caprail

Imprint & Privacy Policy

Imprint

Information in accordance with § 5 E-Commerce-Gesetz (ECG) and § 25 Mediengesetz (MedienG).

Operators

Maximilian Leodolter & Tobias Leodolter
Austria

Contact

Email: contact@caprail.io

EU Dispute Resolution

The European Commission provides a platform for online dispute resolution (ODR): ec.europa.eu/consumers/odr. We are neither obligated nor willing to participate in dispute resolution proceedings before a consumer arbitration board.

Privacy Policy

Last updated: April 2026

1. Data Controller

The data controller for this website is Maximilian Leodolter & Tobias Leodolter, Austria. You can reach us at contact@caprail.io.

2. What Data We Collect

We collect data that you provide directly when creating an account or using our service, such as your name and email address. We also collect technical data automatically, including your IP address, browser type, operating system, referring URL, and pages visited. This data is processed to provide and improve our service based on Art. 6(1)(b) and Art. 6(1)(f) GDPR.

3. Cookies & Analytics

We use PostHog (PostHog Inc., USA) for web analytics and the Reddit Pixel (Reddit Inc., USA) for ad conversion measurement. PostHog sets cookies to identify sessions and returning visitors. Analytics requests are proxied through our own domain to ensure reliable delivery; no data is shared with additional third parties through this proxy. Both PostHog analytics and the Reddit Pixel are disabled by default and only activated if you give explicit consent via our cookie banner, pursuant to Art. 6(1)(a) GDPR. You can withdraw your consent at any time by clearing your browser cookies or contacting us.

In addition, we store campaign attribution parameters (such as UTM tags and ad identifiers from the URL you used to reach our site) in your browser's local and session storage. This first-party data is used solely to measure which campaigns and ad creatives lead to sign-up completion. Attribution records are retained for up to 30 days and are never sent to third parties. This storage does not require consent as it is technically necessary to attribute your visit to the correct campaign, pursuant to Art. 6(1)(f) GDPR.

4. Authentication

We offer sign-in via third-party OAuth providers such as Google and GitHub. When you authenticate this way, we receive your name, email address, and profile picture from the provider. We do not receive or store your password. This processing is based on Art. 6(1)(b) GDPR as it is necessary to provide your account.

5. SDK Integration

Caprail enforces rate limits and circuit-breaker policies on your Next.js route handlers and Server Actions via the @caprail/nextjs SDK. When a policy check runs, the SDK forwards lightweight metadata — such as the rate-limit key you supply (for example a hashed IP address or an API key identifier), the policy identifier, a timestamp, and the allow/deny outcome — to our servers to evaluate against your configured rules. The content of the rate-limit key is chosen by you; we do not receive or store request bodies, response bodies, headers, or user content from your application traffic. This processing is based on Art. 6(1)(b) GDPR as it is necessary to provide the service you have configured.

6. Data Protection & Security

We implement the following measures to protect your data:

  • Encryption in transit — all communication between your browser, your application, and our servers is encrypted via TLS / HTTPS.
  • Encryption at rest — policy configuration, rate-limit counters, and API tokens are stored encrypted server-side in our database.
  • Minimal data retention — we retain only the counters, outcomes, and aggregate telemetry required to enforce your windowed policies and to power your dashboard. Request and response payloads from your application are never stored.
  • Data lifecycle — rate-limit counters expire automatically at the end of each policy window. Telemetry and account data are fully deleted when you disconnect a project or delete your Caprail account.
  • Access controls — project data is accessible only to the authenticated account owner and any members you invite. API tokens are never exposed to client-side code.
  • No secondary use — we do not use your telemetry for advertising, market research, or AI / ML model training.

7. Hosting & Sub-processors

Our application is hosted on infrastructure provided by third-party services including Vercel (frontend), Convex (backend), and PostHog (analytics, when consented). These providers may process data on our behalf in accordance with data processing agreements. Data may be transferred to the United States under appropriate safeguards (EU Standard Contractual Clauses).

8. Data Retention

We retain your personal data only as long as your account is active or as needed to provide the service. If you delete your account, we will erase your personal data within 30 days, except where we are legally required to retain it (e.g. invoices under Austrian tax law for 7 years).

9. Your Rights

Under the GDPR, you have the right to access, rectify, erase, or restrict the processing of your personal data. You may also request data portability or object to processing. To exercise any of these rights, contact us at contact@caprail.io. You also have the right to lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehörde) at dsb.gv.at.

10. Changes to This Policy

We may update this privacy policy from time to time. If we make material changes, we will notify you via email or a prominent notice on our website. Your continued use of the service after such changes constitutes your acceptance of the updated policy.

Questions? Reach out to contact@caprail.io.