Privacy and Data Portability

v1.1.0Updated for ɳSelf v1.1.0

You own your data. ɳSelf Cloud is built on the same open-source stack you can self-host, which means there is no proprietary data format, no vendor lock-in, and no hidden data processing. Any Cloud customer can export or delete their account at any time, on demand.

Core privacy principles

• Your data is physically isolated on your dedicated VPS — no shared Postgres
• We do not share customer data with advertisers, analytics vendors, or AI training providers
• Off-site backups stay within the same legal jurisdiction as your primary region
• All data at rest is encrypted (LUKS on the VPS, AES-256 for off-site backups)
• All data in transit uses TLS 1.3

Exporting your data

Open Dashboard → Settings → Privacy → Export my data, or trigger from the CLI:

nself cloud exec myapp -- nself export --all
# Generates a timestamped tarball and uploads to secure staging storage.
# You receive a signed download link by email.

The export tarball contains:

Database dump: A pg_dump of your entire Postgres database in both custom binary format (for fast restore via pg_restore) and plain SQL format (for inspection and portability).
Object storage: Your MinIO bucket contents, preserving object metadata, content-type headers, and directory structure. Compatible with any S3-compatible storage target for migration.
Configuration: Your .env (non-secret fields), docker-compose.yml, Nginx site configs, plugin manifests, and the full nself.toml project config.
Logs: The last 7 days of logs from every service (Hasura, Auth, Nginx, Postgres, plugins) in plain text.
Invoice history: Your Stripe invoice history as JSON, including line items, amounts, and PDF download URLs.

The tarball is staged to object storage and you receive a signed download link by email. Links expire 7 days after generation. The staged tarball is deleted after 14 days. You can generate an export at any time — there is no limit on how often you export.

Importing to a self-hosted instance

Because Cloud runs the same open-source stack, your export restores cleanly to any self-hosted ɳSelf instance:

# On your self-hosted server
tar xzf nself-export-myapp-20260507.tar.gz
cd nself-export-myapp-20260507

# Restore database
pg_restore -U postgres -d your_db_name backup.dump

# Restore MinIO objects
mc mirror ./minio-export/ myminio/yourbucket/

# Copy config
cp .env /path/to/your/nself/project/.env
cp docker-compose.yml /path/to/your/nself/project/
nself build && nself start

Taking ownership of your Hetzner server

Instead of exporting, you can take direct ownership of the Hetzner VPS. This transfers the server to your own Hetzner account:

Create a Hetzner account and project if you do not have one
Open a support ticket in the ɳSelf dashboard with the subject "Request server transfer"
Provide your Hetzner account email and project ID
We initiate a Hetzner server transfer — no data loss, same IP, same VPS
Once transferred, you manage the server directly and your ɳSelf Cloud subscription is cancelled

Server transfers typically complete within one business day. Your subscription is prorated to the transfer date.

Deleting your account

Open Dashboard → Settings → Privacy → Delete my account. You must confirm by re-entering your email address.

What happens in sequence:

Immediate: Your Stripe subscription is cancelled. No further charges.
Day 0–7 (grace period): Your server keeps running normally. You can cancel the deletion with one click from the dashboard. Your data is untouched.
Day 7 (grace period ends):
- Your VPS is destroyed via the Hetzner API
- All Hetzner snapshots associated with the server are deleted
- Off-site backups (Postgres dumps and MinIO exports) are deleted from our backup storage
Day 7 (account anonymization):
- Email address, display name, billing address, and phone number are scrubbed
- API keys and session tokens are invalidated and deleted
- A hashed identifier derived from your email is retained for tax compliance (7 years per applicable law)
- Invoice records are retained in anonymized form for tax compliance — amounts and line items kept, PII removed
Within 30 days: All telemetry and analytics data attributable to your account ID is deleted from our data warehouse.

After the deletion process completes, we email you a signed deletion receipt. This receipt documents what was deleted, when, and can be used to satisfy downstream compliance requests from your own customers or auditors.

GDPR rights

ɳSelf Cloud is operated from Hetzner's EU infrastructure and complies with GDPR for EU/EEA customers. The self-service export and delete tools satisfy:

Article 20 — Data portability: Export provides your data in standard, machine-readable formats (SQL, JSON, plain files).
Article 17 — Right to erasure: Delete triggers complete erasure of all personal data within 30 days.

For other GDPR rights (Article 15 access, Article 16 rectification, Article 18 restriction of processing, Article 21 objection), email privacy@nself.org. We acknowledge within 3 business days and fulfill within 30 days, as required by GDPR Article 12.

CCPA rights (California)

California residents have the right to know what personal information is collected, the right to delete, and the right to opt out of the sale of personal information.

§1798.110 (right to know): See the "What we collect" section below.
§1798.105 (right to delete): Use the self-service Delete tool or email privacy@nself.org.
Sale of personal information: We do not sell personal information. We do not share it with third parties for cross-context behavioral advertising.

What we collect

The following personal data is collected and processed when you use ɳSelf Cloud:

Category	What	Why	Retention
Account	Email, display name	Authentication, communication	Until deletion
Billing	Name, billing address, Stripe customer ID	Payment processing, invoicing	7 years (tax law)
Infrastructure	Server IP, region, instance name	Provisioning, DNS, SSL	Until server deleted
Telemetry	CLI version, command names (no args), error codes	Product analytics, bug detection	90 days rolling
Support	Ticket content, email exchanges	Issue resolution	2 years after resolution

We do not collect the contents of your database, your MinIO objects, your application code, or any data your users submit through your API. All application data stays on your dedicated VPS.

Data location and residency

Primary data is hosted in the region you chose at provisioning time:

Region code	Location	Backup region	Jurisdiction
`fsn1`	Falkenstein, Germany	Helsinki, Finland	EU
`hel1`	Helsinki, Finland	Falkenstein, Germany	EU
`ash1`	Ashburn, Virginia, USA	Ashburn (different DC)	USA
`sin1`	Singapore	Singapore (different DC)	Singapore

Off-site backups remain within the same legal jurisdiction as the primary region. EU data does not leave the EU. US data does not leave the US. Singapore data does not leave Singapore.

Control plane infrastructure (the system that manages your servers) runs in Falkenstein, Germany. It processes your account data (email, subscription status) but never your application data.

Subprocessors

The following third parties process personal data on our behalf:

Subprocessor	Purpose	Data processed	Location
Hetzner Online GmbH	VPS hosting, backups	All application data on your VPS	EU, USA, Singapore
Cloudflare Inc.	DNS, TLS, edge networking	Domain names, IP addresses, TLS handshakes	Global
Stripe Inc.	Payment processing	Card data (not stored by us), billing address, invoices	USA/EU
ElasticEmail	Transactional email	Email address, email content	USA/EU

We do not use any subprocessors for advertising, behavioral analytics, or AI model training. We will update this list and notify customers by email when we add or change subprocessors.

Contact

For privacy-related requests, questions, or to exercise your rights: privacy@nself.org. Response within 3 business days, fulfillment within 30 days for GDPR requests.

For urgent data security incidents: security@nself.org.

Support — how to file a ticket
Billing — cancellation and data deletion timeline
Getting started — provision your first server

Privacy and Data Portability

v1.1.0Updated for ɳSelf v1.1.0

Core privacy principles

• Your data is physically isolated on your dedicated VPS — no shared Postgres
• We do not share customer data with advertisers, analytics vendors, or AI training providers
• Off-site backups stay within the same legal jurisdiction as your primary region
• All data at rest is encrypted (LUKS on the VPS, AES-256 for off-site backups)
• All data in transit uses TLS 1.3

Exporting your data

Open Dashboard → Settings → Privacy → Export my data, or trigger from the CLI:

nself cloud exec myapp -- nself export --all
# Generates a timestamped tarball and uploads to secure staging storage.
# You receive a signed download link by email.

The export tarball contains:

Database dump: A pg_dump of your entire Postgres database in both custom binary format (for fast restore via pg_restore) and plain SQL format (for inspection and portability).
Object storage: Your MinIO bucket contents, preserving object metadata, content-type headers, and directory structure. Compatible with any S3-compatible storage target for migration.
Configuration: Your .env (non-secret fields), docker-compose.yml, Nginx site configs, plugin manifests, and the full nself.toml project config.
Logs: The last 7 days of logs from every service (Hasura, Auth, Nginx, Postgres, plugins) in plain text.
Invoice history: Your Stripe invoice history as JSON, including line items, amounts, and PDF download URLs.

Importing to a self-hosted instance

Because Cloud runs the same open-source stack, your export restores cleanly to any self-hosted ɳSelf instance:

# On your self-hosted server
tar xzf nself-export-myapp-20260507.tar.gz
cd nself-export-myapp-20260507

# Restore database
pg_restore -U postgres -d your_db_name backup.dump

# Restore MinIO objects
mc mirror ./minio-export/ myminio/yourbucket/

# Copy config
cp .env /path/to/your/nself/project/.env
cp docker-compose.yml /path/to/your/nself/project/
nself build && nself start

Taking ownership of your Hetzner server

Instead of exporting, you can take direct ownership of the Hetzner VPS. This transfers the server to your own Hetzner account:

Create a Hetzner account and project if you do not have one
Open a support ticket in the ɳSelf dashboard with the subject "Request server transfer"
Provide your Hetzner account email and project ID
We initiate a Hetzner server transfer — no data loss, same IP, same VPS
Once transferred, you manage the server directly and your ɳSelf Cloud subscription is cancelled

Server transfers typically complete within one business day. Your subscription is prorated to the transfer date.

Deleting your account

Open Dashboard → Settings → Privacy → Delete my account. You must confirm by re-entering your email address.

What happens in sequence:

Immediate: Your Stripe subscription is cancelled. No further charges.
Day 0–7 (grace period): Your server keeps running normally. You can cancel the deletion with one click from the dashboard. Your data is untouched.
Day 7 (grace period ends):
- Your VPS is destroyed via the Hetzner API
- All Hetzner snapshots associated with the server are deleted
- Off-site backups (Postgres dumps and MinIO exports) are deleted from our backup storage
Day 7 (account anonymization):
- Email address, display name, billing address, and phone number are scrubbed
- API keys and session tokens are invalidated and deleted
- A hashed identifier derived from your email is retained for tax compliance (7 years per applicable law)
- Invoice records are retained in anonymized form for tax compliance — amounts and line items kept, PII removed
Within 30 days: All telemetry and analytics data attributable to your account ID is deleted from our data warehouse.

GDPR rights

ɳSelf Cloud is operated from Hetzner's EU infrastructure and complies with GDPR for EU/EEA customers. The self-service export and delete tools satisfy:

Article 20 — Data portability: Export provides your data in standard, machine-readable formats (SQL, JSON, plain files).
Article 17 — Right to erasure: Delete triggers complete erasure of all personal data within 30 days.

CCPA rights (California)

California residents have the right to know what personal information is collected, the right to delete, and the right to opt out of the sale of personal information.

§1798.110 (right to know): See the "What we collect" section below.
§1798.105 (right to delete): Use the self-service Delete tool or email privacy@nself.org.
Sale of personal information: We do not sell personal information. We do not share it with third parties for cross-context behavioral advertising.

What we collect

The following personal data is collected and processed when you use ɳSelf Cloud:

Category	What	Why	Retention
Account	Email, display name	Authentication, communication	Until deletion
Billing	Name, billing address, Stripe customer ID	Payment processing, invoicing	7 years (tax law)
Infrastructure	Server IP, region, instance name	Provisioning, DNS, SSL	Until server deleted
Telemetry	CLI version, command names (no args), error codes	Product analytics, bug detection	90 days rolling
Support	Ticket content, email exchanges	Issue resolution	2 years after resolution

We do not collect the contents of your database, your MinIO objects, your application code, or any data your users submit through your API. All application data stays on your dedicated VPS.

Data location and residency

Primary data is hosted in the region you chose at provisioning time:

Region code	Location	Backup region	Jurisdiction
`fsn1`	Falkenstein, Germany	Helsinki, Finland	EU
`hel1`	Helsinki, Finland	Falkenstein, Germany	EU
`ash1`	Ashburn, Virginia, USA	Ashburn (different DC)	USA
`sin1`	Singapore	Singapore (different DC)	Singapore

Off-site backups remain within the same legal jurisdiction as the primary region. EU data does not leave the EU. US data does not leave the US. Singapore data does not leave Singapore.

Control plane infrastructure (the system that manages your servers) runs in Falkenstein, Germany. It processes your account data (email, subscription status) but never your application data.

Subprocessors

The following third parties process personal data on our behalf:

Subprocessor	Purpose	Data processed	Location
Hetzner Online GmbH	VPS hosting, backups	All application data on your VPS	EU, USA, Singapore
Cloudflare Inc.	DNS, TLS, edge networking	Domain names, IP addresses, TLS handshakes	Global
Stripe Inc.	Payment processing	Card data (not stored by us), billing address, invoices	USA/EU
ElasticEmail	Transactional email	Email address, email content	USA/EU

We do not use any subprocessors for advertising, behavioral analytics, or AI model training. We will update this list and notify customers by email when we add or change subprocessors.

Contact

For privacy-related requests, questions, or to exercise your rights: privacy@nself.org. Response within 3 business days, fulfillment within 30 days for GDPR requests.

For urgent data security incidents: security@nself.org.

Support — how to file a ticket
Billing — cancellation and data deletion timeline
Getting started — provision your first server

Privacy and Data Portability

Core privacy principles

Exporting your data

Importing to a self-hosted instance

Taking ownership of your Hetzner server

Deleting your account

GDPR rights

CCPA rights (California)

What we collect

Data location and residency

Subprocessors

Contact

Related

Privacy and Data Portability

Core privacy principles

Exporting your data

Importing to a self-hosted instance

Taking ownership of your Hetzner server

Deleting your account

GDPR rights

CCPA rights (California)

What we collect

Data location and residency

Subprocessors

Contact

Related