Privacy Policy

Last updated: April 10, 2026

This Privacy Policy describes how Perfbase ("we", "us", "our") collects, uses, stores, and protects information when you use our platform. By using Perfbase, you agree to the practices described in this policy.

1. Information we collect

Account information

When you create an account, we collect:

  • Name and email address.
  • Password (stored as a bcrypt hash; we never store plaintext passwords).
  • Authentication provider details if you sign up via GitHub OAuth or SSO/OIDC (name and email from the identity provider).
  • Two-factor authentication secrets if you enable TOTP-based 2FA (stored encrypted).

Organization and billing information

  • Organization name and slug.
  • Billing email address.
  • Stripe customer ID and subscription identifiers. We do not store credit card numbers, bank account details, or full payment credentials. These are held by Stripe.

Profiling data

When the Perfbase PHP extension profiles your application, it collects:

  • Function call trees with timing data (wall time, CPU time).
  • Memory allocation and deallocation metrics.
  • Normalized database queries (SQL structure only; parameter values and query results are not captured).
  • Outbound HTTP request URLs (scheme, host, and path only; no query parameters, headers, or bodies).
  • Cache, queue, and other subsystem operation metadata.
  • System metrics (CPU usage, memory usage, disk I/O) sampled during the trace.
  • Custom attributes you explicitly set via the SDK (e.g., environment name, application version).

The extension is designed to avoid capturing sensitive data. It does not collect:

  • Database row contents, query results, or query parameter values.
  • Application user passwords, API keys, tokens, or secrets.
  • HTTP request or response bodies.
  • Session data or cookie values.
  • Environment variables or application configuration.
  • File contents read or written by your application.

Trace metadata

Each submitted trace includes metadata:

  • Action name (e.g., "GET /users", the URL path without query parameters).
  • HTTP method, URL path, and response status code.
  • Client IP address, user agent string, and hostname.
  • PHP version, application version, and environment name.
  • Timestamps (when the trace was created and when it was ingested).

Usage data

We collect standard web analytics when you use the Perfbase console:

  • Pages visited and features used.
  • Browser type and version.
  • IP address (used for security and rate limiting).

2. How we use your information

  • To provide the service: Store and process profiling data, render flame graphs and performance analysis, deliver alerts and notifications.
  • To manage your account: Authenticate you, manage organization membership and roles, process invitations.
  • To process payments: Manage subscriptions, send invoices, handle payment failures via Stripe.
  • To communicate with you: Send service notifications (payment receipts, trace limit warnings, trial expiry reminders, security alerts). We do not send marketing emails without your consent.
  • To maintain and improve the service: Monitor service health, diagnose issues, and improve performance.
  • To enforce our terms: Detect abuse, enforce rate limits and usage quotas, and protect the integrity of the platform.

3. Legal basis for processing (GDPR)

If you are in the European Economic Area (EEA) or United Kingdom, we process your data under the following legal bases:

  • Contract performance: Processing necessary to provide the service you signed up for (account management, profiling data storage, billing).
  • Legitimate interests: Service security, fraud prevention, product improvement, and usage analytics, balanced against your privacy rights.
  • Legal obligation: Where required to comply with applicable law (e.g., tax records, law enforcement requests).
  • Consent: Where we rely on your consent (e.g., optional marketing communications), you may withdraw it at any time.

4. Data sharing

We do not sell your data. We do not use your data for advertising. We share data only with the following categories of third parties, and only to the extent necessary:

  • Stripe: payment processing. Stripe receives your billing email and payment details. See Stripe's Privacy Policy.
  • Infrastructure providers: cloud hosting, object storage, and database services that store and process your data on our behalf. These providers act as data processors under appropriate data processing agreements.
  • Email delivery: transactional email service for password resets, invitations, and billing notifications.
  • Error monitoring: Sentry for application error tracking. Error reports may include request metadata but never profiling data content.
  • Law enforcement: when required by law, regulation, legal process, or enforceable governmental request.

We do not share profiling data with any third party for their own purposes.

5. Data retention

Profiling data

Trace data is retained according to your subscription plan's retention period:

  • Free plan: 1 day.
  • Basic plan: 14 days.
  • Pro plan: 90 days.

Traces are automatically and permanently deleted after the retention period expires. Trace binary data is stored in S3-compatible object storage and metadata in PostgreSQL, and both are purged on the same schedule.

Account data

Account information (name, email, organization settings) is retained for as long as your account is active. When you delete your account, all associated data is permanently deleted, including traces, organization settings, API keys, audit logs, and notification history.

Billing records

Payment records and invoices are retained by Stripe according to their retention policy and applicable tax law requirements.

Audit logs

Internal audit logs (account actions, billing events, access changes) are retained for security and compliance purposes and are deleted when no longer needed or upon account deletion.

6. Data storage and security

  • All data in transit is encrypted via TLS.
  • Profiling data is stored encrypted at rest in S3-compatible object storage.
  • Passwords are hashed with bcrypt.
  • API keys are signed JWTs scoped to specific organizations and projects.
  • Authentication tokens are short-lived with refresh rotation. Revoked tokens are blocklisted.
  • Rate limiting is applied to authentication endpoints (200 requests per 10 minutes) and API endpoints (3,000 requests per minute) to prevent abuse.
  • Webhook endpoints verify signatures cryptographically before processing.

While we implement industry-standard security measures, no system is perfectly secure. If you discover a security vulnerability, please report it to [email protected].

7. Cookies

We use essential service storage and limited analytics technologies:

  • Theme preference cookie: A functional cookie that keeps your theme choice consistent across Perfbase web properties such as perfbase.com and console.perfbase.com.
  • Authentication cookies: To maintain your login session (JWT stored in localStorage, not cookies, but functionally equivalent).
  • SSO state cookies: Temporary cookies during the SSO/OIDC authentication flow, automatically cleaned up after completion.
  • Analytics cookies and tags: Google Analytics may set cookies or similar identifiers to help us understand site traffic and page usage.

We do not use advertising cookies, and we do not sell personal data for ad targeting or cross-site advertising purposes.

8. Your rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Update or correct inaccurate personal data via your account settings or by contacting us.
  • Deletion: Delete your account and all associated data from account settings. This is immediate and irreversible.
  • Data portability: Export your profiling data via the API or request an export by contacting us.
  • Restriction: Request that we limit processing of your data in certain circumstances.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact [email protected]. We will respond within 30 days. We may ask you to verify your identity before processing your request.

9. International data transfers

Your data may be processed in countries outside your country of residence, including countries outside the EEA. Where we transfer data internationally, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, or transfers to countries with an adequacy decision.

10. Children's privacy

Perfbase is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact us at [email protected] and we will delete it promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a notice in the web console at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.

12. Data Protection Officer

For data protection inquiries, contact our Data Protection Officer at [email protected].

13. Supervisory authority

If you are in the EEA or UK and believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local supervisory authority. In the UK, this is the Information Commissioner's Office (ICO).

14. Contact

Questions about this Privacy Policy? Contact us at [email protected].