Privacy Policy — mortar
*Effective 2026-05-16. Generated from installed modules.*
This document is regenerated automatically whenever a module is installed, upgraded, or removed. The list of personal-data fields, subprocessors, and AI Act impacts below is derived from each module's published manifest, so it cannot drift from what the installed modules declare: a module that is not installed contributes nothing to this page, and one that is cannot be omitted from it.
Your rights under GDPR
- Access (Article 15): Request a copy of your personal data via `/api/compliance/dsar/request` with `request_type=access`.
- Portability (Article 20): Request a machine-readable export via `/api/compliance/dsar/request` with `request_type=portability`.
- Erasure (Article 17): Request deletion of your account via `/api/compliance/dsar/request` with `request_type=erasure`.
All three are subject to a verification step (email confirmation to the address on the account, so that a request cannot be made on someone else's behalf) and are completed within one month, the deadline GDPR Article 12(3) sets. Every request, including its verification and completion, is recorded in the hash-chained, tamper-evident audit log described below.
What we process and why
Account & Authentication (platform-account v1.0.0)
Operator and team-member sign-up, sign-in, and session management for the mortar control plane.
Personal data we collect:
- `email`
- `name`
- `authentication_identifiers`
- `login_ip_address`
Subprocessors:
- Clerk (US) — email, name, authentication + session metadata
Product Analytics (platform-analytics v1.0.0)
Pseudonymous product-usage analytics to improve the platform. EU-hosted; no cross-site tracking.
Personal data we collect:
- `usage_events`
- `pseudonymous_device_id`
Subprocessors:
- PostHog (EU Cloud) (DE) — pseudonymous product-usage events
Subscription Billing (platform-billing v1.0.0)
Plan subscriptions, invoicing, and entitlement state for the mortar platform itself.
Personal data we collect:
- `billing_email`
- `subscription_id`
- `customer_id`
- `payment_country`
Subprocessors:
- Polar (US) — billing email, subscription + payment metadata
Application Database (platform-data v1.0.0)
Primary datastore for control-plane account records, customer-app metadata, and audit logs.
Personal data we collect:
- `account_records`
- `app_metadata`
Subprocessors:
- Neon (DE) — all stored account + application records (EU region)
Edge Delivery & WAF (platform-edge v1.0.0)
CDN, TLS termination, and web-application-firewall protection for all platform traffic.
Personal data we collect:
- `request_ip_address`
Subprocessors:
- Cloudflare (US) — request IP, edge cache + WAF metadata
Transactional Email (platform-email v1.0.0)
Account, billing, and compliance notification emails (no marketing).
Personal data we collect:
- `email`
Subprocessors:
- Resend (US) — recipient email address, message content
Error & Log Monitoring (platform-observability v1.0.0)
Application error reporting and request-log retention for reliability and security.
Personal data we collect:
- `error_reports`
- `request_logs`
Subprocessors:
- Sentry (US) — error reports, stack traces
- Better Stack (CZ) — application + request logs
Audit and transparency
Every state-changing operation in this application writes an entry to an append-only audit log. Each entry's hash covers the previous entry's hash as well as its own content, so altering or removing any past entry changes every hash after it. The current chain head is periodically committed to the public Sigstore Rekor transparency log. Anyone holding a copy of the log can recompute the chain and compare it with a committed head, which proves that the history up to that head has not been retroactively altered; entries written after the most recent commitment are covered only once the next head is published.
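The following Python is an added illustration of the two checks described above; it is not mortar's own audit-log code, and the entry layout, the SHA-256 construction `H(prev_hash || canonical_json(body))`, the all-zero genesis value, and the "published head" (a stand-in for a hash committed to Rekor, stored locally here so the example runs offline) are all assumptions. The constructed sample walks through a DSAR, then shows why the external commitment matters: an in-place edit is caught by the chain alone, but an insider who rewrites an entry and re-hashes everything after it produces a chain that is internally consistent and is only detected because the published head no longer appears in it.

```python
"""Hash-chained audit log with published-head verification (added example)."""
import copy
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # assumed: predecessor hash of the first entry


def canonical(body: dict) -> bytes:
    """Deterministic JSON so the hash does not depend on dict key order."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, body: dict) -> str:
    """SHA-256 over prev_hash || canonical(body): binds each entry to its predecessor."""
    h = hashlib.sha256()
    h.update(bytes.fromhex(prev_hash))
    h.update(canonical(body))
    return h.hexdigest()


def append(log: List[dict], body: dict) -> dict:
    """Append one entry; the new hash becomes the chain head."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": len(log), "prev": prev, "body": body}
    entry["hash"] = entry_hash(prev, body)
    log.append(entry)
    return entry


def verify(log: List[dict], published_head: Optional[str] = None) -> Tuple[bool, str]:
    """Recompute every link; if a published head is given, it must occur in the chain.

    Entries after the published head are checked for internal consistency only,
    since no external commitment covers them yet.
    """
    prev = GENESIS
    seen_head = published_head is None
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev:
            return False, f"link broken at seq {i}"
        if entry_hash(prev, e["body"]) != e["hash"]:
            return False, f"hash mismatch at seq {i}"
        prev = e["hash"]
        if e["hash"] == published_head:
            seen_head = True
    if not seen_head:
        return False, "published head not found in chain"
    return True, "ok"


def demo() -> dict:
    """Constructed sample: a DSAR lifecycle, then two tampering attempts."""
    log: List[dict] = []
    for body in (
        {"op": "dsar.request", "type": "access", "subject": "user-123"},
        {"op": "dsar.verify", "subject": "user-123"},
        {"op": "dsar.complete", "type": "access", "subject": "user-123"},
    ):
        append(log, body)
    head = log[-1]["hash"]  # the value that would be committed externally

    # Tamper 1: edit an old entry's body in place; its stored hash no longer matches.
    edited = copy.deepcopy(log)
    edited[0]["body"]["type"] = "erasure"

    # Tamper 2: edit the entry AND re-hash the whole chain after it.
    # The chain is now self-consistent; only the published head exposes it.
    rehashed = copy.deepcopy(log)
    rehashed[0]["body"]["type"] = "erasure"
    prev = GENESIS
    for e in rehashed:
        e["prev"] = prev
        e["hash"] = entry_hash(prev, e["body"])
        prev = e["hash"]

    return {
        "clean": verify(log, head),
        "edited": verify(edited, head),
        "rehashed_no_head": verify(rehashed),
        "rehashed_with_head": verify(rehashed, head),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```

The `rehashed_no_head` case is the one to remember: a hash chain by itself only proves that the log is consistent with its own current head, not that the head is the one that existed yesterday. Publishing the head somewhere the operator cannot later rewrite is what turns "consistent" into "unaltered".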
Contact
For any data-protection question, write to privacy@mortar.dev. We respond within one month, the deadline GDPR Article 12(3) sets.
*This policy is generated from the `compliance-eu` module. The source of every claim is the manifest of the corresponding module — open source and inspectable.*