Privacy Notice

Last Updated: October 28, 2025

1. Introduction

This Privacy Notice explains how Happenstance ("we", "us", "our") collects, uses, and protects your personal data in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

We are committed to protecting your privacy and giving you control over your personal information.

Data Controller:
Epode Studio
Frejavägen 3, 222 70 Lund, Sweden
Org.nr: 199602203532
Email: hello@happenstance.click
DPO: hello@happenstance.click

2. What Data We Collect

2.1 Account Information

When you create an account, we collect:

  • Name: Your full name
  • Email address: For account access and communication
  • GitHub account data: Username, avatar, and email (if you sign in via GitHub OAuth)
  • Organization details: Company name, team member information

2.2 Billing Information

For paid subscriptions:

  • Payment information: Processed and stored by Paddle (our payment processor), not by us
  • Billing address: Required for VAT compliance
  • Invoice details: Transaction history and receipts

Important: We never see or store your credit card details. All payment processing is handled securely by Paddle in compliance with PCI DSS standards.

2.3 Analytics Data You Collect

When you use our service to track analytics on your applications, we process:

  • Event data: User interactions, button clicks, page views
  • Hashed IP addresses: One-way hashed for privacy (GDPR-compliant)
  • User agent strings: Sanitized to remove identifying information
  • Session data: Anonymized session identifiers
  • Error logs: Stack traces and error messages

You are the data controller for analytics data collected from your users. We act as a data processor, storing and processing this data on your behalf.

2.4 Technical Data

We automatically collect:

  • Log data: API requests, response times, error codes
  • Device information: Browser type, operating system (non-identifying)
  • Cookies: Session cookies for authentication (see Section 8)

2.5 Communication Data

When you contact us, we collect:

  • Support tickets and correspondence
  • Feedback and survey responses

3. Legal Basis for Processing

Under GDPR, we process your personal data based on:

Contract Performance (Art. 6(1)(b) GDPR)

Processing necessary to provide our services, manage your account, and process payments.

Legitimate Interests (Art. 6(1)(f) GDPR)

Improving our services, fraud prevention, security monitoring, and customer support.

Consent (Art. 6(1)(a) GDPR)

Marketing communications, optional analytics, and cookies (where required).

Legal Obligation (Art. 6(1)(c) GDPR)

Tax compliance, financial record-keeping, and responding to legal requests.

4. How We Use Your Data

We use your personal data to:

  • Provide services: Account management, analytics processing, API access
  • Billing: Process payments, issue invoices, manage subscriptions
  • Communication: Send service updates, security alerts, and support responses
  • Improvement: Analyze usage patterns to improve our platform (anonymized)
  • Security: Detect and prevent fraud, abuse, and security threats
  • Legal compliance: Meet tax, accounting, and legal obligations
  • Marketing: Send product updates and offers (with your consent; you can opt out at any time)

5. Data Sharing and Transfers

5.1 Third-Party Service Providers

We share data with trusted processors who help us operate our services:

Paddle (Payment Processing)

Processes payments, subscription management, and invoicing.

Location: UK/EU | GDPR Compliant | DPA in place

Nhost (Database Hosting)

Hosts our database and provides backend infrastructure.

Location: EU (Germany) | GDPR Compliant | DPA in place

Vercel/Netlify (Hosting)

Hosts our web application.

Location: EU regions | GDPR Compliant

Anthropic (AI Processing)

Provides AI-powered code analysis for analytics integration.

Location: US | Privacy Shield successor mechanisms | DPA available

5.2 International Transfers

Some of our service providers are located outside the European Economic Area (EEA). When we transfer data internationally, we ensure:

  • Adequacy decisions under GDPR (e.g., transfers to countries with adequate data protection)
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Additional safeguards where necessary (encryption, access controls)

5.3 Other Disclosures

We may disclose your data if:

  • Required by law or legal process
  • Necessary to protect our rights, property, or safety
  • In connection with a merger, acquisition, or sale of assets (with notice to you)

6. Your Rights Under GDPR

As an EU data subject, you have the following rights:

📄 Right to Access (Art. 15)

Request a copy of your personal data we hold.

Response time: 1 month | Free of charge

✏️ Right to Rectification (Art. 16)

Correct inaccurate or incomplete data.

Available in account settings or via support

🗑️ Right to Erasure (Art. 17)

Request deletion of your personal data ("right to be forgotten").

Subject to legal retention requirements

⏸️ Right to Restrict Processing (Art. 18)

Limit how we use your data in certain circumstances.

📦 Right to Data Portability (Art. 20)

Receive your data in a machine-readable format (JSON/CSV).

Available via API or export tool

🚫 Right to Object (Art. 21)

Object to processing based on legitimate interests or for direct marketing.

⚖️ Right to Withdraw Consent (Art. 7(3))

Withdraw consent for marketing or optional processing at any time.

📢 Right to Lodge a Complaint

File a complaint with your local data protection authority.

EU DPA list: https://edpb.europa.eu/about-edpb/board/members_en

To exercise your rights: Contact us at hello@happenstance.click or use our privacy dashboard.

7. Data Retention

We retain your data for as long as necessary to provide services and comply with legal obligations:

Data Type | Retention Period | Legal Basis
Account data | Until account deletion + 30 days | Contract
Analytics events (Free) | 30 days | Contract
Analytics events (Startup) | 1 year (configurable) | Contract
Billing records | 7 years | Legal obligation (tax law)
Support tickets | 3 years | Legitimate interest
Security logs | 90 days | Legitimate interest

We automatically delete data according to these schedules. You can request earlier deletion (subject to legal requirements).

8. Cookies and Tracking

We use cookies to provide and improve our services:

Cookie Type | Purpose | Duration | Required?
Authentication | JWT session token | 7 days | ✅ Yes (Essential)
CSRF Protection | Security token | Session | ✅ Yes (Security)
Preferences | UI theme, language | 1 year | ❌ No

You can control cookie settings in your browser. Disabling essential cookies may affect service functionality.

9. Security Measures

We implement industry-standard security measures to protect your data:

  • Encryption: AES-256 encryption at rest, TLS 1.3 in transit
  • Access controls: Role-based access, multi-factor authentication
  • Hashing: Bcrypt for API keys, SHA-256 for IP addresses
  • Monitoring: 24/7 security monitoring and intrusion detection
  • Audits: Regular security audits and penetration testing
  • Backups: Daily encrypted backups with 30-day retention
  • Incident response: 72-hour breach notification (GDPR Art. 33)

10. Children's Privacy

Our services are not directed to individuals under 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately at hello@happenstance.click.

11. Changes to This Notice

We may update this Privacy Notice to reflect changes in our practices or legal requirements. We will notify you of material changes by:

  • Email notification (for significant changes)
  • In-app notification
  • Updating the "Last Updated" date

Continued use of our services after changes constitutes acceptance. If you do not agree, you may close your account.

12. Contact Us

For privacy-related questions or to exercise your rights:

Company: Epode Studio

Privacy Team: hello@happenstance.click

Data Protection Officer: hello@happenstance.click

Address: Frejavägen 3, 222 70 Lund, Sweden

Org.nr: 199602203532

Swedish Supervisory Authority:
Integritetsskyddsmyndigheten (Swedish Authority for Privacy Protection)
Website: www.imy.se
Phone: +46 8 657 61 00
Email: imy@imy.se

You may also find other EU data protection authorities at: https://edpb.europa.eu/about-edpb/board/members_en

Questions about your privacy? Contact hello@happenstance.click