Privacy Policy

Last revised: May 29, 2026

This Privacy Policy describes how UAB Sensmetry ("we", "us", or "our"), company code 305079257, J. Jasinskio g. 16A, LT-03163 Vilnius, Lithuania, processes your personal information through Sysand Index, acting as a data controller.

If you have questions or comments about this policy, you may email us at privacy@sensmetry.com.

What Information Do We Collect?

We collect the following personal information when you use Sysand Index:

  • Account information: username, display name, email address, and hashed password.
  • Authentication data: if you sign in via Google, Microsoft, GitHub, or GitLab, we receive your email address and profile name from the provider. We do not store your OAuth tokens.
  • Audit logs: we log security-relevant actions (login, password changes, token management) along with your IP address for incident response.
  • Uploaded content: packages you publish, including metadata such as publisher name, project name, and version.
  • Avatar images: we generate an MD5 hash of your email address and send it to Gravatar (operated by Automattic) to retrieve your profile picture. This request is made from our server, not your browser — your IP address is never shared with Gravatar. If you have a Gravatar account, your avatar is displayed; otherwise a generated geometric pattern is shown.

How Do We Process Your Information?

We process your personal information to provide, secure, and administer Sysand Index:

  • To operate and maintain the service.
  • To authenticate you and secure your account.
  • To send transactional emails (token creation, invitations, account changes).
  • To investigate and respond to security incidents via audit logs.

We do not sell your personal information. We do not use your personal information for advertising. We do not use third-party analytics or tracking services.

What Legal Bases Do We Rely On to Process Your Information?

The General Data Protection Regulation (GDPR) requires us to explain the valid legal bases we rely on when processing your personal information. We process your personal information on the following bases:

  • Contract: processing necessary to provide the service you signed up for (account management, package hosting).
  • Legitimate interest: security audit logging and incident response.

When and With Whom Do We Share Your Personal Information?

Your public profile (username, display name) and published packages are visible to all users. We do not share your private information with third parties except:

  • Google Cloud Platform (operated by Google LLC, US) — hosts the service in the EU. See the "Where Do We Store Your Information?" section below for details.
  • Google Workspace (Google LLC, US) — delivers transactional emails (token creation, invitations, account changes) from our corporate email account.
  • Gravatar (Automattic, US-based) — receives MD5 hashes of email addresses to serve avatar images. No other personal information is shared.
  • When required by law.

Where Do We Store Your Information?

Your information is stored on Google Cloud Platform in the europe-north2 region (Stockholm, Sweden). Both the website and the API are served over TLS, with certificates issued by Let's Encrypt. Information is encrypted in transit (TLS between you and the service, and between the application and the database) and at rest (Google-managed encryption keys for Cloud SQL and Cloud Storage).

Cloud SQL automated backups, including point-in-time recovery, are stored in the same region.

Google Cloud Platform is operated by Google LLC, a US-based company. Although the storage region is in the EU, Google as a service provider may be subject to US legal requests. We provide adequate protection for any such transfers through the Google Cloud Data Processing Addendum, which incorporates the Standard Contractual Clauses and the UK International Data Transfer Addendum as available under applicable law from time to time.

Do We Use Cookies and Other Tracking Technologies?

We use only essential cookies required for the service to function:

  • Session cookie: keeps you logged in.
  • CSRF cookie: protects against cross-site request forgery.

We also store your theme preference (light/dark) in your browser's local storage. We do not use any analytics or advertising cookies.

How Long Do We Keep Your Information?

We will only keep your personal information for as long as it is necessary for the purposes set out in this privacy policy, unless a longer retention period is required or permitted by law.

  • Account information: retained until you delete your account.
  • Audit logs: retained for up to one year, then automatically purged.
  • Published packages: retained until you or a project owner removes them.

What Are Your Privacy Rights?

In some regions (like the EEA, UK, and Switzerland), you have certain rights under applicable data protection laws. These may include the right to:

  • Access your personal information.
  • Rectify inaccurate information via your account settings.
  • Delete your account and associated information from your account settings page.
  • Export your personal information — contact us at privacy@sensmetry.com.
  • Withdraw consent at any time where we rely on consent to process your information.
  • Lodge a complaint with your Member State data protection authority.

The easiest way to exercise your rights is by emailing us at privacy@sensmetry.com.

Do We Make Updates to This Policy?

We may update this privacy policy from time to time. The updated version will be indicated by an updated "Last revised" date at the top of this privacy policy. We will notify registered users of material changes by email.

How Can You Contact Us About This Policy?

If you have questions or comments about this policy, you may email us at privacy@sensmetry.com.