Privacy policy

Last updated: 4 May 2026

In short. nar.pub is a UK service that runs nar-herder instances for you. We hold your email, billing records, and the configuration of the deployments you create. We do not sell your data, market to you, or build profiles of you. Full details below.

nar.pub is a managed nar-herder service operated by Cyclic Systems Limited, a company registered in England and Wales (company number 16878561). This policy explains what personal data we hold about you when you use nar.pub, why, and what your rights are.

This policy covers data we control about you as a nar.pub customer. Content in your nar-herder deployment — including nar files in your own S3 bucket — is your own data; we hold and serve it on your behalf as your data processor. Use of nar.pub is also subject to our Terms and Conditions.

What we hold.

• Your email address (the only identifier we ask for).
• Authentication data: hashed login tokens, your TOTP secret if you set one up, hashed recovery codes.
• Billing records: invoices, balance entries, and — if you pay via Paddle — a customer and subscription identifier from Paddle.
• The configuration and operational state of the deployments you create.
• Error context when something goes wrong: request method, path, and headers with secrets redacted. We do not record request bodies.
• Application logs: method, path, status, and duration. Not your IP address — that's only visible to our hosting provider at the network edge.

Why. We process this data to operate the service you signed up for and to bill you for it (legal basis: performance of a contract). We also rely on legitimate interests for security and abuse prevention (rate limiting, error tracking, two-factor authentication), and on legal obligations to retain accounting records. Where we rely on legitimate interests, we have weighed your rights against ours and limited what we process to what a reasonable user would expect.

Providing your data. Your email address is a contractual requirement: without it we cannot create your account, send you login codes, or contact you about your deployment. Everything else (deployments you create, two-factor authentication, payment via Paddle) is optional and only processed if you choose to use it.

What we don't do. We do not sell your data. We do not use it for marketing, advertising, profiling, or automated decision-making. We only send transactional email — login codes, billing receipts, and service notices — never marketing email. We do not combine analytics data with your account. We do not knowingly process special-category data.

Analytics. We count visits to our public marketing pages so we can see what reaches visitors. Our analytics do not set cookies, do not record IP addresses, do not track visitors across sessions or sites, and are not loaded on signed-in pages. We respect your browser's "Do Not Track" setting. Legal basis: legitimate interest in understanding which pages reach visitors.

Cookies. We use a single strictly-necessary, HMAC-signed session cookie to keep you logged in. We do not set advertising or tracking cookies. Our analytics (see above) is cookieless.

Who we share it with. We use the following sub-processors:

• Fly.io: hosting and database (control plane and your deployments). Receives all data above.
• Resend: transactional email. Receives your email address, message subject, and body.
• Paddle: our merchant of record. When you pay, you go through Paddle's hosted checkout — Paddle collects your name, billing address, and payment details directly and is the data controller for them. We only receive your customer ID and subscription state. See Paddle's privacy policy at paddle.com/legal/privacy.

These are our only sub-processors today. We will update this list before adding any new ones.

International transfers. Some of these providers are based in the United States. Transfers rely on the UK International Data Transfer Addendum and EU Standard Contractual Clauses.

Disclosure to authorities. We may disclose your personal data if we are legally required to — for example in response to a valid court order or a regulatory request. We will tell you when this happens unless we are legally prevented from doing so.

Retention.

• Authentication tokens: deleted hourly once expired.
• Account and deployment data: kept while your account is open; deleted when you close it, except where we are legally required to keep something for longer.
• Billing records: six years, to meet UK accounting and tax obligations.
• Error reports: 90 days.
• Analytics events: 12 months.

Closing your account. You can close your account yourself from the Settings page once any running deployments have been destroyed. Email support@nar.pub if you have questions or problems. If you would like an export of your data first, ask and we will provide it.

Security. All connections to nar.pub use TLS. Authentication tokens and recovery codes are stored as hashes; session cookies are HMAC-signed; passwords are not used. Access to production infrastructure is limited to staff who need it. If a personal data breach is likely to result in a high risk to your rights, we will notify you without undue delay, as required by UK GDPR.

Your rights. Under UK GDPR you have the right to access, correct, delete, restrict, port, or object to our processing of your personal data, and to withdraw consent where consent is the basis. Contact us at privacy@nar.pub to exercise any of these. If you are unhappy with how we have handled your personal data — including how we have responded to a request you make under the rights above — you can complain to the UK Information Commissioner's Office (ICO) at ico.org.uk. We are not required to appoint a Data Protection Officer and have not done so; privacy enquiries are handled at the address above.

Children. nar.pub is a B2B service not directed at children, and we do not knowingly collect data from anyone under 13.

Changes. We will update the date above when this policy changes and notify account holders by email of any material change.

Contact. Cyclic Systems Limited, 71-75 Shelton Street, London, England, WC2H 9JQ. General support: support@nar.pub. Privacy enquiries: privacy@nar.pub.