Privacy policy

Last updated: March 12, 2026

Data controller

Sysand Index is operated by UAB Sensmetry, company code 305079257, J. Jasinskio g. 16A, LT-03163 Vilnius, Lithuania.

For privacy inquiries, contact us at privacy@sensmetry.com.

What we collect

We collect the following personal data when you use Sysand Index:

  • Account information: username, display name, email address, and hashed password.
  • Authentication data: if you sign in via Google, Microsoft, GitHub, or GitLab, we receive your email address and profile name from the provider. We do not store your OAuth tokens.
  • Audit logs: we log security-relevant actions (login, password changes, token management) along with your IP address for incident response.
  • Uploaded content: packages you publish, including metadata such as publisher name, project name, and version.
  • Avatar images: we generate an MD5 hash of your email address and send it to Gravatar (operated by Automattic) to retrieve your profile picture. This request is made from our server, not your browser — your IP address is never shared with Gravatar. If you have a Gravatar account, your avatar is displayed; otherwise a generated geometric pattern is shown.

How we use your data

  • To provide and maintain the Sysand Index service.
  • To authenticate you and secure your account.
  • To send transactional emails (token creation, invitations, account changes).
  • To investigate and respond to security incidents via audit logs.

We do not sell your data. We do not use your data for advertising. We do not use third-party analytics or tracking services.

Legal basis (GDPR)

We process your personal data on the following bases:

  • Contract: processing necessary to provide the service you signed up for (account management, package hosting).
  • Legitimate interest: security audit logging and incident response.

Data sharing

Your public profile (username, display name) and published packages are visible to all users. We do not share your private data with third parties except:

  • Infrastructure providers that host the service (US-based).
  • Gravatar (Automattic, US-based) — receives MD5 hashes of email addresses to serve avatar images. No other personal data is shared.
  • Email delivery services for transactional emails.
  • When required by law.

Data hosting

Your data is hosted in the United States. For transfers from the EEA/UK, we rely on Standard Contractual Clauses as a safeguard.

Cookies

We use only essential cookies required for the service to function:

  • Session cookie: keeps you logged in.
  • CSRF cookie: protects against cross-site request forgery.

We also store your theme preference (light/dark) in your browser's local storage. We do not use any analytics or advertising cookies.

Data retention

  • Account data: retained until you delete your account.
  • Audit logs: retained for up to 1 year, then automatically purged.
  • Published packages: retained until you or a project owner removes them.

Your rights

Under GDPR, you have the right to:

  • Access your personal data.
  • Rectify inaccurate data via your account settings.
  • Delete your account and associated data from your account settings page.
  • Export your data — contact us at privacy@sensmetry.com.
  • Lodge a complaint with your national data protection authority.

Changes to this policy

We may update this policy from time to time. We will notify registered users of material changes by email.