Privacy Policy

Effective date: 6 March 2026

Reumbra OÜ · Registry code: 16937677 · VAT: EE102715497
Kvartsi 4-22, Tartu, Tartu Vald, 50415, Estonia · info@reumbra.com

1. Data Controller

The controller of personal data collected through forge.reumbra.com is Reumbra OÜ (details above). Reumbra OÜ has not designated a separate data protection officer. Data protection inquiries should be directed to info@reumbra.com.

Note: Payments for Forge DevKit are processed by Lemon Squeezy, Inc. (Merchant of Record). Lemon Squeezy independently processes payment card data and related financial information. That processing is governed by Lemon Squeezy's Privacy Policy. Reumbra OÜ does not receive or store your payment card details.

2. Personal Data Collected

Reumbra OÜ collects and processes the following categories of personal data:

  • E-mail address - provided at checkout; used to deliver the license key and for customer support communications.
  • IP address - collected automatically when you visit forge.reumbra.com or activate the CLI tool; used for security, abuse prevention, and anonymised website analytics.
  • Machine ID (pseudonymised device identifier, stored as a SHA-256 hash) - collected by the Forge DevKit CLI tool upon setup, after explicit consent is given during the setup wizard. Used to associate a license with a specific device and to detect unauthorised license sharing.
  • Device label - a human-readable name for the device where the CLI tool is installed (e.g. "MacBook Pro - Work"), collected after explicit consent during the setup wizard. Used together with the Machine ID to allow the user to manage their licensed devices.
  • User-submitted content (feedback and bug reports) - free-text comments that users voluntarily submit through the CLI tool's feedback or bug-report functionality. May contain personal information at the user's own discretion. Collected only with explicit consent confirmed during CLI setup.
  • Purchase history - order date, product name, license tier, and license key status; used to manage and verify the license and to resolve disputes.

Reumbra OÜ does not collect delivery addresses, phone numbers, or payment card data. Payment data is processed exclusively by Lemon Squeezy, Inc.

3. Purposes and Legal Basis of Processing

3.1 Fulfilling the License Agreement

Legal basis: performance of a contract (GDPR Art. 6(1)(b)).

  • Delivering the license key to the e-mail address provided at checkout
  • Verifying license validity and device association when the CLI tool is activated (using Machine ID and device label)
  • Managing license renewals, cancellations, and refund requests

3.2 Customer Support

Legal basis: performance of a contract (GDPR Art. 6(1)(b)).

  • Responding to support requests, questions, or complaints sent to info@reumbra.com
  • Reviewing user-submitted feedback and bug reports to improve the Service

3.3 Legal Obligations

Legal basis: compliance with a legal obligation (GDPR Art. 6(1)(c)).

  • Retaining purchase and accounting records as required by Estonian accounting law

3.4 Legitimate Interest

Legal basis: legitimate interest of the controller (GDPR Art. 6(1)(f)).

  • Retaining purchase history data to resolve potential consumer disputes and to verify license entitlement
  • Processing IP addresses for website security and protection against abuse

A legitimate interest assessment for the above purposes is available upon request by e-mail to info@reumbra.com.

3.5 Consent (CLI Setup)

Legal basis: consent (GDPR Art. 6(1)(a)).

Collection and processing of Machine ID, device label, and user-submitted feedback and bug reports. Consent is obtained explicitly during the Forge DevKit CLI setup wizard before any of this data is collected. You may withdraw consent at any time by contacting info@reumbra.com; withdrawal will result in deactivation of device-level license features.

3.6 Direct Marketing (with Consent)

Legal basis: consent (GDPR Art. 6(1)(a)).

Reumbra OÜ may send product update announcements or relevant communications to your e-mail address if you have explicitly consented to receiving such messages. You may withdraw consent at any time by clicking the unsubscribe link in any marketing e-mail or by contacting info@reumbra.com.

4. Data Processors and Recipients

Reumbra OÜ uses the following third-party service providers to operate the Service. Data processors act on documented instructions from Reumbra OÜ and are bound by contractual data protection obligations under GDPR Art. 28.

4.1 Lemon Squeezy, Inc. - USA

Role: Independent data controller (Merchant of Record).
Purpose: Payment processing, tax collection, billing, and refunds.
Data shared: Name, e-mail address, product purchased, transaction metadata.
Transfer basis: EU–US Data Privacy Framework (July 2023) and Standard Contractual Clauses.
Privacy policy: lemonsqueezy.com/privacy

4.2 Resend, Inc. - USA

Role: Data processor.
Purpose: Transactional e-mail delivery (license key delivery, order confirmation, customer support replies).
Data processed: Recipient e-mail address, name, e-mail content.
Transfer basis: Standard Contractual Clauses (EU 2021/914) incorporated in Resend's DPA.
DPA reference: resend.com/legal/dpa - SOC 2 Type II certified.

4.3 Supabase, Inc. - USA (servers: EU region)

Role: Data processor.
Purpose: Cloud database hosting for the license activation server.
Data processed: E-mail address, license key, license tier, activation status, timestamps.
Data location: European Union hosting region (eu-west-1 / Frankfurt).
Transfer basis: Standard Contractual Clauses (EU 2021/914) incorporated in Supabase's DPA.
DPA reference: supabase.com/legal/dpa

4.4 Amazon Web Services - USA / EU

Role: Data processor.
Purpose: Cloud infrastructure for the license activation server.
Data processed: Server-level logs and infrastructure metadata.
Transfer basis: Standard Contractual Clauses in the AWS GDPR Data Processing Addendum.
DPA reference: aws.amazon.com/service-terms (section 1.14)

4.5 Cloudflare, Inc. - USA

Role: Data processor.
Purpose: Website hosting and delivery (Cloudflare Pages); privacy-preserving web traffic analytics (Cloudflare Web Analytics).
Data processed: IP addresses and request metadata at the network edge.
Transfer basis: Standard Contractual Clauses in the Cloudflare Customer DPA.
DPA reference: cloudflare.com/cloudflare-customer-dpa

4.6 Google LLC / Google Ireland Limited - USA / Ireland

Role: Data processor (for analytics).
Purpose: Website usage analytics (Google Analytics 4).
Data processed: Pseudonymised identifiers, browser and device parameters, page interaction events, approximate location.
Legal basis: Consent (GDPR Art. 6(1)(a)). Google Analytics is activated only after the visitor accepts the cookie consent banner.
Transfer basis: EU–US Data Privacy Framework and Standard Contractual Clauses.
Privacy policy: policies.google.com/privacy

4.7 Meta Platforms Ireland Limited / Meta Platforms, Inc. - Ireland / USA (planned)

Role: Independent data controller (joint controllership under GDPR Art. 26).
Purpose: Conversion measurement and advertising effectiveness tracking for Instagram and Facebook campaigns. This tool will be activated only when Reumbra OÜ runs paid advertising on Meta platforms. This Privacy Policy will be updated to confirm activation at that time.
Legal basis: Consent (GDPR Art. 6(1)(a)). The Meta Pixel will only be activated after the visitor accepts the cookie consent banner.
Transfer basis: EU–US Data Privacy Framework and Standard Contractual Clauses.
Data subjects may exercise their rights against Meta directly via: facebook.com/privacy/policy

4.8 Legal and Regulatory Authorities

Personal data may be disclosed to courts, law enforcement agencies, or regulatory authorities where required by applicable law. Reumbra OÜ does not sell personal data to third parties and does not share personal data for advertising or profiling purposes outside of what is described above.

5. International Data Transfers

Several processors listed above are US-based. Personal data transfers to each are covered by the following safeguards:

  • Resend: Standard Contractual Clauses (EU 2021/914) under Resend's DPA.
  • Supabase: Standard Contractual Clauses under Supabase's DPA. Database hosted in EU region.
  • AWS: Standard Contractual Clauses in the AWS GDPR Data Processing Addendum.
  • Cloudflare: Standard Contractual Clauses in the Cloudflare Customer DPA.
  • Google Analytics: EU–US Data Privacy Framework and Standard Contractual Clauses.
  • Meta Platforms: EU–US Data Privacy Framework and Standard Contractual Clauses (joint controllership).
  • Lemon Squeezy: EU–US Data Privacy Framework and Standard Contractual Clauses.

Details of specific safeguards for each processor are available upon request at info@reumbra.com.

6. Security

Reumbra OÜ applies appropriate technical and organisational security measures to protect personal data. These measures include:

  • Encrypted data transmission (TLS/HTTPS) for all connections to forge.reumbra.com and the license activation server
  • License keys transmitted only to the verified e-mail address provided at checkout
  • Access to personal data restricted to Reumbra OÜ personnel on a need-to-know basis
  • Regular monitoring for security vulnerabilities

7. Data Retention

  • License and purchase data: Retained for the duration of the active license and for three years after expiry.
  • Accounting records: Retained for seven years in accordance with Estonian accounting law.
  • Customer support correspondence: Retained for two years after the matter is resolved.
  • IP addresses and server logs: Retained for up to 90 days.
  • Marketing consent and communications: Retained until consent is withdrawn, then promptly deleted.

8. Your Rights

As a data subject under the GDPR, you have the following rights:

8.1 Right of Access

You may request confirmation of whether Reumbra OÜ processes your personal data, and if so, receive a copy of the data. Requests should be sent to info@reumbra.com. We will respond within one month.

8.2 Right to Rectification

If your personal data is inaccurate or incomplete, you may request that it be corrected by contacting info@reumbra.com.

8.3 Right to Erasure

You may request the deletion of your personal data by e-mailing info@reumbra.com. We will respond within one month and specify the erasure timeline.

8.4 Right to Restriction

If your data is inaccurate, incomplete, or processed unlawfully, you may request that processing be restricted while the matter is resolved.

8.5 Right to Data Portability

You may request that personal data you have provided to us be transferred to you or to another controller in a structured, commonly used, machine-readable format. We will respond within one month.

8.6 Right to Object

You have the right to object to the processing of your personal data where processing is based on legitimate interest (GDPR Art. 6(1)(f)). If you object to marketing processing, we will cease immediately.

8.7 Right to Withdraw Consent

Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal. To withdraw consent, contact info@reumbra.com or use the unsubscribe link in any marketing e-mail.

9. Right to Lodge a Complaint

If you believe your personal data has been processed in violation of applicable data protection law, you have the right to lodge a complaint with:

Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
E-mail: info@aki.ee
Website: aki.ee

You may also lodge a complaint with the supervisory authority in your country of residence within the EU.

10. Changes to This Privacy Policy

Reumbra OÜ may update this Privacy Policy from time to time. If changes are material, you will be notified by e-mail at least 14 days before they take effect. The current version is always available at forge.reumbra.com/privacy.

Get Forge →