Privacy Policy
Last updated: January 6, 2026
1. Introduction
This Privacy Policy explains how Tocka obrt ("we", "us", "our"), operating as DjangoCommand, collects, uses, and protects your personal data when you use our service.
Tocka, obrt za racunalne i druge usluge
Ljevakoviceva 40, 10040 Zagreb, Croatia
VAT: HR12390559308
Owner: Fran Hrzenjak
Email: privacy@djangocommand.com
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address
- Name (if provided)
- Authentication data (OAuth tokens from GitHub or Google, if used)
- Company/organization name (if provided)
2.2 Payment Information
Payments are processed by Paddle.com, which acts as our Merchant of Record. We do not store your credit card details. Paddle collects and processes payment information according to its Privacy Policy.
2.3 Service Usage Data
When you use DjangoCommand, we store data you create in our dashboard:
- Projects: Project name and timeout settings you configure
- API keys: Stored as cryptographic hashes (the full key is shown once at creation)
- Command configurations: Presets you create (name, argument restrictions, timeout overrides)
- Schedules: Recurring jobs you set up (name, cron expression, target command)
- Execution records: Arguments you provide when running commands, plus timestamps, duration, status, and exit code
- Notification preferences: Your email alert settings for command failures
We also automatically collect data from your connected Django application:
- Discovered commands: Management command names and help text synced from your Django project
- Agent metadata: Connection timestamps, agent version, Python version, and server hostname
2.4 Command Output Data
When commands run, we capture and store the real-time terminal output (stdout and stderr streams) produced by your Django management commands. This is the same output you would see if running the command in a terminal.
This output may contain data from your application, which could include personal data of your end users. See Section 5 for important information about your responsibilities regarding this data.
2.5 Newsletter Subscribers
If you join our waitlist or newsletter, we collect your email address. This is processed by Kit.com (formerly ConvertKit) according to their Privacy Policy.
2.6 Technical Data
Our web servers automatically record certain information in access logs as part of standard operation:
- IP addresses (yours when using the dashboard; your server's when the agent connects)
- Pages requested and timestamps
- HTTP response codes
- Browser identification (the User-Agent header sent by your browser, which typically includes browser name, version, and operating system)
We use cookies to maintain your logged-in session. See Section 11 for details on cookies.
2.7 Website Analytics
On our public marketing website (djangocommand.com), we use Umami, a privacy-focused analytics service, to understand how visitors find and use our site. Umami collects:
- Page views and navigation paths
- Referrer URLs (how you found us)
- Browser and operating system type
- Country (derived from IP address, which is then discarded)
- Device type (desktop, mobile, tablet)
Umami does not use cookies, does not track you across websites, and does not collect personally identifiable information. We can see aggregate statistics but cannot identify individual visitors.
Note: This analytics tracking is only present on our public marketing website. The DjangoCommand application (dashboard) does not include any analytics tracking.
3. How We Use Your Information
We use your information to:
- Provide and maintain the DjangoCommand service
- Process your subscription and payments
- Send transactional emails (execution alerts, account notifications)
- Send marketing communications (only with your consent)
- Improve our service and develop new features
- Ensure security and prevent abuse
- Comply with legal obligations
4. Legal Basis for Processing (GDPR)
We process your personal data under the following legal bases:
- Contract: Processing necessary to provide the service you've subscribed to
- Legitimate Interest: Analytics, security, and service improvement
- Consent: Marketing communications and newsletter
- Legal Obligation: Tax records, fraud prevention
5. Command Output Data — Your Responsibilities
When your Django management commands produce output, that output is stored on our servers. This output may contain personal data of your end users (names, emails, database records, etc.).
5.1 Our Role
For command output data, we act as a Data Processor on your behalf. You (our customer) remain the Data Controller for any personal data contained in command outputs.
5.2 Your Responsibilities
As the Data Controller for command output data, you are responsible for:
- Ensuring you have a lawful basis to process any personal data in command outputs
- Avoiding commands that output sensitive data (passwords, API keys, authentication tokens, secrets, financial data, health information)
- Informing your end users about data processing where required
- Responding to data subject requests regarding data in command outputs
5.3 Data Processing Agreement
Enterprise customers may request a Data Processing Agreement (DPA) by contacting legal@djangocommand.com.
5.4 Recommendations
We strongly recommend:
- Sanitizing command output to remove personal data where possible
- Using our service primarily for operational commands rather than data exports
- Reviewing command outputs before enabling commands in production
6. Data Retention
We retain data according to your subscription plan:
| Plan | Command Output Retention |
|---|---|
| Indie | 7 days |
| Team | 90 days |
| Business | 365 days |
| Enterprise | Custom |
After the retention period, command output logs are automatically deleted. Account data is retained for the duration of your account plus 7 years for tax/legal purposes.
7. Data Sharing
We share data with the following third parties:
- Paddle.com — Payment processing (Merchant of Record)
- Kit.com — Email marketing and newsletters
- Amazon Web Services EMEA SARL — Cloud infrastructure and data storage (Frankfurt, Germany region)
- Umami Cloud — Privacy-focused website analytics for our marketing site only (no personal data collected; no cookies)
We do not sell your personal data to third parties.
A complete list of subprocessors is available upon request at legal@djangocommand.com.
8. International Data Transfers
Your data is stored and processed in the European Union, specifically in Amazon Web Services' Frankfurt (eu-central-1) data center in Germany.
While your data remains in the EU, Amazon Web Services is part of a US-headquartered corporate group. To address any potential concerns regarding US jurisdiction:
- AWS EMEA SARL (Luxembourg) is our contracting entity
- We have executed the AWS Data Processing Addendum, which includes Standard Contractual Clauses
- AWS is certified under the EU-US Data Privacy Framework
For our other service providers (Paddle, Kit.com), we rely on Standard Contractual Clauses and/or the EU-US Data Privacy Framework as appropriate.
9. Your Rights (GDPR)
Under GDPR, you have the right to:
- Access — Request a copy of your personal data
- Rectification — Correct inaccurate personal data
- Erasure — Request deletion of your personal data
- Restriction — Limit how we use your data
- Portability — Receive your data in a portable format
- Object — Object to processing based on legitimate interest
- Withdraw Consent — Withdraw consent at any time
To exercise these rights, contact privacy@djangocommand.com.
You also have the right to lodge a complaint with your local data protection authority. In Croatia, this is the Personal Data Protection Agency (AZOP).
10. Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption in transit (TLS/HTTPS)
- Encryption at rest for sensitive data
- Access controls and authentication
- Regular security reviews
11. Cookies
We use the following types of cookies in our application:
- Essential cookies: Required for authentication, session management, and security. These cannot be disabled.
- Preference cookies: Remember your settings (e.g., theme, timezone). You can disable these in your browser.
We do not use third-party advertising or tracking cookies. Our website analytics (Umami) does not use cookies, which is why we do not display a cookie consent banner.
Do Not Track
Some browsers have a "Do Not Track" (DNT) feature. We do not currently respond to DNT signals because there is no industry-standard interpretation. However, since we do not use third-party tracking cookies, the practical effect is the same.
12. Children's Privacy
DjangoCommand is not intended for children under 16. We do not knowingly collect personal data from children.
13. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or significantly affects you. All significant decisions regarding your account or service are made by humans.
14. Third-Party Links
Our website and service may contain links to third-party websites (e.g., documentation, OAuth providers). We are not responsible for the privacy practices of these external sites. We encourage you to read their privacy policies before providing any personal data.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through our service. The "Last updated" date at the top indicates when this policy was last revised.
16. Contact Us
For privacy-related questions or concerns:
Address: Tocka obrt, Ljevakoviceva 40, 10040 Zagreb, Croatia