Privacy Policy

Last updated: March 22, 2026

1. Introduction

Boxmarshall LLC ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Reoclo platform ("the Platform"). We have designed our systems with data protection principles at their core, in alignment with the General Data Protection Regulation (GDPR) and applicable data protection laws.

2. Data Controller

Boxmarshall LLC is the data controller for personal data processed through the Platform. For questions or requests regarding your data, contact our data protection team at [email protected].

3. Data We Collect

We collect and process the following categories of personal data:

Account Information

Email address, name, and organization membership. These are provided during account provisioning by your administrator.

Authentication Data

Hashed passwords (PBKDF2-SHA256 with per-user salt), WebAuthn security key registrations, and session tokens. We never store plaintext passwords.

Infrastructure Configuration

Server connection details (hostnames, IP addresses), application configurations, domain names, and deployment settings you provide to the Platform.

Encrypted Secrets

Environment variables, SSH keys, and registry credentials. These are encrypted at rest using AES-256-GCM envelope encryption and are only decrypted in isolated worker processes during deployment operations.

Audit Logs

Records of actions taken within the Platform, including who performed the action, what changed, and when. Sensitive field values are excluded from audit output.

Operational Logs

Container logs and system journal logs from your servers, when you use our log management features. These logs originate from and belong to your infrastructure.

Usage Data

Platform usage patterns such as login timestamps, feature usage, and API request metadata. We do not use third-party analytics or tracking tools.

4. How We Use Your Data

We process your personal data for the following purposes:

  • Service delivery: To operate the Platform, deploy your applications, manage your servers, and provide the features you use.
  • Authentication and security: To verify your identity, manage sessions, and protect your account from unauthorized access.
  • Audit and compliance: To maintain audit trails of actions taken within the Platform for accountability and security purposes.
  • Communication: To notify you of service changes, security events, or incidents affecting your infrastructure.
  • Platform improvement: To understand usage patterns and improve the Platform. We do not sell your data or use it for advertising.

5. Legal Basis for Processing

We process your data under the following legal bases (GDPR Article 6):

  • Contractual necessity: Processing required to provide the Platform services you or your organization have contracted for.
  • Legitimate interest: Security monitoring, fraud prevention, and Platform improvement, balanced against your privacy rights.
  • Legal obligation: Where we are required to retain data by law.

6. Data Storage and Security

We implement the following technical measures to protect your data:

  • Encryption at rest: All secrets (environment variables, SSH keys, registry credentials) are encrypted using AES-256-GCM with an envelope encryption pattern (KEK/DEK).
  • Encryption in transit: All connections to the Platform use TLS. WebSocket connections for terminal access and real-time updates are encrypted.
  • Password security: Passwords are hashed using PBKDF2-SHA256 with unique per-user salts. We never store or log plaintext passwords.
  • Tenant isolation: Data is logically isolated between tenants at the database level. Cross-tenant data access is prevented by design.
  • Minimal privilege: Secrets are only decrypted in isolated worker processes during the specific operations that require them.

7. BYOS Model and Your Data

Reoclo operates on a Bring Your Own Server model. Your applications, application data, and container workloads run entirely on infrastructure you own and control. We do not have access to your application databases, user data, or business data unless you explicitly configure the Platform to collect logs from those systems.

When you use browser terminal access, commands are relayed through the Platform but are not logged or stored by us. The terminal session exists only for the duration of your connection.

8. Data Sharing

We do not sell, rent, or trade your personal data. We may share data only in the following circumstances:

  • Within your organization: Tenant administrators can view team member accounts and audit logs within their tenant.
  • Infrastructure providers: We use third-party infrastructure to host the Platform (not your servers). These providers process data under our instructions and appropriate data processing agreements.
  • Legal requirements: If required by law, court order, or regulatory authority, we may disclose data as necessary to comply.

9. Data Retention

We retain your account data for the duration of your organization's use of the Platform. Audit logs are retained according to your organization's configured retention policy. Upon account termination, you may request a full data export within 30 days. After this period, we will delete your personal data from our active systems within 90 days, except where retention is required by law.

10. Your Rights

Under GDPR and applicable data protection laws, you have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate personal data.
  • Erasure: Request deletion of your personal data, subject to legal retention requirements.
  • Portability: Receive your data in a structured, machine-readable format.
  • Restriction: Request that we limit how we process your data in certain circumstances.
  • Objection: Object to processing based on legitimate interest.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

11. Cookies and Local Storage

The Platform uses httpOnly cookies for authentication session management. We use browser local storage for user preferences such as theme selection. We do not use advertising cookies, third-party tracking cookies, or analytics cookies.

12. International Data Transfers

If your data is transferred outside the European Economic Area, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via the Platform dashboard or email at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

14. Supervisory Authority

If you are located in the European Economic Area or the UK and believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local data protection supervisory authority.

15. Contact

For any questions about this Privacy Policy or your personal data, contact us at [email protected].