Privacy Policy
Last updated: May 5, 2026
Controller
This Privacy Policy explains how Boilerplate Ventures UG (haftungsbeschränkt), Galenusstraße 63D, 13187 Berlin, Germany, registered with the commercial register of Amtsgericht Charlottenburg under HRB 273526 B, represented by its managing director Fridland Dimitri, processes personal data in connection with Frontman.
You can contact us at [email protected].
Scope
This Privacy Policy applies to the Frontman website, hosted Frontman service, accounts, support, billing-related interactions, product analytics, and related communications.
When a business customer uses Frontman to process personal data contained in its own codebase, prompts, logs, screenshots, DOM data, or project history, the customer is usually the controller and we act as processor. In that case, our Data Processing Agreement applies in addition to this Privacy Policy.
Categories of Personal Data
We may process the following categories of personal data:
- account data, such as name, email address, login information, business information, and account settings;
- billing and transaction data, such as billing address, subscription status, tax information, payment status, and Stripe or Link transaction identifiers;
- support and communication data, such as messages, requests, feedback, and related metadata;
- website usage data, such as pages visited, referrers, approximate location, device information, browser information, cookie consent status, and marketing analytics events;
- product usage data, such as feature usage, interaction events, session metadata, diagnostics, error reports, performance data, and product analytics events;
- Customer Content processed through Frontman, such as prompts, instructions, source-code snippets, project files, generated output, DOM structure, component information, screenshots, logs, routes, source maps, build errors, tool results, and task history;
- credentials and connection data, such as encrypted API keys, OAuth connection metadata, provider identifiers, and provider configuration;
- security data, such as IP addresses, authentication events, audit logs, abuse indicators, and fraud-prevention signals.
Purposes and Legal Bases
We process personal data for the following purposes and legal bases under the GDPR:
- to provide, operate, secure, and maintain Frontman, based on contract performance or pre-contractual steps under Article 6(1)(b) GDPR;
- to manage accounts, subscriptions, trials, billing, and customer support, based on contract performance under Article 6(1)(b) GDPR;
- to process payments, fraud prevention, tax, invoices, and subscription administration through Stripe or Link, based on contract performance, legal obligations, and legitimate interests under Articles 6(1)(b), 6(1)(c), and 6(1)(f) GDPR;
- to improve and debug the service, analyze product usage, and understand feature adoption, based on legitimate interests under Article 6(1)(f) GDPR or consent where required;
- to use marketing analytics on the website, based on consent under Article 6(1)(a) GDPR where required;
- to send service, security, billing, and support communications, based on contract performance or legitimate interests under Articles 6(1)(b) and 6(1)(f) GDPR;
- to comply with legal obligations, enforce rights, prevent abuse, and protect the service, based on Articles 6(1)(c) and 6(1)(f) GDPR.
Customer Content and AI Providers
Frontman is an agentic development tool. To provide the service, Frontman may process Customer Content including prompts, code context, screenshots, DOM information, logs, source maps, build errors, project files, generated output, and task history.
Frontman uses a bring-your-own-key model. You choose and connect third-party AI providers using your own credentials or provider-authorized connection. When you use Frontman with a selected AI provider, we transmit the Customer Content needed for your request to that provider as instructed by you.
We do not use Customer Content to train or fine-tune AI models. Third-party AI providers process data according to their own terms, privacy notices, and data processing arrangements with you or with the relevant account holder.
API Keys and Credentials
API keys and provider credentials stored in the hosted service are encrypted server-side using application-level encryption. Authorized Frontman personnel and systems may access or decrypt credentials where necessary to provide, secure, maintain, troubleshoot, or support the service.
You should only connect credentials that you are authorized to use and should configure provider-side permissions, limits, and billing controls appropriately.
Cookies, Consent, and Analytics
We use essential cookies, local storage, and similar technologies to operate the website and service, remember consent choices, authenticate users, secure sessions, and provide core functionality.
On the marketing website, we use Google Analytics only after consent where required. Google Analytics helps us understand aggregate website usage such as pages visited, referrers, and marketing interactions.
Inside the authenticated hosted Frontman service, we use Heap Analytics to understand product usage, improve onboarding, and identify usability issues. Where consent is required, Heap is used based on consent; otherwise it is used based on our legitimate interest in improving and operating a B2B SaaS product.
You can manage cookie and analytics consent through the consent banner and browser settings. If you clear local storage or cookies, you may need to set your preferences again.
Error Monitoring and Diagnostics
We use Sentry for error monitoring and diagnostics. Sentry may process error messages, stack traces, device and browser information, IP address, user identifiers, performance data, and related diagnostic metadata.
We configure diagnostics to reduce the risk of collecting secrets, API keys, and Customer Content in error payloads. Because diagnostic filtering can be imperfect, you should avoid intentionally placing secrets in prompts, filenames, logs, URLs, or other fields that may appear in diagnostic data.
Payments and Billing
Paid subscriptions may be processed through Stripe Managed Payments. For eligible transactions, Stripe or its affiliate acts as merchant of record and the customer may see the transaction as sold through Link.
Stripe or Link may process payment details, billing address, tax information, invoices, receipts, fraud-prevention data, dispute data, subscription status, and transaction-level support data. Stripe or Link may communicate directly with you about payments, subscriptions, receipts, invoices, refunds, disputes, and order management.
We do not receive full card numbers from Stripe. Payment data is processed according to Stripe's and Link's applicable terms and privacy notices.
Hosting and Storage
The hosted Frontman service is hosted in the European Union using Hetzner infrastructure.
Conversation and task history is stored until you delete it. When you delete history, it is deleted from active systems, but backup copies may retain deleted data for up to 3 months before automatic backup expiry.
Some data may need to be retained longer where required for billing, tax, security, legal compliance, dispute resolution, or enforcement of rights.
Recipients and Subprocessors
We may share personal data with service providers and subprocessors that help us provide, secure, analyze, bill, and support Frontman. Our current list is available at Subprocessors.
We may also disclose personal data where required by law, court order, governmental request, payment network rules, Stripe or Link transaction processes, or to protect rights, security, and service integrity.
International Transfers
We primarily host the Frontman service in the European Union. Some providers, including analytics, payment, error monitoring, or customer-selected AI providers, may process data outside the European Economic Area.
Where required, we rely on appropriate safeguards such as adequacy decisions, Standard Contractual Clauses, supplementary measures, or other lawful transfer mechanisms.
Data Retention
We retain personal data only as long as necessary for the purposes described in this Privacy Policy, unless longer retention is required or permitted by law.
Typical retention periods include:
- account data for the duration of the account;
- Customer Content and task history until user deletion, subject to backup retention up to 3 months;
- billing and tax records for statutory retention periods;
- support communications for as long as needed to handle the request and maintain business records;
- security logs and diagnostic data for a limited period needed for security, debugging, and abuse prevention;
- analytics data according to the retention settings of the relevant analytics provider.
Your Rights
Subject to legal requirements, you may have the right to request access, rectification, erasure, restriction, portability, and objection to processing of your personal data. Where processing is based on consent, you may withdraw consent at any time with effect for the future.
You may exercise your rights by contacting [email protected].
You also have the right to lodge a complaint with a data protection supervisory authority. The supervisory authority responsible for Berlin is the Berliner Beauftragte für Datenschutz und Informationsfreiheit.
Security
We use technical and organizational measures designed to protect personal data, including encryption in transit, encrypted storage for sensitive credentials, access controls, backups, monitoring, and operational security processes. No internet-based service can be guaranteed to be absolutely secure.
Additional security measures are described in our Technical and Organizational Measures.
Children's Data
Frontman is a B2B service and is not intended for children. We do not knowingly collect personal data from children.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will update the "Last updated" date and provide additional notice where required by law.
Contact
For privacy questions or requests, contact us at [email protected].