Privacy Policy
Last updated: 2026-05-18
This Privacy Policy explains how Linabase collects, uses, shares, and protects personal data. Linabase is a managed Postgres backend with authentication and storage. That dual role matters for privacy: when a developer signs up at linabase.com, we are the controller of their account data. When that developer builds an application on Linabase and end-users sign in to *their* application, the developer is the controller of those end-users and we are the processor.
Who we are and how to reach us
Linabase is a service operated from Türkiye. Privacy inquiries, requests to exercise your rights under GDPR / KVKK / CCPA, and any other questions about this Policy can be sent to privacy@linabase.com. We aim to acknowledge inbound requests within 72 hours and to complete them within 30 days.
Security disclosures: see /.well-known/security.txt.
What we collect, and why
When you create a Linabase account:
- Email address and name (required to identify your account).
- Password (stored as a salted hash; we never see the plaintext after you submit it).
- If you sign in via Google or another OAuth provider: the email address, name, and profile-image URL the provider returns. We do not request additional scopes.
- Account role (regular user vs administrator), assigned by us based on configuration.
When you use the service:
- The projects and organizations you create, their names, schemas, and configuration.
- Audit metadata for security-relevant actions (login, project creation, sensitive setting changes).
- Email delivery logs for transactional emails we send you (recipient, subject, delivery status).
- API keys and webhooks you configure (URLs only; the secret material is hashed where applicable).
When you pay:
- Billing email, invoice amounts, payment method status, and subscription state. Card numbers and full payment details are handled by our payment processor (DodoPayments); we receive only metadata sufficient to recognize that a charge succeeded.
Automatically, when you interact with the service:
- IP address and user-agent for the session you are signed in on. Used to detect suspicious logins, ban credential-stuffing IPs (via fail2ban), and respond to abuse reports.
- Error reports (stack traces, request metadata) when something goes wrong. All form input, media, and authentication headers are masked or scrubbed before transmission to our error monitoring provider.
- Aggregated, cookieless analytics on our public marketing pages (page views and approximate country). No personal identifier is stored in your browser.
How we use your information
- To operate the service you signed up for, including running the backend infrastructure, processing your queries, and storing your files.
- To communicate with you about your account: verification, password reset, magic-link sign-in, new-login notifications, billing receipts.
- To detect and prevent abuse: rate-limiting, ban management, fraud signals, and responding to security incidents.
- To meet our legal and regulatory obligations: tax records, breach notifications to authorities, lawful requests for information.
We do not sell personal data. We do not share personal data with advertisers. We do not use your data to train AI models.
Legal bases (for visitors in the EU/EEA and UK)
- Performance of a contract (GDPR Art. 6(1)(b)) — most processing tied to operating your account.
- Legitimate interest (Art. 6(1)(f)) — security monitoring, abuse prevention, fraud detection, debugging via error monitoring. We have weighed your rights against our interest in keeping the service safe and reliable; you can object to processing on this basis by writing to privacy@linabase.com.
- Legal obligation (Art. 6(1)(c)) — retention of billing records under Turkish tax law, breach notifications to supervisory authorities.
- Consent (Art. 6(1)(a)) — for any future optional communications (we do not send marketing email at present).
Who we share data with
We use a small set of third-party services to operate Linabase. Each is disclosed at /subprocessors with its purpose, jurisdiction, the data categories it handles, and the transfer mechanism. We update that list at least 30 days before adding any new subprocessor; subscribe to the RSS feed for change notifications.
Beyond subprocessors, we may share personal data:
- To comply with a lawful request from a regulator, court, or law-enforcement authority. We review every request and disclose only what is legally required.
- In connection with a business transfer (merger, acquisition, asset sale). If this happens, we will notify you and the successor entity will be bound by this Policy or a substantively similar one.
- With your explicit instruction (for example, if you configure a webhook to forward auth events to your own systems).
International data transfers
Our primary infrastructure (Postgres, object storage, application servers) is operated by Hetzner in Germany. Data you upload to Linabase stays in the EU.
Some of our subprocessors operate outside the EU adequacy perimeter (the United States, India). Transfers to those providers rely on the EU Standard Contractual Clauses (SCCs) and additional safeguards as described at /subprocessors.
How long we keep data
- Account data — kept for as long as your account exists. Deleted on request (see "Your rights" below) or when the account is closed.
- Audit logs — automatically deleted after 90 days.
- Email delivery logs — automatically deleted after 30 days.
- Backups — daily snapshots are retained for 7 days; monthly snapshots are retained for 12 months. Backups are encrypted at rest (AES-256, server-side). Deleted data persists in the relevant backup window until those snapshots naturally expire.
- Billing records — kept for the period required by Turkish tax law (typically 5 years), even after account closure. We minimise the identifying detail to what tax records actually require.
- Error reports — retained for 90 days by our error monitoring provider, then deleted.
Your rights
If you are a Linabase developer (signed up at linabase.com), you can exercise the following rights by writing to privacy@linabase.com:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — delete your account and associated data. Two timing caveats: (1) data in encrypted backup snapshots persists until those snapshots naturally expire under the retention schedule above; (2) billing records subject to Turkish tax retention cannot be deleted before the retention period ends, but we strip identifying detail to the minimum required.
- Restriction — ask us to stop processing your data while we investigate a dispute about it.
- Portability — receive your account data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — where consent is the legal basis, withdraw it at any time. Withdrawal does not affect past processing.
- Complain — to the Turkish data protection authority (KVKK, kvkk.gov.tr) or, if you are in the EU/EEA/UK, to your local supervisory authority.
We respond to requests within 30 days. There is no charge for a first request; we may charge a reasonable fee for excessive or manifestly unfounded repeated requests.
If you are an end-user of an application built on Linabase
Some people reading this signed up to an application that uses Linabase as its backend, rather than to Linabase itself. If that's you: the operator of the application you signed up to is the controller of your personal data, not Linabase. We process your data on their instructions under a data processing agreement.
For requests about your data in that application (access, deletion, correction), please contact the operator of the application first. They are the party empowered to act on your data. If you cannot identify or reach that operator, you may contact us at privacy@linabase.com and we will assist with routing the request.
Security
We take security seriously. The relevant operational controls are:
- All traffic between you and Linabase is encrypted with TLS 1.2 or higher.
- Database backups are encrypted at rest using AES-256 server-side encryption before they leave our infrastructure.
- Authentication uses salted password hashing (bcrypt) and short-lived JWT access tokens. Sessions are bound to the originating IP family and rotated regularly.
- Postgres is publicly reachable on port 5432 for tenants who need direct database connections. Access is restricted by SCRAM-SHA-256 authentication, per-tenant database roles, and fail2ban (10 failed attempts in 10 minutes triggers a 10-minute IP ban).
- Tenant isolation is enforced at the Postgres level via row-level security policies and per-tenant schemas. A bug that confuses one tenant for another is treated as a critical security incident with a 72-hour breach notification path.
- Error monitoring (Sentry) is configured to mask form input, redact authentication headers, and drop request bodies before transmission.
- We follow a documented breach-response procedure with a 72-hour notification path to the supervisory authority for any confirmed personal-data breach.
No system is perfectly secure. If you become aware of a vulnerability, please report it to security@linabase.com.
Cookies and similar technologies
Linabase does not use third-party tracking cookies, advertising pixels, or cross-site fingerprinting. Our analytics provider on public pages is a self-hosted Umami instance that is cookieless and stores no identifier in your browser.
We use the following client-side storage, all of which qualifies as strictly necessary or functional under the ePrivacy Directive:
- An authentication cookie that keeps you signed in.
- localStorage entries for your theme preference, saved queries you create, layouts of database diagrams you arrange, and other workspace state that exists because you explicitly created it.
- Limited buffering by our error monitoring SDK when an error is captured. Form input and media are masked before any data is transmitted.
Because none of the above is used for tracking, advertising, or non-essential personalization, no consent banner is required and none is shown.
Account notification emails
When a new sign-in is detected on your account from an IP address you have not used recently, we send an alert email to your registered address. This email is for security purposes only and exists to help you spot account takeover quickly. If you would prefer not to receive these emails, contact privacy@linabase.com to opt out.
MCP OAuth consent
Linabase supports the Model Context Protocol (MCP), which lets third-party AI assistants and other MCP clients access your account with your authorization. When you authorize a client through our consent screen, that client receives a limited-scope token to act on your behalf. You can review and revoke those grants from your account settings. We log every grant and revocation for audit purposes.
Children
Linabase is a backend developer tool and is not intended for use by people under the age of 16. We do not knowingly collect personal data from children. If you believe a child has signed up, please contact privacy@linabase.com and we will delete the account.
Changes to this Policy
We may update this Policy from time to time. When we do, we change the "Last updated" date at the top of the page. Material changes are announced via email to active account holders at least 30 days before they take effect. If you continue to use the service after a change has taken effect, you accept the updated Policy.
Previous versions of this Policy are available on request from privacy@linabase.com.
Questions and complaints
For privacy questions or to exercise any of your rights: privacy@linabase.com.
For security disclosures: security@linabase.com or /.well-known/security.txt.
If you believe we have not handled your data properly, you have the right to lodge a complaint with the Turkish data protection authority (Kişisel Verileri Koruma Kurumu, kvkk.gov.tr) or, if you are in the EU/EEA/UK, with the supervisory authority in your country of residence.