# Privacy & Data Handling This page explains, in plain language, what data is processed in connection with Flopsar — by the product itself, by Flopsar Technology Sp. z o.o. as a company, and by the websites operated under the `flopsar.com` domain. It is meant to be readable without legal training; the corresponding legal analysis is in GDPR Considerations. ## At a glance * Flopsar is **on-premise** software. Once it is installed by the customer, no data leaves the customer's environment as part of normal product operation. * **Flopsar Technology Sp. z o.o. does not receive telemetry, usage analytics, or any operational data from running Flopsar deployments.** There is no "phone home" mechanism in the product. * The product **does not require an internet connection** to operate. License activation, when required, is performed using files rather than online activation calls. * The only personal data that Flopsar Technology Sp. z o.o. processes is data we receive directly: support tickets, vulnerability reports, inquiries through web forms, and visits to our websites. None of that data comes from a running Flopsar deployment. * All processing carried out by Flopsar Technology Sp. z o.o. takes place within the **European Union**. ## The on-premise principle Flopsar is installed and operated by the customer, on the customer's own servers, within the customer's own network. The customer chooses what to instrument, which users have access, what to log, and how long to keep data. Flopsar Technology Sp. z o.o. has no remote access to the deployment, no maintenance backdoor, and no built-in mechanism that transmits operational data out of the customer's environment. This is a deliberate design choice. We do not believe an observability product should require its operator to send production data to a third party in order to use it. A consequence of this design is that Flopsar Technology Sp. z o.o. is not in a position to access, view, or otherwise handle any data processed by a customer's deployment, even on request. Where a customer needs us to look at data from their deployment in the course of support (for example, a stack trace or an excerpt of an audit log), the customer must export and share that data with us explicitly. The corresponding contractual context is described in Customer support. ## Data within a customer's Flopsar deployment Although Flopsar Technology Sp. z o.o. does not see this data, customers should know what their own deployment may store, so that they can govern it appropriately. The product distinguishes the following categories: ### Operator user accounts The Flopsar Server maintains a directory of user accounts for the people who log in to the Flopsar Workstation. For each account, the server stores: * a username chosen by the customer's administrator; * an optional display name; * a password hash (computed with **scrypt**; clear-text passwords are never stored); * the role or roles assigned to the account; * the timestamps of account creation, last login, and last password change. Where the customer has enabled LDAP or single sign-on integration, authentication is delegated to the customer's identity provider and the Flopsar Server caches only the attributes needed for authorisation. ### Audit log The Flopsar Server writes an audit log entry for security-relevant events, including: successful and failed logins, account creation, permission changes, configuration changes, certificate updates, and license activations. Each entry contains a timestamp, the identifier of the actor, the source IP address, and a description of the action. The audit log is rotated according to the customer's logging policy (see Logging). ### Application telemetry collected by the agent The Flopsar Agent runs inside the customer's JVM applications and captures performance data. **By default**, the captured data consists of: * the names of the instrumented Java methods; * the time taken by each invocation; * the call stack; * the JVM thread on which the method ran; * garbage collection and resource metrics about the JVM itself. By default, the agent **does not** capture the values of method arguments, the contents of HTTP requests or responses, the contents of SQL statements, or any other end-user-visible payload. Customers may opt in to **deeper instrumentation** that captures method parameter values or exception payloads. In that mode, the data captured may incidentally include personal data of the customer's end users, depending on what the instrumented application processes. The product provides three mechanisms to control this: * Instrumentation profiles, which select the set of methods that are instrumented; * Filters & Services, which exclude entire classes or methods from instrumentation; * Data Masking, which redacts values matching configured patterns before they are persisted. The default instrumentation does not require deeper data capture, and customers who do not need it can leave it disabled. ### Configuration and operational state The Flopsar Server stores its own configuration on disk: the `settings.toml` file, the master key (`master.key`), TLS certificates, and the licensing data. None of this contains personal data of end users. ### Retention The customer determines how long data is retained: * audit log: governed by the customer's logging configuration; * application telemetry: governed by the `[archive]` policy in `settings.toml`, which supports time-bounded retention with automatic purge; * user accounts: retained as long as the account exists; * configuration: retained for the lifetime of the deployment. There is no built-in maximum retention period imposed by the product. ## Data not collected by the product To make the on-premise principle concrete, we list explicitly what the product does **not** do: * It does not send telemetry, usage statistics, performance counters, crash reports, configuration data, or any other operational data to Flopsar Technology Sp. z o.o. * It does not contact any server operated by Flopsar Technology Sp. z o.o. as part of its normal operation. * It does not check for updates automatically. Updates are delivered through the customer's chosen package distribution channel (Linux package repository or container registry); the customer initiates the update. * It does not validate the license online; license activation is performed using a license file generated by Flopsar Technology Sp. z o.o. and applied by the customer. * It does not include any analytics SDK, advertising library, or third-party tracking component. If you observe network traffic from a running Flopsar component to a destination operated by Flopsar Technology Sp. z o.o., please report it to `security@flopsar.com`; we will treat such a report as a potential vulnerability. ## Data processed by Flopsar Technology Sp. z o.o. as a company There are limited contexts in which Flopsar Technology Sp. z o.o. processes personal data directly. These are unrelated to the operation of the product. ### Documentation and corporate website When you visit `docs.flopsar.com` or `flopsar.com`, our servers log the following technical information, which is necessary for the operation and security of the website: * the request URL, HTTP method, response code, and response size; * the timestamp; * the IP address from which the request originated; * the `User-Agent` header sent by your browser; * the `Referer` header, where present. These logs are retained for **``** for security and operational analysis, after which they are deleted. They are not used for advertising or profiling, and they are not shared with third-party analytics services. ### Customer support When a customer contacts us for support, we process the contact details of the person submitting the ticket (name, email address, employer) and the content of the ticket. Where the ticket includes excerpts of logs, configuration files, or other artefacts exported from a Flopsar deployment, we process those too — but only for the duration of the support engagement and only to the extent necessary to resolve the issue.
The customer remains the controller for any operational data they choose to share with us in this context. Our handling of that data is governed by the support agreement that accompanies the customer's license. ### Vulnerability reports When a person reports a vulnerability to `psirt@flopsar.com` or via the [vulnerability disclosure web form](https://flopsar.com/security/report), we process the contact details they provide (if any), the technical content of the report, and any data inadvertently included in the report. The corresponding processing is described in Section 11 of the Vulnerability Disclosure Policy. Reports may be submitted anonymously; in that case, no identifying information is processed. ### Marketing and sales Business contact details voluntarily provided to us — for example, in a request for a demonstration, a sales meeting, or a download — are processed for the purpose for which they were submitted. We do not buy contact lists from third parties. ## Where data is stored All processing carried out by Flopsar Technology Sp. z o.o. takes place **within the European Union**, on infrastructure operated by Flopsar Technology Sp. z o.o. or by EU-based service providers. No personal data is transferred outside the European Economic Area as part of the processing described on this page. ## Sharing with third parties We do not sell personal data. We share personal data with third parties only in the following limited circumstances: * with **service providers** that operate the websites and our internal IT infrastructure, under written contracts that bind them to act on our instructions and to apply equivalent protection measures; * with **national CSIRTs and ENISA**, in connection with the reporting obligations under Article 14 of Regulation (EU) 2024/2847 (the Cyber Resilience Act); * with **public authorities**, where required by law. A list of service providers is available on request. ## Your rights Where Flopsar Technology Sp. z o.o. processes personal data about you as controller, you have the rights granted by Chapter III of the General Data Protection Regulation, including the rights of access, rectification, erasure, restriction, portability, and objection. To exercise these rights, please contact: > **Email:** `` > > **Postal address:** Flopsar Technology Sp. z o.o., ul. Mokotowska 1, 00-640 Warsaw, Poland You also have the right to lodge a complaint with the supervisory authority — in Poland, the Prezes Urzędu Ochrony Danych Osobowych (). For data processed by a **customer's** Flopsar deployment, please contact that customer directly; we have no access to that data and cannot respond on the customer's behalf. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.flopsar.com/7/privacy-and-data-handling.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.