Privacy policy
Effective 2026-05-28
Cantila is operated by JJ Cantila, sole proprietor. This policy describes what Cantila collects, why, where it lives, and your rights over it. Written plainly — no dark patterns and no buried opt-outs.
1. The short version
- We collect what we need to provide the service and bill for it. Nothing else.
- We do not sell personal data. We have never sold personal data. We never will.
- You can export your data and delete your account from the Console at any time.
- Subprocessors are listed at cantila.app/legal/subprocessors.
2. What we collect
Account information
- Email address (required).
- Name (optional).
- Password hash (we never see your password in the clear; it is hashed with bcrypt).
- OIDC subject + claims (if you sign in with SSO).
Billing information
- Stripe customer id, subscription id, billing address.
- The last 4 digits of your card — never the full PAN; that lives at Stripe.
Operational data
- Projects, deploys, environment variable names (values are encrypted at rest with AES-256-GCM under CANTILA_SECRET_KEY).
- Build and runtime logs (retained 30 days for Hobby, 90 for paid).
- Agent action journal — observations, actions, outcomes, verifiers.
- Activity log — every mutation, system or human, with the source key fingerprint.
Traffic to your apps
Cantila Host proxies traffic to your projects. We log request metadata (method, path, status, latency, bytes) for 7 days for debugging and abuse prevention. We do not retain request bodies and we do not inspect TLS payloads.
3. What we do with it
- Operate the service — deploys, scaling, routing, billing.
- Detect and respond to abuse (security agent, audit log).
- Email transactional notices (deploy succeeded / failed, invoice paid / failed, security alerts).
- Improve the product based on aggregate, de-identified usage signals.
We do not run third-party advertising or analytics on the Cantila Console.
4. Where it lives
Primary production region: Hetzner FSN1 (Falkenstein, Germany). Database backups are encrypted and stored in the same region. Stripe processes payments globally per their data residency commitments.
5. Who else touches it
Cantila uses a small set of subprocessors — Hetzner (compute), Stripe (billing), Cloudflare (DNS), OpenSRS (domain reseller), and — when their respective Phases ship — Mailcow and Telnyx / Bandwidth. The full list with purpose and region is at cantila.app/legal/subprocessors.
6. Your rights
- Access. Export your account data from Settings → Export.
- Correction. Edit any field that's editable in the Console.
- Deletion. Delete your account from Settings; we purge inside 30 days.
- Portability. Exports include JSON for accounts, projects, and configurations, and SQL dumps for managed databases.
- Objection. Email privacy@cantila.app.
GDPR, UK GDPR and CCPA apply where they apply. You don't need to cite the statute — just ask.
7. Retention
- Account: while the account is open + 30 days after closure.
- Billing records: 7 years (legal requirement).
- Logs: 7–90 days depending on plan and category.
- Backups: 30 days rolling.
8. Security
- TLS 1.2+ on every public endpoint.
- Secrets encrypted at rest with AES-256-GCM under per-account envelope keys.
- Per-key API scopes; the Security agent watches for auth anomalies.
- SSH and admin endpoints firewalled to the founder's residential IP.
Vulnerability reports: security@cantila.app.
9. Changes to this policy
Material changes get an email to every account at least 30 days before they take effect. Non-material edits (typos, link fixes) ship without notice; check the effective date at the top.
10. Contact
privacy@cantila.app or — for anything urgent — founder@cantila.app.