Legal
Privacy Policy
EZLogs is a product that captures activity from your applications and turns it into plain-English logs. This policy explains what data we collect, why we collect it, where we store it, and what rights you have over it.
1. Who we are
EZLogs is operated by Razvan Dezsi, a sole trader and tax resident in Spain (NIE Y8228368V). For privacy-related questions, contact hello@ezlogs.io.
For the purposes of the EU General Data Protection Regulation (GDPR), Razvan Dezsi is the data controller for personal data we collect about you (the EZLogs customer). For the event data your application sends to EZLogs, we act as a data processor on your behalf — see Section 5.
EZLogs has not designated a Data Protection Officer because we fall below the thresholds set out in Article 37 GDPR (we do not carry out large-scale processing of special-category data and our core activities do not require regular and systematic monitoring of data subjects on a large scale). The privacy contact above is your point of contact for all data-protection matters.
2. What data we collect
2.1 Account data
When you sign up for an EZLogs account we collect:
- Email address — used for authentication, billing receipts, and product communication.
- Hashed password — we never store plaintext passwords; they are hashed with bcrypt before being written to the database.
- Organization / company name — the workspace label you choose.
- Billing information — processed by Stripe; we never see or store your card number. We receive only the last four digits, card brand, country, VAT ID (if you supply one), and billing email.
2.2 Event data sent by your application
The EZLogs agent (Ruby gem ez_logs_agent or npm package ezlogs-nextjs) sends us structured events about activity inside your application. Each event contains:
- HTTP request metadata (path, method, status code, duration, requesting user ID if your app sets one).
- Background job metadata (job class name, queue, duration, success/failure).
- Database change metadata (table name, primary key, the operation, and a redacted set of before/after column values).
We do not store request bodies, response bodies, or full database rows unless you explicitly opt in. Field-level redaction is on by default at the agent for any column or parameter whose name matches password, token, secret, api_key, credit_card, and additional patterns we widen over time. You are responsible for configuring the agent’s sensitive-keys list to cover any further fields that carry personal data your end users would not expect us to see.
Because the event data describes actions performed by your end users, it may include personal data about individuals who never interact with EZLogs directly (for example, the email of one of your customers whose action triggered a captured event). For the purposes of Article 14 GDPR, the source of this data is your application, and the lawful basis for its processing is the contract we have with you as the data controller (Section 3). You remain responsible under your own privacy notice for informing your end users that you use EZLogs as a processor.
2.3 Technical data
When you use the EZLogs web application, our servers automatically log standard technical information: IP address, browser type, pages visited, timestamps. We use this only to operate and secure the service, and we delete these logs after 90 days.
2.4 Cookies and analytics
We use one strictly necessary cookie (your authentication session) and, if you accept analytics, we load Google Analytics 4 to measure aggregate site usage. We do not load Google Analytics unless you accept the cookie banner. See Cookies below for the full list.
3. Why we use your data (legal bases)
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Provide the EZLogs service to you | Account data, event data | Contract (Art. 6(1)(b)) |
| Bill you and comply with tax law | Billing data | Contract + legal obligation (Art. 6(1)(b), (c)) |
| Secure the service against abuse | Technical data, account data | Legitimate interest (Art. 6(1)(f)) |
| Send product updates and security notices | Email address | Legitimate interest (Art. 6(1)(f)); opt-out anytime |
| Measure aggregate website usage | Analytics cookies | Consent (Art. 6(1)(a)) — via the cookie banner |
4. Where your data lives
All EZLogs production data is stored in the European Union, specifically on servers operated by Hetzner Online GmbH in Germany. Backups are stored in the same jurisdiction. Some of the subprocessors listed in Section 5 are based in the United States; transfers to those subprocessors are governed by the European Commission’s Standard Contractual Clauses (Decision (EU) 2021/914), with supplementary technical measures (encryption in transit, minimized payloads, contractual no-training terms for AI providers) as described in our DPA.
5. Third parties (subprocessors)
To run EZLogs we rely on a small number of trusted service providers. Each one only receives the data it needs to perform its function. The current list is published at ezlogs.io/subprocessors and we will notify you of material changes in advance.
For the AI-generated explanations feature: when EZLogs renders a plain-English explanation of an action, the structured (already-redacted) event data is sent to a large-language-model provider — currently Anthropic, PBC and/or OpenAI, L.L.C., both US-based — for the explanation generation. We use these providers’ commercial API tiers, whose terms contractually prohibit training models on inference inputs (Anthropic Commercial Terms; OpenAI Business Terms). We cache and reuse explanations so the same event is not sent twice.
We do not sell customer data. We do not license it, trade it, or share it with any third party for any purpose other than the operation of the service as described above and in our subprocessor list. We do not use customer event data to train our own machine-learning models.
6. Cookies
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
_session (app) | Keeps you signed in | Session / 30 days | Strictly necessary |
ezlogs.cookieConsent (localStorage) | Remembers your cookie choice | Persistent | Strictly necessary |
_ga, _ga_* | Google Analytics 4, aggregate usage | Up to 13 months | Analytics (opt-in) |
7. How long we keep your data
- Account data: for as long as your account is active. When you delete your account through Settings → Profile, or when an admin deletes your company through Settings → Company, the records are permanently deleted from the live database within minutes; there is no recovery window. Backups age out within 14 days (Section 9).
- Event data: per the retention window of your plan — 14 days (Free), 30 days (Solo), 90 days (Team), 180 days (Business), or 365 days (Scale; custom on Enterprise). Older events are automatically deleted by a daily prune job.
- Billing records: 7 years, as required by the EU VAT Directive (2006/112/EC, Art. 244–250) as implemented in Spanish tax law (Ley General Tributaria 58/2003).
- Technical logs: rotated automatically; live logs retained no longer than 90 days, backups no longer than 14 days.
8. Your rights
Under GDPR you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your account and personal data ("right to be forgotten").
- Export your account data in a portable format.
- Object to or restrict certain processing.
- Withdraw consent (e.g. analytics) at any time.
- Lodge a complaint with your local data protection authority. In Spain, that is the Agencia Española de Protección de Datos.
To exercise any of these rights, email hello@ezlogs.io. We will respond within 30 days.
9. Automated decision-making
EZLogs does not make decisions that produce legal effects or similarly significant effects on you using automated processing alone (GDPR Article 22). Our AI features (action explanations, chat answers) are informational narratives generated for human readers; they do not determine outcomes for you or anyone else. Account-level decisions such as suspension or termination are made by humans.
10. Security
We protect your data with TLS 1.2+ in transit, filesystem encryption at rest on our production hosts, bcrypt-hashed credentials, SSH-key-only access to production, multi-tenant isolation enforced at every database query, and rate-limiting against abuse. The architectural foundation is that EZLogs is read-only by design — we never write back into your application. See our Security page and our DPA Section 9 for full detail.
11. Children
EZLogs is a B2B developer tool and is not directed at children under 16. We do not knowingly collect personal data from children. If you become aware that a child has used the service, contact us and we will delete the account.
12. Changes to this policy
We may update this policy as the product evolves. The effective date at the top reflects the most recent change. For material changes we will email account owners at least 14 days before they take effect.
13. Contact
Privacy questions: hello@ezlogs.io. Postal address available on request. Spanish data subjects may also lodge complaints with the Agencia Española de Protección de Datos (AEPD).
← Back to home