The Softwarefabrik stores as little as possible. This page lists what technically ends up on our license server, what we deliberately do not collect, how long data is retained and on which legal basis.
What is stored
License ID (UUID, no personal reference)
SHA-256 hash of the email address (with a fixed salt, used only for multi-device detection per user)
SHA-256 hash of the device fingerprint (not reversible to hardware)
Tier (Community / Professional / Enterprise) and deployment (Cloud / Self-Hosted / Air-Gap)
Feature flags per contract as JSON (e.g. max_runs_per_day, team_features)
Issued, last refresh and expiry timestamps
Client version string and country of the IP address (two-letter code, e.g. DE)
The most recently issued JWT, solely for audit purposes
What is NOT stored
The full IP address of the client
The prompts the user sends to the AI
Generated code or any run content
Personal data (name, address, phone)
Enterprise Air-Gap: nothing at all — the license is signed offline, there is no server contact
Retention
Refresh logs are kept individually for 90 days and then aggregated to anonymous monthly statistics
License records remain in place while the license is valid, plus two years after expiry for audit
Revoked licenses are archived so that an issued JWT is correctly rejected until the next refresh cycle
Where does the license server run?
Community / Professional / Enterprise Cloud: Hetzner Cloud, data center location Falkenstein (Germany, EU). Reverse proxy, TLS and backups are operated by softwarefabrik.io.
Enterprise Self-Hosted: on the customer's infrastructure. The license_server_url in the issued JWT points to the internal host.
Enterprise Air-Gap: nowhere — no server is involved, the license is a signed document without a network component.
Legal basis (GDPR)
Community: Art. 6(1)(f) GDPR — legitimate interest in abuse prevention (in particular the 3-device limit)
Professional / Enterprise: Art. 6(1)(b) GDPR — contract performance
A data processing agreement (DPA) is available for enterprise customers on request. With Self-Hosted and Air-Gap deployments no DPA is needed, as no personal data is sent to softwarefabrik.io.
Signature chain and public key
All license JWTs are signed with Ed25519. The public key can be verified in two ways:
Embedded in every client release at app/src/main/resources/license/lease-ed25519-public.pem
Key rotation happens via client updates, not at runtime. An emergency revocation of an individual license is performed server-side by rejecting the next refresh; for Air-Gap only at the next annual certificate exchange.
Feedback welcome: If something is missing or unclear, reach out via the contact form. Transparency is an explicit product decision — we take input seriously.