Privacy Policy
Version 2.1 · Effective May 15, 2026
Macyou LLC (“we”, “our”, or “us”) is a limited liability company registered in Georgia (entity ID 445839503) that operates the MacYou platform at macyou.co. This Privacy Policy explains what personal data we collect, how we use it, and your rights in relation to it. By using our services you agree to the practices described here.
1. Introduction
MacYou provides dedicated Apple Mac Mini servers — both Bare Metal and VM instances — on a rental basis. This policy covers all data processing activities that occur when you visit our website, create an account, provision servers, or otherwise interact with the MacYou platform and services.
We take your privacy seriously. We collect only what is necessary to deliver and improve our services, and we do not sell your personal data to third parties under any circumstances.
2. Information We Collect
Account Data
When you register, we collect your name, email address, and — if you set a password — a bcrypt hash of that password. If you sign in via an OAuth provider (e.g. GitHub or Google), we receive your profile information from that provider, including your name, email, and profile picture, as permitted by the OAuth scope you approve.
Server & Usage Data
We log actions taken within your account: server provisioning and termination events, SSH key additions, API calls, dashboard page views, and billing operations. This data is stored in our PostgreSQL database on Supabase and used for activity auditing, billing accuracy, and support.
Payment Data
When payment processing is active, we use a third-party payment processor as our Merchant of Record. Your card details, billing address, and payment history are collected and stored by the payment processor directly. MacYou never sees or stores raw card numbers or full payment credentials. We receive only the information necessary to issue invoices and confirm successful charges (e.g. masked card last four digits, transaction IDs, invoice amounts).
Technical & Log Data
Our infrastructure providers (Vercel for hosting, Upstash Redis for rate limiting) automatically collect certain technical data: IP addresses, browser user-agent strings, HTTP request paths, response codes, and timestamps. IP addresses are stored transiently in Redis for rate-limiting purposes (TTL typically 60 seconds to 1 hour) and may appear in Vercel's server access logs for up to 90 days.
Cookies
We set a session cookie when you log in (see Section 8 for details). No third-party advertising or analytics cookies are placed on your device.
3. How We Use Information
- Service delivery: Provisioning, managing, and monitoring your Mac Mini servers; authenticating your identity; routing API requests.
- Billing: Generating invoices, processing payments, and maintaining financial records required by Georgian tax law.
- Support: Diagnosing technical issues, responding to support tickets, and auditing account activity logs.
- Security: Detecting abuse, enforcing rate limits, investigating suspicious activity, and protecting platform integrity.
- Communications: Sending transactional emails (server status alerts, invoices, password resets) via Resend. We do not send marketing emails without your explicit opt-in.
- Platform improvement: Aggregated, anonymized usage patterns help us improve performance and plan new features. We do not profile individual users for advertising.
4. Legal Basis for Processing
Under the GDPR and equivalent frameworks, we process personal data on the following legal bases:
| Processing activity | Legal basis (GDPR Art. 6) |
|---|---|
| Account creation & authentication | Performance of contract (Art. 6(1)(b)) |
| Server provisioning & management | Performance of contract (Art. 6(1)(b)) |
| Billing & invoicing | Performance of contract + Legal obligation (Art. 6(1)(b), (c)) |
| Transactional emails (alerts, invoices) | Performance of contract (Art. 6(1)(b)) |
| Security monitoring & rate limiting | Legitimate interest (Art. 6(1)(f)) — platform integrity |
| Fraud prevention (Turnstile, IP logging) | Legitimate interest (Art. 6(1)(f)) — fraud prevention |
| Abuse prevention & AUP enforcement | Legitimate interest (Art. 6(1)(f)) — network safety |
| Marketing emails & product updates | Consent (Art. 6(1)(a)) — opt-in only |
| Tax record retention (7 years) | Legal obligation (Art. 6(1)(c)) — Georgian tax law |
| Terms acceptance logging | Legal obligation (Art. 6(1)(c)) — contract evidence |
5. Data Sharing & Sub-processors
We do not sell, rent, or trade your personal data. We share data only with the sub-processors listed below, each bound by data processing agreements, and only to the extent necessary:
- Vercel: Server-side request logs, access logs, deployment artifacts.
- Supabase: All structured application data (accounts, servers, invoices, activity logs).
- Upstash: IP addresses and request counters (short TTL).
- Resend: Your email address and the content of transactional messages.
We may also disclose data where required by applicable law, court order, or governmental authority, and only to the extent legally compelled.
6. Data Storage & Security
All application data is stored in PostgreSQL hosted on Supabase. Connections to the database use TLS 1.3. Credentials and secrets (API keys, OAuth tokens) stored in the database are encrypted at rest using AES-256-GCM. User passwords are never stored in plaintext — they are hashed with bcrypt before being written to the database.
All traffic between your browser and our platform is encrypted with TLS 1.2+ (TLS 1.3 preferred). Our production infrastructure runs behind Cloudflare with Full (Strict) SSL enabled, HSTS enforced, and automatic HTTPS rewrites active.
Access to production databases and infrastructure is restricted to authorized MacYou personnel with strong authentication requirements. We conduct regular vulnerability scanning and maintain an incident response procedure. In the event of a data breach that affects your personal data, we will notify you in accordance with applicable law.
7. Data Retention
| Data category | Retention period | Basis |
|---|---|---|
| Account data | Duration of account + 7 days after deletion request | Contract performance |
| Server credentials (SSH/VNC) | Duration of server lifecycle, encrypted at rest (AES-256-GCM) | Contract performance |
| Activity logs | 90 days, then purged | Legitimate interest (security) |
| Terms acceptance records | 7 years | Legal obligation |
| Invoices & financial records | 7 years (Georgian tax law) | Legal obligation |
| Rate-limiting data (Redis) | 60 seconds to 1 hour (TTL) | Legitimate interest (security) |
| Server access logs (Vercel) | Up to 90 days (Vercel policy) | Legitimate interest (security) |
| IP addresses (registration) | Duration of account | Legitimate interest (fraud prevention) |
| Data export requests | 7 days after delivery | Contract performance |
When you request account deletion, your personal data is anonymized within 7 days. Financial records required by Georgian tax law are retained for 7 years with customer-identifying fields redacted.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Ask us to correct inaccurate or incomplete data.
- Deletion: Request erasure of your personal data, subject to legal retention requirements.
- Export / Portability: Receive your data in a machine-readable format.
- Objection: Object to certain processing activities, including direct marketing.
- Complaint: Lodge a complaint with a data protection authority in your jurisdiction.
Self-service options
You can exercise your right to data export, account deletion, and email preference management directly from your Dashboard → Settings page — no email required.
For all other requests, email [email protected]. We will respond within 30 days of receipt, as required by GDPR. We may need to verify your identity before processing the request.
10. International Transfers
Macyou LLC is registered in Georgia. Our production infrastructure (dedicated Apple Silicon nodes) is located in our Tbilisi, Georgia data center. Our sub-processors — Supabase, Vercel, Upstash, and Resend — may store or process data in the United States and/or the European Union, depending on the data center regions they use.
Where personal data originating in the EEA is transferred to sub-processors in the United States or other countries without an EU adequacy decision, we rely on the EU Standard Contractual Clauses (SCCs) 2021, Module 2 (Controller-to-Processor) executed with each sub-processor. For personal data originating in the United Kingdom, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as applicable.
Our Data Processing Agreement is available to all customers and incorporates the SCCs by reference, with Annexes I–III populated.
11. Children's Privacy
MacYou is a professional cloud infrastructure platform intended solely for users who are 18 years of age or older. We do not knowingly collect personal data from anyone under the age of 18. If you believe we have inadvertently collected data from a minor, please contact us immediately at [email protected] and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Effective date” at the top of this page and, where the changes are material, notify registered users by email via Resend. Your continued use of the platform after changes become effective constitutes your acceptance of the updated policy. We recommend reviewing this page periodically.
13. Contact Us
For privacy-related questions, data subject requests, or to report a concern, please contact:
Company: Macyou LLC (entity ID 445839503)
Jurisdiction: Georgia
Privacy contact: [email protected]
Website: macyou.co
EU Representative (GDPR Art. 27): [email protected] — vendor details published on /legal/imprint.
UK Representative (UK GDPR Art. 27): [email protected]
We aim to respond to all privacy inquiries within 30 days of receipt.
Version 2.1, effective May 15, 2026 (EU and UK GDPR Article 27 Representative section added to §13 Contact). Previous versions (2.0, April 20, 2026; 1.0, April 18, 2026) are available upon request at [email protected].