This Privacy Policy explains how Yggdrasil Digital ("Stateward", "we", "us") processes personal data when you use the Stateward websites and Services, in accordance with Regulation (EU) 2016/679 (the "GDPR") and the French Data Protection Act (Loi Informatique et Libertés).
It covers the data for which we act as controller — mainly account, billing and website data. Where we process personal data contained in your code or repositories on your behalf, we act as your processor under our Data Processing Agreement; your own privacy notice governs that data toward your users.
1. Controller and Contact
Controller: Yggdrasil Digital (SASU, RCS Toulouse 917 849 820), 18 rue Fournié, 31830 Plaisance-du-Touch, France.
For any privacy question or to exercise your rights: privacy@stateward.com.
2. Data We Collect
- Account data: name, email, username, password (hashed), organisation, and authentication identifiers from GitHub, GitLab, Bitbucket or Google when you sign in via those providers.
- Billing data: plan, credit balance and transactions, billing contact and, where relevant, VAT number. Card details are handled directly by our payment provider; we do not store full card numbers.
- Usage and technical data: log data, IP address, device and browser information, pages and features used, API and CLI activity, and diagnostic events.
- Communications: messages you send us (support, contact form, email).
- Repository metadata: repository names, identifiers and configuration needed to run the Services. Source code and findings are governed by the Data Processing Agreement and are not used to identify you.
We do not knowingly collect special categories of data, and the Services are not intended for children.
3. Purposes and Legal Bases
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide the Services, manage your account and integrations | Performance of a contract (Art. 6(1)(b)) |
| Process payments, invoicing and keep accounting records | Contract and legal obligation (Art. 6(1)(b), (c)) |
| Secure the Services, prevent fraud and abuse | Legitimate interest (Art. 6(1)(f)) |
| Provide support and respond to your requests | Contract and legitimate interest |
| Improve and measure the Services (aggregated analytics) | Legitimate interest, or consent for non-essential cookies |
| Send service messages and, with consent where required, product updates | Legitimate interest / consent (Art. 6(1)(a)) |
| Comply with legal obligations and defend our rights | Legal obligation and legitimate interest |
Where we rely on legitimate interest, you may object as described in Section 7.
4. How We Share Data
We share personal data only with:
- Processors acting on our instructions: hosting and infrastructure, payment, email, analytics and support tools. They are bound by GDPR-compliant agreements. Our current subprocessors are listed on our Subprocessors page.
- No third-party AI providers. AI-powered analysis runs on Yggdrasil Digital's own EU infrastructure (Citadea); we do not share your code with external AI providers. If you connect your own model (bring-your-own-key), that provider processes data under your own agreement with it.
- Authorities or third parties where required by law, to enforce our terms, or to protect rights, safety and security.
- A successor in the context of a merger, acquisition or reorganisation, subject to this Policy.
We do not sell your personal data.
5. Hosting and International Transfers
The application and customer data are hosted on Citadea, Yggdrasil Digital's own sovereign European (EU) infrastructure. The marketing website is served by Vercel.
Where a processor or AI provider involves a transfer outside the European Economic Area, we rely on an adequacy decision or appropriate safeguards under GDPR Article 46 (notably the European Commission's Standard Contractual Clauses), with supplementary measures where needed. You may request a copy of the relevant safeguards at privacy@stateward.com.
6. Retention
We keep personal data only as long as necessary:
- Account data: for the life of your account, then deleted or anonymised within a reasonable period after closure;
- Billing and accounting records: up to ten (10) years as required by French law;
- Logs and technical data: typically up to twelve (12) months, longer where needed for security investigations;
- Marketing consents and prospect data: up to three (3) years from the last contact.
7. Your Rights
Under the GDPR you have the right to access, rectify, erase, restrict and port your data, to object to processing based on legitimate interest or to direct marketing, and to withdraw consent at any time. You may also set guidelines for the handling of your data after your death.
To exercise these rights, contact privacy@stateward.com. We may need to verify your identity and will respond within one month. You have the right to lodge a complaint with the French supervisory authority, the CNIL (cnil.fr), or your local authority.
8. Security
We implement technical and organisational measures appropriate to the risk, including encryption in transit, access controls, least-privilege and read-only repository access, logging and monitoring. No system is perfectly secure, but security is the core of what we do; see our security policy for responsible disclosure.
9. Cookies
Our use of cookies and similar technologies is described in our Cookie Policy.
10. Changes
We may update this Policy. We will post the updated version with a new "Last updated" date and, for material changes, provide additional notice. Continued use after the effective date constitutes acknowledgement of the updated Policy.
Contact: privacy@stateward.com.