Privacy Policy — civo-cloud-manager.app website
Effective date: May 2026
Scope of this notice
This policy covers the marketing website civo-cloud-manager.app only — what happens when you load the page in your browser. The privacy policy for the CivoCloudManager macOS app itself (Civo API key in macOS Keychain, direct connections from the app to Civo, the user's Kubernetes API endpoint and Object Store, IP-detection providers and Apple StoreKit) is the separate document shown on the App Store listing and bundled inside the app.
1. Service provider
The website civo-cloud-manager.app is offered under the DigitalFreedom brand. The data controller (Art. 4(7) GDPR) is:
Berger & Rosenstock GbR (trading as DigitalFreedom)
Dieselstr. 22e · 61231 Bad Nauheim · Germany
Authorized Representatives: Marcel R. G. Berger, Jasmin Rosenstock
VAT-ID: DE455096022
Data protection inquiries: data-protection@digitalfreedom.co.za
General inquiries: hello@digitalfreedom.co.za
CivoCloudManager is an independent native macOS client for the Civo Cloud platform operated by Civo Ltd. “Civo” is a trademark of Civo Ltd.; the publisher of CivoCloudManager is not affiliated with Civo Ltd.
2. GDPR as the global baseline
We adopt the EU General Data Protection Regulation (GDPR) as the strictest baseline and apply it as a global floor — every visitor, in every country, benefits from at least the GDPR-level protections set out here. We additionally respect any applicable local data-protection law (UK GDPR, Swiss FADP, CCPA/CPRA, PIPEDA, Australian Privacy Act, LGPD, APPI, PIPA, DPDP Act, POPIA, etc.); where it is more protective for you, the more protective standard applies.
3. What we collect on this website
3.1 Hosting (server log data)
The site is hosted on GitHub Pages. When you load a page, GitHub processes:
- IP address
- browser user-agent string
- requested URL and timestamp
- referrer URL (where available)
Purpose: deliver the page and protect against abuse (rate limiting, anti-DDoS). Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating a secure website). Retention: per GitHub's policies. International transfer is covered by the EU-US Data Privacy Framework. See GitHub's General Privacy Statement.
3.2 Browser local storage
The site sets two keys in your browser's localStorage:
theme— your light/dark preference, only when you actively switch the theme. No personal data, never transmitted to a server.cookie-consent— your decision on the cookie banner (grantedordenied). Set when you click Accept or Decline.
You can clear both entries any time in your browser settings. Legal basis: § 25(2) No. 2 TTDSG (strictly necessary for the user-chosen function).
3.3 Google Analytics 4 with Consent Mode v2
Provider: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (for users in the EU).
We use Google Analytics 4 to understand which content works. Cookies and personalised measurement only run after you accept the cookie banner.
Before consent, only cookieless, aggregated pings are sent to Google — Consent Mode v2 defaults (ad_storage, ad_user_data,
ad_personalization, analytics_storage) are all set to denied before gtag.js loads.
Data processed after consent: pseudonymous client ID, IP address (anonymised on Google's side), page URL, referrer, language, screen size, time on page, interactions with the cookie banner. Purpose: aggregated reach and engagement measurement. Retention: 14 months (GA4 default).
Legal basis:
- Cookies and personalised measurement: Art. 6(1)(a) GDPR (consent) + § 25(1) TTDSG.
- Cookieless aggregated pings before consent: Art. 6(1)(f) GDPR (legitimate interest in aggregated reach measurement).
International transfer: data may be processed in the United States. Google relies on the EU-US Data Privacy Framework and EU Standard Contractual Clauses as the legal basis for transfers outside the EU.
You can withdraw consent at any time via the “Cookie settings” link in the footer. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
3.4 What we do not do on this website
- no marketing tracking pixels (Meta, LinkedIn, X)
- no third-party fonts (Geist is self-hosted from this domain — no connection to Google Fonts)
- no payment or checkout — purchases happen on Apple's Mac App Store
- no account creation, login or contact form on this website
- no newsletter signup on this website
- no audio, video or session-replay recording
4. Sub-processors used by this website
For the website itself, the following parties may process data on our behalf or as independent controllers:
| Party | Role | Location |
|---|---|---|
| GitHub, Inc. | Static site hosting (GitHub Pages), DNS routing, abuse protection | USA (EU-US DPF) |
| Google Ireland Ltd. (Google Analytics) | Aggregated analytics; cookieless before consent, full GA4 after consent | EEA, with onward transfer to Google LLC (USA) under EU-US DPF / SCCs |
| INWX GmbH & Co. KG | DNS hosting for the civo-cloud-manager.app zone | Germany |
CivoCloudManager (the macOS app) has no publisher backend. When you use the app, it talks directly to (a) the Civo REST API at
api.civo.com with your API key, (b) your own Kubernetes API endpoint via PKCS#12 client-certificate mTLS, (c) your own Object Store
endpoint over S3 with AWS Signature V4, (d) three public IP-detection services (ipify.org, ifconfig.me, icanhazip.com)
for firewall rule scoping, and (e) Apple's StoreKit for the In-App Purchase. Berger & Rosenstock GbR does not operate any server in the loop and
receives no data from your use of the app.
5. International data transfers
Transfers to the United States (GitHub, Google) are covered by the EU-US Data Privacy Framework (adequacy decision of 10 July 2023, Art. 45 GDPR) and additionally by EU Standard Contractual Clauses where required. We rely on the providers' contractual safeguards and on supplementary technical measures (TLS in transit, anonymisation on the provider's side).
6. Your rights
Under GDPR you have the right to:
- access the personal data we hold about you (Art. 15 GDPR)
- rectification (Art. 16 GDPR)
- erasure (Art. 17 GDPR)
- restriction of processing (Art. 18 GDPR)
- data portability (Art. 20 GDPR)
- object to processing on grounds of legitimate interest (Art. 21 GDPR)
- withdraw consent at any time, with effect for the future (Art. 7(3) GDPR)
- lodge a complaint with a supervisory authority — competent in Hesse: Der Hessische Beauftragte für Datenschutz und Informationsfreiheit, Postfach 3163, 65021 Wiesbaden
To exercise any of these rights, email data-protection@digitalfreedom.co.za.
6.1 Additional regional rights
- California (CCPA/CPRA): right to know, delete, correct, opt out of sale/sharing, limit use of sensitive personal information, and non-discrimination. We do not sell or share personal information for cross-context behavioural advertising.
- UK (UK GDPR): equivalent rights to the EU GDPR list above. Supervisory authority: Information Commissioner's Office (ICO).
- Switzerland (FADP): equivalent rights; supervisory authority: FDPIC (Bern).
- Canada (PIPEDA): access, challenge accuracy, withdraw consent.
- Australia (Privacy Act): access, correction, complaint to OAIC.
- Brazil (LGPD): confirmation, access, correction, anonymisation/blocking/deletion, portability, information about shared data, consent revocation.
7. Children's privacy
This website is not directed at children. We do not knowingly collect personal data from children under 16 (or the applicable age of consent in your jurisdiction).
8. Changes to this policy
We may update this policy when the website's data flows change (for example if new analytics or hosting providers are introduced). The current version is always available at this URL with the effective date at the top.
9. Contact
DigitalFreedom — a brand of Berger & Rosenstock GbR
Dieselstr. 22e · 61231 Bad Nauheim · Germany
Data protection: data-protection@digitalfreedom.co.za
General: hello@digitalfreedom.co.za
© 2025–2026 DigitalFreedom — Berger & Rosenstock GbR. All rights reserved.