Transparency

What the license server knows about you.

The Softwarefabrik stores as little as possible. This page lists what technically lands in our license server, what is deliberately not collected, how long data are kept and on which legal basis.

no tracking offline-verifiable just email + fingerprint

What is stored

  • License ID (UUID, no personal reference)
  • SHA-256 hash of the email address (with a fixed salt, only for multi-device detection per user)
  • SHA-256 hash of the device fingerprint (not reversible to hardware)
  • Tier (Community / Professional / Enterprise) and deployment (Cloud / Self-Hosted / Air-Gap)
  • Feature flags as per contract, as JSON (e.g. max_runs_per_day, team_features)
  • Time of issuance, last refresh and expiry
  • Client version string and country of IP address (two-letter code, e.g. DE)
  • The last issued JWT, exclusively for audit

What is NOT stored

  • The full IP address of the client
  • The prompts the user sends to the AI
  • The generated code or run content of any kind
  • Personal data (name, address, phone)
  • For Enterprise air-gap: nothing — the license is offline-signed, there is no server contact

Retention

  • Refresh logs are kept individually for 90 days, then aggregated into anonymous monthly statistics
  • License records stay as long as the license is valid, plus two years after expiry for audit purposes
  • Revoked licenses stay archived so an issued JWT is recognised as "rejected" until the next refresh cycle

Where does the license server run?

  • Community / Professional / Enterprise Cloud: Hetzner Cloud, data centre Falkenstein (Germany, EU data area). Reverse proxy, TLS and backups operated by softwarefabrik.io.
  • Enterprise self-hosted: on the customer's infrastructure. The license_server_url in the issued JWT points to the internal host.
  • Enterprise air-gap: nowhere — no server runs, the license is a signed document without network component.

Legal basis under GDPR

  • Community: Art. 6 (1) (f) GDPR — legitimate interest in misuse prevention (notably 3-device limit)
  • Professional / Enterprise: Art. 6 (1) (b) GDPR — contract performance

A data processing agreement (DPA) is available on request for Enterprise operation. For self-hosted and air-gap deployments no DPA is required, as no personal data flow to softwarefabrik.io.

Signature chain and public key

All license JWTs are signed with Ed25519. The public key can be verified in two forms:

Key rotation happens via client updates, not at runtime. A potential emergency revocation of an individual license happens server-side via rejection at the next refresh; for air-gap only at the next annual certificate exchange.

Feedback welcome: If something is missing or unclear, contact me via the contact form. Transparency is explicitly a product decision — I take pointers seriously.