Data Protection & Sovereignty Matrix

Privacy Policy

Sartillum Global Infrastructure Data Processing & Privacy Framework.

Last Updated: May 31, 2026
Compliance: UK GDPR / Data Protection Act 2018
Classification: Public

EXECUTIVE PRIVACY SUMMARY

Sartillum acts as both a Data Controller (for our registered customers' accounts) and a Data Processor (for the Next.js applications, repositories, and environment variables you host on our servers). This document details our absolute commitment to technical encryption, strict access boundaries, and statutory compliance under United Kingdom data protection statutes. We never rent, trade, or monetize your source code, configuration values, or operational datasets.

1. Corporate Identification and Regulatory Preamble

This global Privacy Policy establishes the legal, technical, and operational architecture governing the collection, indexing, preservation, transmission, and protection of data assets managed by Sartillum Limited ("Sartillum", "We", "Us", or "Our"), a corporate body established and operating under the regulatory laws of the United Kingdom.

As a premier developer-centric infrastructure enterprise specializing in managed Next.js hosting environments, serverless computing loops, edge routing stacks, and global domain name services (DNS), our operational framework touches complex varieties of data. This document outlines your precise constitutional rights, security entitlements, and our legally binding duties under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and any applicable international cross-border data protection treaties.

2. Architectural Classifications: Data Controller vs. Data Processor

To provide maximum clarity and absolute loophole-free accountability, Sartillum distinguishes its legal data processing positions into two separate, well-defined operational categories:

2.1 Sartillum as a Data Controller

Sartillum operates strictly as a Data Controller regarding the core biographical, financial, administrative, and configuration profiles submitted by you to establish and fuel your account on our dashboard interface. This category encompasses account registration metrics, name configurations, primary corporate email addresses, linked payment metadata, and telemetry datasets pulled from developer interaction loops.

2.2 Sartillum as a Data Processor

Sartillum operates strictly as a Data Processor regarding any and all third-party end-user datasets, transactional records, log streams, Application Source Code repositories, operational databases, and configurations compiled, stored, pulled, or routed through the Next.js application profiles that you deploy onto our infrastructure clusters.

You retain absolute, individual status as the Data Controller for your specific application's consumer files. You guarantee to Us that you maintain full constitutional authorization, clear legal consent, or appropriate statutory legal grounds to handle and process such end-user data blocks on our hosting network.

3. Taxonomy of Data Fields Collected and Processed

We process minimal, highly deliberate data fields that are strictly necessary to provision, optimize, protect, and invoice your managed high-performance hosting clusters.

3.1 Account Infrastructure and Administrative Details

During administrative platform initialization or update steps, we log:

  • Identity Metadata: First and last name, corporate organization designation, signature keys, and geographical tax residences.
  • Communication Records: Corporate electronic email addresses, telephone contact links, and contextual logs of your technical support inquiries submitted through our contact channels.
  • Cryptographic Authentication Keys: Salted and hashed credential vectors, platform access tokens, OAuth identifiers transmitted via integrated Git platform entities (such as GitHub, GitLab, and Bitbucket).

3.2 Transactional and Enterprise Subscription Records

To handle premium recurring subscription tiers, dynamic overage tracking, or add-on compute scaling blocks, we process billing details. Financial processing is managed securely via automated merchant-of-record networks and third-party payment gateways. We retain structured logs detailing billing histories, subscription variants, currency preferences, the last four digits of primary credit instruments, card expiration timelines, and transaction references. Full raw payment card numbers are never stored on our database engines.

3.3 Hosting Infrastructure Payload Data (The Deployment Stack)

To fulfill our managed hosting commitments for your Next.js software environments, our network engines programmatically parse and ingest:

  • Application Source Code: Raw and compiled software scripts, code blocks, component structures, asset pipelines, and package configurations transmitted through webhook automations.
  • Environment Variables and Configuration Secrets: Cryptographic keys, API tokens, database connection endpoints, and operational system configurations injected by you to fuel your localized applications.
  • Domain Information & DNS Settings: Global routing logs, zone files, TLS/SSL certificate states, and canonical mapping records applied to guide live web audiences to our host nodes.

4. Internal Access Rights, System Visibility, and Secret Management

Because our platform provisions managed hosting configurations, our infrastructure layers utilize specific architectural visibility matrices to secure, run, and scale your application instances.

4.1 Engineering Access and Troubleshooting Disclosures

Our engineering team does not read or parse your private application code files or database structures out of idle curiosity. Access to your live code repositories, active server containers, and raw system files is strictly limited to situations where it is required by automated orchestration scripts, or where an authorized Sartillum engineer is actively responding to an operational incident, performance degradation, infrastructure exploit, or a formal technical support request initiated by you.

4.2 Isolation and Storage of Sensitive Environment Variables

We recognize that your Next.js Environment Variables contain your most sensitive enterprise secrets, database credentials, and external API integrations. Sartillum encrypts these variables at rest within our orchestration configuration databases.

However, you acknowledge and accept that to compile, optimize, and run your Next.js application, these variables must be decrypted, parsed, and injected as plain-text arguments into the isolated serverless runtimes, edge isolates, or container systems that run your code. Our underlying systems and platform management utilities retain technical visibility into these variables during normal execution. You are responsible for ensuring that your application does not unintentionally expose these variables via public log outputs or error tracking screens.

5. Legal Grounds for Data Processing Loops

Under the UK GDPR framework, Sartillum relies on specific legal bases to process your information:

  • Contractual Performance: Processing is required to fulfill our obligations under our Terms and Conditions, including establishing your account, processing your subscription payments, and running your web builds.
  • Legitimate Interests: To protect our infrastructure from malicious cyber attacks, DDoS attacks, and systemic platform abuse, and to optimize the performance of our global edge delivery networks.
  • Legal Compliance: To comply with mandatory corporate accounting regulations, tax rules, anti-money laundering laws, and official requests from United Kingdom law enforcement or judicial authorities.

6. Third-Party Sub-Processors and Data Distribution

Sartillum does not sell or distribute your personal details, corporate contact info, or source code systems to data brokers, ad networks, or third-party marketing companies. To provide high-performance cloud hosting services, we share specific data with a limited number of trusted sub-processors:

  • Cloud Infrastructure Providers: Bare-metal hosting suppliers, Tier-3 data center nodes, and global Anycast CDN networks located within the UK, EU, and global edge points to run our server networks.
  • Payment Processors: Enterprise payment platforms (e.g., Stripe) used to securely manage automated subscription invoicing.
  • Analytics and Logging Utilities: Centralized error tracking, log aggregation tools, and internal performance analytics used to monitor platform metrics and network health.

7. Data Retention Boundaries and Deletion Timelines

We retain your account profile data and transactional records for as long as your corporate administrative account remains active on Sartillum.

If you choose to delete your account or cancel your premium subscription tiers, we initiate an automated data retention timeline. All hosted Next.js application repositories, compiled serverless build folders, static assets, domain configurations, and decrypted Environment Variables are permanently purged from our active operational server directories following a standard safety interval of thirty (30) days. This safety window allows for account recovery in the event of accidental deletion.

Once this safety interval expires, these files are completely erased and cannot be recovered. Backups and system logs may persist within encrypted cold-storage archives for a maximum of ninety (90) additional days before being completely overwritten. Minimal accounting, billing logs, and tax records are retained longer to comply with UK corporate reporting statutes.

8. International Data Transfers and Global Routing Realities

Sartillum is headquartered within the United Kingdom, and we prioritize storing your core account details and build files within UK and European data centers. However, because our service includes edge content delivery networks (CDNs) and Anycast DNS routing networks, your application's public web assets, API routes, and network traffic will be dynamically mirrored, cached, and processed across a distributed network of global edge nodes.

This means data packets may be processed in jurisdictions outside the UK or European Economic Area (EEA) that have different data privacy laws. When making these international transfers, Sartillum ensures that appropriate safety measures are in place, including Standard Contractual Clauses (SCCs), to guarantee that your information receives an equivalent level of legal protection wherever it is handled. By using our services, you acknowledge and accept these distributed global routing patterns.

9. Definitive Constitutional Rights Under UK GDPR

If you access our services from the United Kingdom or the European Union, you possess comprehensive legal rights regarding your personal information under the UK GDPR and the Data Protection Act 2018. You can exercise these rights at any time:

  • The Right of Access: You can request a complete, structured copy of all personal details and account records that Sartillum holds about you.
  • The Right to Rectification: You can demand that we immediately correct any inaccurate, outdated, or incomplete data fields in your profile.
  • The Right to Erasure ("Right to be Forgotten"): You can request that we permanently delete your administrative account records and deployment assets, subject to our statutory tax reporting duties.
  • The Right to Restrict Processing: You can request that we temporarily suspend processing your data while you challenge its accuracy or our legal processing grounds.
  • The Right to Data Portability: You can request that we export your core account data in a clean, machine-readable, structured JSON format so you can transfer it to another provider.

To exercise any of these rights, please submit a formal request to our compliance team through our verified legal intake portal at sartillum.co.uk/contact. We will review and respond to your request within thirty (30) calendar days, free of charge, after verifying your identity credentials.

10. Cookies, Session Tokens, and Telemetry Tracking

Sartillum utilizes technical cookies, local storage blocks, and cryptographic session tokens on our dashboard website. These identifiers are strictly necessary to maintain your authenticated login state, keep your control panel secure, prevent cross-site request forgery (CSRF) attacks, and manage premium subscription checkouts.

We also track basic, anonymized developer usage telemetry, such as dashboard loading speeds, build success percentages, and button clicks. This data helps us optimize our UI workflows and find performance bugs in our Next.js compilation pipelines. We do not run intrusive third-party cross-site advertising cookies or behavioral tracking networks on our developer platform. You can disable cookies in your web browser settings, but doing so may cause the Sartillum control panel to stop functioning correctly.

11. Information Security Architecture and Incident Response Protocols

We implement comprehensive, modern security measures to protect your application code, environment secrets, and personal information. These include transport layer security (TLS/SSL) encryption for all incoming and outgoing data, isolated container sandboxing for all runtime execution loops, strict access controls for our infrastructure engineers, and regular security patching.

However, no web application or cloud infrastructure network is completely immune to security threats. In the event of a security incident, data breach, or unauthorized infrastructure intrusion that impacts your account data, Sartillum will initiate our incident response protocol. We will notify the United Kingdom Information Commissioner's Office (ICO) and contact you directly via your registered administrative email address within seventy-two (72) hours of confirming the breach, providing details on the nature of the incident, the risks involved, and our remediation steps.

12. Revisions to this Privacy Framework

Sartillum reserves the right to modify, adjust, or rewrite this Privacy Policy at any time to reflect updates to our hosting infrastructure, new feature rollouts, or changes to international data protection laws.

When we make material updates to this policy that affect how we handle your personal data or reduce your privacy rights, we will provide at least thirty (30) days of advance notice. We will communicate these updates through notifications on your platform dashboard control panel or via direct email dispatches to your primary account email. Your continued use of our hosting network after the updated policy takes effect constitutes your full acceptance of the revised privacy framework.

13. Compliance Contacts and Regulatory Oversight

If you have questions, concerns, or complaints regarding this Privacy Policy, our data handling methods, or our compliance with UK GDPR, please contact our compliance team directly through our verified portal:

Official Privacy Intake Portal

All formal data protection inquiries must be submitted electronically.

sartillum.co.uk/contact

If you feel that Sartillum has not addressed your privacy concerns adequately, you have the statutory right to lodge a formal complaint with the UK supervisory authority: the Information Commissioner's Office (ICO) via their website at ico.org.uk.

Sartillum Cloud Security & Infrastructure Protection Registry. All platform actions logged under UK Compliance protocols.