Privacy Policy
Last updated: April 2026
1. Who We Are (Data Controller)
Dotfiles Market is operated by an individual based in the European Union. We are the data controller responsible for your personal data under the General Data Protection Regulation (GDPR).
For any privacy-related questions or requests, contact us at contact@dotfiles.market.
2. Information We Collect
2a. Information you provide directly
- Account information: Email address, username, and hashed password (if using email/password sign-up). Optional profile fields: display name, bio, avatar, GitHub username, Twitter/X username, website URL.
- Content you create: Showcases (title, description, uploaded files, screenshots), comments, collections, and other content you publish on the platform.
- Communications: Messages you send to us via email.
2b. Information collected automatically
- Session data: When you log in, we store a session token along with your IP address and browser user agent. This is used to secure your session and detect suspicious access.
- Usage data: Anonymised visitor counts per showcase (using a temporary visitor identifier, not linked to your account unless you are logged in), and download records including IP address. For website analytics, we use Umami, a self-hosted, privacy-focused platform that completely anonymises your web traffic.
- Cookies: We use a single essential session cookie to keep you logged in. We do not use advertising, tracking, or analytics cookies.
2c. Information from third-party sign-in providers
If you sign in via GitHub or Google OAuth, we receive your email address, display name, and profile avatar from that provider. We store an access token provided by the OAuth provider to maintain your sign-in session. We do not receive your password from these providers.
3. How We Use Your Information and Legal Basis
Under GDPR, we must have a lawful basis for processing your personal data. The table below explains what we use your data for and the legal basis we rely on.
| Purpose | Legal Basis |
|---|---|
| Creating and managing your account | Contract performance (Art. 6(1)(b) GDPR) |
| Authenticating your login and managing sessions | Contract performance (Art. 6(1)(b) GDPR) |
| Sending transactional emails (verification, password reset, purchase confirmations) | Contract performance (Art. 6(1)(b) GDPR) |
| Processing payments and seller payouts (when payments are enabled) | Contract performance (Art. 6(1)(b) GDPR) |
| Storing IP address and user agent in session records | Legitimate interest — security and fraud prevention (Art. 6(1)(f) GDPR) |
| Tracking download and view counts for analytics | Legitimate interest — platform improvement (Art. 6(1)(f) GDPR) |
| Content moderation and platform safety | Legitimate interest — preventing harm (Art. 6(1)(f) GDPR) |
4. Data Retention
We retain your data only as long as necessary for the purposes described above. Specific retention periods:
- Account data: Retained until you delete your account.
- Session records: Deleted after 30 days of inactivity.
- Email verification and password reset tokens: Deleted within 24 hours of creation or upon use, whichever comes first.
- Download and view records: Retained for up to 90 days, then purged or anonymised.
- Moderation logs: Retained for up to 2 years for platform safety purposes.
- Purchase and payment records: Retained for 7 years to satisfy EU accounting and tax record-keeping obligations.
- After account deletion: Most personal data is deleted within 30 days. Residual copies in system backups are purged within 90 days. Anonymised aggregate statistics may be retained indefinitely.
5. Sharing Your Information
We do not sell your personal data. We share data only in the following circumstances:
- Third-party service providers who process data on our behalf (see Section 6 below).
- Public content: Showcases, comments, and profile information you choose to make public are visible to all visitors.
- Legal requirements: If required by law, court order, or to protect our legal rights or the safety of others.
6. Third-Party Services and International Transfers
Some of our service providers are based outside the European Economic Area (EEA). Where personal data is transferred internationally, we rely on the European Commission's Standard Contractual Clauses or the provider's EU-U.S. Data Privacy Framework certification to ensure adequate protection.
- Stripe (US) — Payment processing and seller payouts (when payments are enabled). Your payment card data is processed directly by Stripe and never stored on our servers. Stripe is certified under the EU-U.S. Data Privacy Framework. (Stripe Privacy Policy)
- Loops.so (US) — Transactional email delivery (account verification, password reset, purchase confirmations). We share your email address and username with Loops for this purpose only. (Loops Privacy Policy)
- GitHub (US) — Optional OAuth sign-in provider. If you use GitHub to sign in, GitHub shares your email and profile with us. (GitHub Privacy Statement)
- Google (US) — Optional OAuth sign-in provider. If you use Google to sign in, Google shares your email and profile with us. (Google Privacy Policy)
- File storage (self-hosted) — Uploaded files (showcase ZIP archives and images) are stored on infrastructure we control directly. No third-party cloud provider processes this data.
7. Cookies
We use one essential session cookie to keep you signed in. This cookie is strictly necessary for the service to function and does not require your consent under the ePrivacy Directive. We do not use any advertising, analytics, or tracking cookies (our self-hosted analytics tool, Umami, is entirely cookie-less). You can delete this cookie by signing out or clearing your browser cookies, but doing so will end your session.
8. Data Security
We implement technical and organisational measures appropriate to the risk, including: encrypted connections (HTTPS/TLS) for all data in transit, bcrypt password hashing, HTTP-only secure session cookies, rate limiting, and security headers. However, no internet transmission is completely secure and we cannot guarantee absolute security. If you become aware of a security issue, please contact us immediately at contact@dotfiles.market.
9. Your Rights Under GDPR
If you are located in the European Economic Area, you have the following rights regarding your personal data:
- Access (Art. 15): Request a copy of the personal data we hold about you.
- Rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Erasure (Art. 17): Request deletion of your personal data. You can also delete your account directly from your account settings.
- Portability (Art. 20): Request a machine-readable copy of data you have provided to us.
- Objection (Art. 21): Object to processing based on legitimate interest.
- Restriction (Art. 18): Request that we restrict processing in certain circumstances.
To exercise any of these rights, email contact@dotfiles.market. We will respond within 30 days. We may ask you to verify your identity before fulfilling a request.
If you are unsatisfied with how we handle your request, you have the right to lodge a complaint with your local data protection supervisory authority. In the EU, you can find your national authority at edpb.europa.eu.
10. Children's Privacy
Our services are not directed to individuals under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has created an account, please contact us at contact@dotfiles.market and we will delete the account promptly.
11. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Where the breach is likely to result in a high risk, we will also notify affected individuals without undue delay.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify registered users by email or by a prominent notice on the platform at least 30 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.
13. Contact Us
For any questions about this Privacy Policy or how we handle your personal data, contact us at contact@dotfiles.market.
