Request restriction of processing.
  • Objection (Art. 21) - Object to processing based on legitimate interest.

To exercise your rights, contact us at privacy@lockwave.io.

8. Right of Withdrawal

Where processing is based on your consent (Art. 6(1)(a) GDPR), you have the right to withdraw that consent at any time (Art. 7(3) GDPR). Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

To withdraw consent, contact us at privacy@lockwave.io. We will process your withdrawal without undue delay.

9. Cookies

Lockwave uses only strictly necessary cookies for session management and CSRF protection. We do not use advertising or tracking cookies.

10. Security

We implement appropriate technical and organizational measures to protect your data, including encryption in transit (TLS), encrypted storage, access controls, and regular security reviews.

11. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority. The competent authority for us is:

Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD)
Holstenstr. 98, 24103 Kiel
https://www.datenschutzzentrum.de

12. Changes

We may update this privacy policy from time to time. Material changes will be communicated via email to registered users. The current version is always available at this URL.