Privacy Policy

This is a plain-English privacy policy for instanode.dev, a developer tool that provisions ephemeral Postgres databases, Redis caches, and webhook receivers via HTTPS. It is operated by a solo founder as a sole proprietorship based in India.

What we collect

• Email address — only if you sign in. We use GitHub OAuth (client_id Ov23li1CzSDf0s5c1zI9) to read your primary email. Nothing else from your GitHub profile.
• Payment identifiers — Razorpay order IDs, subscription IDs, and payment IDs. We never see or store card numbers, CVVs, or bank details. Those live with Razorpay.
• Provisioning fingerprint — a SHA-256 hash of your IP's /24 subnet (or /48 for IPv6) plus the network ASN. We use this only to rate-limit free-tier abuse (5 provisions/day). We do not store raw IPs against your account.
• Resource connection logs — query timing, error rates, connection counts on databases we provision for you. Used for debugging and enforcing tier limits. We do not read the contents of your tables, keys, or webhook payloads.
• Session cookie — a JWT used to keep you logged in. Expires when you log out or when the token expires.

What we do not collect

• No third-party analytics. No Google Analytics, no Mixpanel, no Segment, no ad pixels.
• No tracking cookies. The only cookie is your auth session.
• No data inside your provisioned databases. It's yours. We can see that storage is used, not what's in it.

Where it lives

All infrastructure runs on DigitalOcean NYC1 (US-East). Data at rest is encrypted via DigitalOcean block storage encryption. Connections to pg.instanode.dev and the API use TLS with certificates issued by Let's Encrypt.

Retention

• Anonymous resources — deleted automatically 24 hours after creation, along with their logs.
• Claimed (Developer tier) resources — kept until you delete them or cancel your subscription. After cancellation, resources are retained for 7 days so you can export, then permanently deleted.
• Account records — your email and billing references are kept while your account exists, and for up to 12 months after closure for tax and fraud-prevention purposes required by Indian law.

Sub-processors

These are the third parties who touch your data on our behalf:

• DigitalOcean — hosting, block storage, managed databases.
• Razorpay — payment processing. Subject to their privacy terms.
• GitHub — OAuth login only.
• Let's Encrypt — TLS certificate issuance.
• New Relic — server performance metrics (if enabled; no user data is forwarded, only aggregate request timings).

Your rights

Under GDPR and comparable laws, you can request: access to the data we hold about you, correction of it, and deletion of it ("right to be forgotten"). Email admin@instanode.dev and we'll action it within 30 days. Deletion of your account also deletes all resources, logs, and fingerprints associated with it.

Security

TLS everywhere. AES-256-GCM encryption on stored connection strings. Block-storage encryption at rest. We do not claim SOC 2, ISO 27001, or HIPAA compliance — this is a small operation and we will not pretend otherwise.

Changes

If this policy changes materially, we'll update the date at the top and notify signed-in users by email before the change takes effect.

Contact

Questions, deletion requests, or anything else: admin@instanode.dev.