Brewale — Privacy Policy
Last updated: June 18, 2026
Effective date: June 18, 2026
This Privacy Policy explains how Ankerstjerne Labs ("Brewale", "we", "us"), CVR 46507266, Denmark, processes personal data when you use the Brewale Service at brewale.dev and mcp.brewale.dev.
Brewale is the data controller for personal data processed about you as an account holder, billing contact, or visitor.
For personal data you upload as Customer Content or that Brewale processes on your behalf in connection with the Service, Brewale acts as a data processor; see the Data Processing Agreement for the controller-processor terms.
1. Contact
- Privacy contact: privacy@brewale.dev
- Legal: legal@brewale.dev
- Security: security@brewale.dev
- Postal: Ankerstjerne Labs, CVR 46507266, Paradisæblevej 54, 4. TH, 2500 Valby, Denmark
Brewale is not required to appoint a Data Protection Officer under GDPR Article 37 and has not done so.
2. Scope
This Privacy Policy covers personal data Brewale collects from and about:
- account holders (administrators and members of organizations)
- billing contacts
- visitors to brewale.dev
- third parties whose data appears in Customer Content or in Integration data (see Section 4)
It does not cover personal data processed by third parties listed in Section 6 under their own privacy notices.
3. Personal data we collect
| Category | Examples | Source |
|---|---|---|
| Account identity | Name, email address, password (stored as a one-way scrypt hash); or, if you use "Sign in with Google", your email, name, and Google account ID instead of a password | Directly from you, or from Google on your sign-in |
| Organization membership | Organization name, your role, access permissions | Directly from you / your administrator |
| Customer Content | Skills, conventions, configurations you create | Directly from you |
| Integration credentials | OAuth tokens for connected third-party services (GitHub, Asana, custom MCP endpoints you configure) | OAuth flow you initiate |
| Integration data | Data Brewale fetches from connected services to fulfil your Integration requests | Third-party service, on your authorization |
| GitHub integration metadata | Repository owner and name, app installation ID, the user who connected it, and the commit author and SHA of synced or published content | GitHub, on connection |
| Authentication security data | TOTP secret and backup codes for two-factor authentication (stored encrypted) | Directly from you, on 2FA setup |
| Billing identifiers | Name, email, billing address (minimal — payment details handled by Polar) | Directly from you |
| Communications | Support tickets, account-related correspondence | Directly from you |
| Technical and security logs | IP address, user agent, URL path, timestamp, response status, authentication events, application errors | Automatic, on use |
| Service usage metadata | Organization, user, and content identifiers, request timestamps. Not the content body itself. | Automatic, on use |
We do not knowingly collect or process special categories of personal data (GDPR Article 9). You must not upload special-category personal data into Customer Content unless you have implemented appropriate safeguards under GDPR Article 9; the Service is not designed for it.
Where Brewale receives personal data of third parties as part of Customer Content or via Integrations, you are responsible for ensuring those individuals have been informed and that any required legal basis is in place. Brewale acts as a Processor for such data under the DPA.
4. How we use your data, and on what legal basis
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Create and maintain your account, deliver the Service | Contract — Art. 6(1)(b) |
| Process payments via Polar (Merchant of Record) | Contract — Art. 6(1)(b) |
| Send service and transactional emails (verification, password reset, billing notices) | Contract — Art. 6(1)(b) |
| Provide customer support | Contract — Art. 6(1)(b) |
| Security logging, abuse prevention, rate limiting | Legitimate interest — Art. 6(1)(f) |
| Service usage metadata for billing reconciliation and breach forensics | Legitimate interest — Art. 6(1)(f) |
| Retain billing records | Legal obligation — Art. 6(1)(c) (DK bogføringsloven § 12) |
| Defend, establish, or exercise legal claims | Legitimate interest — Art. 6(1)(f) |
| Product analytics (aggregate, cookieless — see Section 12) | Legitimate interest — Art. 6(1)(f) |
| Send marketing communications (when offered in future) | Consent — Art. 6(1)(a) |
For legitimate-interest activities we have balanced our interests against your rights and freedoms. The processing is necessary to operate and protect the Service, is limited to what is needed for the stated purpose, and is what you would reasonably expect when using a hosted Service of this kind.
5. Automated decision-making
Brewale uses automated processes for trial eligibility checks (in cooperation with Polar) and for billing-related access suspension. These do not constitute decisions producing legal or similarly significant effects on you under GDPR Article 22.
6. Recipients of your data
We share personal data only with:
Our processors (subprocessors). A current list, including each subprocessor's location and role, is published at /subprocessors. Subprocessors are bound by data-processing terms equivalent to those in our DPA. Brewale will give reasonable advance notice of new subprocessors so business Customers may object.
Independent controllers.
- Polar Software Inc. (United States) — processes payments as Merchant of Record. Polar receives your name, email, and billing address; payment-card data is collected by Polar directly and is not shared with Brewale. Polar processes this data under its own privacy policy.
- Google Ireland Limited — provides federated sign-in (OAuth) when you choose "Sign in with Google". You authenticate directly with Google under your existing Google account and its own privacy policy; Brewale then receives your email address, name, and a Google account identifier to create or match your Brewale account. Google acts as an independent controller for the authentication itself.
Customer-connected integrations. When you connect an integration — GitHub, Asana, or a custom MCP endpoint you configure — Brewale transmits the relevant Customer Content and credentials to that service at your instruction and to your own account there. That service then processes the data under its own terms and your relationship with it, not as a Brewale subprocessor. See /subprocessors.
Others, only when needed:
- law enforcement, regulators, or courts when required by law or to respond to a lawful request
- professional advisors (lawyer, accountant) under a duty of confidentiality
- a successor in a merger, acquisition, reorganization, or sale of assets (subject to the assignment clause of the Terms of Service)
We do not sell your personal data. We do not use Customer Content to train AI or machine-learning models.
7. International transfers
Brewale's own infrastructure and subprocessors are located in the European Union or European Economic Area.
Transfers arise from the independent controllers in Section 6:
- Polar Software Inc., located in the United States, acts as an independent controller for payment processing. The transfer to Polar is covered by Polar's own transfer mechanism (EU-US Data Privacy Framework and/or Standard Contractual Clauses) and is limited to the minimal billing identifiers described in Section 6.
- Google Ireland Limited acts as an independent controller for "Sign in with Google" federated authentication. While the contracting entity is in the EU, Google may process authentication data in the United States under its own transfer mechanism (EU-US Data Privacy Framework and/or Standard Contractual Clauses). This applies only if you choose to sign in with Google.
Transfers also arise when you connect an integration: the data goes to that service's location. GitHub is located in the United States; a custom MCP endpoint is wherever you point it. These transfers happen on your instruction and configuration of the Service.
8. Retention
| Data | Retention period |
|---|---|
| Account identity (name, email, password hash) | While the account is active; deleted within 30 days after account closure |
| Organization membership and access controls | While the organization exists; deleted within 30 days |
| Customer Content (skills, conventions, integration configs) | While the account is active; 30-day export window after termination, then deleted |
| Backups | 90 days |
| Technical and application logs (request metadata, errors) | 30 days |
| Security and authentication audit logs | 90 days |
| Service usage metadata (organization, user, content identifiers, timestamps) | 90 days |
| Email communications (Brevo records) | 2 years |
| Billing-relevant records held by Brewale | 5 years after the last transaction, as required by DK bogføringsloven § 12 |
| Polar-held billing data | Per Polar's privacy policy |
Where required by law (in particular bookkeeping rules), Brewale retains records for the statutory minimum even if you exercise a right of erasure.
9. Storage and security
Customer data is stored in databases located within the European Union and encrypted at the storage layer by our hosting provider. Sensitive credentials — including OAuth tokens for connected Integrations, and two-factor authentication secrets and backup codes — are additionally encrypted at the application layer using AES-256-GCM before being written. Account passwords are stored as one-way scrypt hashes. OAuth refresh tokens issued by Brewale are stored hashed.
Access to production systems is limited to authorized personnel using strong authentication.
In the event of a personal-data breach affecting your data, Brewale will notify you within 72 hours of confirmation in accordance with GDPR Articles 33–34.
10. Your rights
Subject to GDPR you have the right to:
- Access — receive a copy of the personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure — have your data deleted, subject to legal-retention overrides
- Restriction — restrict our processing in certain circumstances
- Portability — receive your data in a machine-readable format and have it transmitted to another controller where technically feasible
- Object — object to processing based on legitimate interest, including profiling
- Withdraw consent — where processing is based on consent, at any time, without affecting prior lawful processing
- Not be subject to automated decisions with legal or similarly significant effects (none currently applied by Brewale; see Section 5)
To exercise any right, email privacy@brewale.dev. We respond within one month and may extend the period by two further months for complex requests, with notice to you.
You also have the right to lodge a complaint with the Danish Data Protection Authority (Datatilsynet, https://www.datatilsynet.dk) or the supervisory authority in your country of residence.
11. Children
The Service is intended for users aged 18 or older. Brewale does not knowingly collect personal data from anyone under 18. Accounts identified as belonging to a minor will be terminated and associated data deleted.
12. Cookies and tracking
Brewale uses only strictly necessary cookies to operate the Service. They fall into two categories:
| Category | Purpose | Duration |
|---|---|---|
| Authentication session | Keep you signed in and protect your session | Session-bound; set by our authentication library |
| OAuth flow state | Protect against CSRF and preserve state during sign-in or Integration connection flows (e.g. Asana, GitHub, custom MCP) | Short-lived; deleted automatically when the flow completes |
Strictly necessary cookies are exempt from consent under the ePrivacy Directive as implemented in Denmark, so the Service does not display a cookie consent banner.
Analytics. Brewale uses Plausible Analytics, self-hosted on Brewale's own infrastructure within the European Union. Plausible is cookieless: it sets no cookies or other identifiers on your device, does not track you across sites or over time, and collects only aggregate usage statistics. No personal data is shared with any third party for analytics purposes. Because no cookies or similar identifiers are used, no consent is required for this measurement.
Brewale does not use advertising or third-party tracking cookies on the Service.
13. Changes to this Privacy Policy
Brewale may update this Privacy Policy from time to time. Non-material changes take effect on publication. Material changes — including changes to purposes, legal bases, retention periods, or new categories of recipients — will be communicated by email and in-app banner at least 30 days before they take effect, where you are an account holder.
The subprocessor list at /subprocessors is maintained separately and updated as subprocessors change, with notice as described in Section 6.
14. Complaints
For privacy questions or concerns, contact privacy@brewale.dev. If you remain dissatisfied with our response, you can complain to:
Datatilsynet (Danish Data Protection Authority)
Carl Jacobsens Vej 35, 2500 Valby, Denmark
https://www.datatilsynet.dk