Privacy Policy

Last updated: April 26, 2026

1. Who we are

DSFrog is a business-dashboard development service operated from Poland. We build custom dashboards and analytics for businesses worldwide.

Contact: hello@ds-frog.com

This policy covers two distinct relationships: (a) website visitors who fill out our contact form, and (b) dashboard users — clients and their authorized teammates who log into a dashboard we host. For client end-customer data processed on the client's behalf, see our Data Processing Agreement.

2. Website visitors — what we collect

When you use the contact form on this website we collect:

  • Name, email, optional phone — to respond to your inquiry
  • Message content — to understand your needs
  • Page URL of submission and approximate session metadata — to understand context (which page led to the inquiry)

We do not use tracking pixels for advertising and do not sell or share your data with third parties for marketing.

3. Dashboard users — what we collect

When you (or a person authorized by your organization) log into a dashboard we host, we process:

  • Login (email or username) and password hash — for authentication. Passwords are stored as bcrypt hashes (cost 12); we never see your plaintext password.
  • Two-factor (TOTP) shared secret — generated at first login, stored on our server and never transmitted after enrollment.
  • Login event log — for each login attempt: timestamp, IP address, browser user-agent, success/failure reason. Used for security/audit.
  • Session cookie — a signed JWT, HTTP-only, Secure, SameSite=Strict, valid for 7 days.
  • Reset codes — one-time 6-digit codes sent by email when you request a password reset, valid for 10 minutes.

4. How long we keep data

  • Contact form messages — kept while the conversation/project is active, then up to 12 months for accounting purposes, then deleted.
  • Login event logs — kept indefinitely for security audit, but deleted on account closure on request.
  • Backups — daily encrypted backups in DigitalOcean Spaces, automatically deleted after 30 days.
  • Account credentials — kept while the account is active. Removed within 30 days of contract termination.

5. Cookies

We use only essential cookies — no advertising or third-party analytics trackers:

  • session — signed JWT for authenticated dashboard access (7 days)
  • locale — your selected interface language

No consent banner is shown because we do not use non-essential cookies.

6. Third-party processors (sub-processors)

We use the following infrastructure providers. Each processes only what is strictly required for its function and is bound by its own contractual security commitments:

  • DigitalOcean (United States, with EU data centers) — server hosting and encrypted backup storage (Spaces, region SFO3 or as specified in DPA)
  • Cloudflare (United States) — CDN, DDoS protection, TLS termination, WAF
  • Resend (United States) — transactional email delivery (password reset codes, system alerts)
  • Telegram Messenger Inc. — receiving contact-form submissions and operational alerts
  • Anthropic PBC (United States) — only when AI assistant features are explicitly enabled by a client (see DPA Section 6 if applicable)

Cross-border transfers to U.S. providers rely on EU Standard Contractual Clauses (SCCs) where required by GDPR.

7. Security measures

Concrete technical measures (encryption, isolation, audit, backups, monitoring) are documented separately at /security. That page describes the actual implementation rather than vague promises.

8. Your rights (GDPR)

If you are in the European Economic Area, you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion ("right to be forgotten")
  • Receive a copy of your data in a portable format (JSON or CSV)
  • Object to or restrict certain processing
  • Lodge a complaint with your local supervisory authority (in Poland: UODO)

To exercise any of these rights, contact hello@ds-frog.com. We respond within 30 days; data export and deletion requests are typically completed within 7 days.

9. Personal data breach notification

In the event of a confirmed personal data breach affecting your data, we will notify you (and where required, supervisory authorities) within 24 hours of discovery, with a description of the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address it.

10. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated to active dashboard users by email, and the "Last updated" date above will reflect the change.

11. Contact

Questions about this policy or your data: hello@ds-frog.com