Privacy Policy
Last Updated: February 2026
EventCatalog Ltd is a company registered in England and Wales (company number 15764703). We are the data controller for the personal information described in this policy.
This policy explains what data we collect, why, and how we handle it. We collect very little - EventCatalog is self-hosted, so your content and data stay on your infrastructure.
1. Information We Collect​
Account and billing information - when you create an account or purchase a license, we collect your name, email address, company name, and billing details. Payments are processed securely by Stripe; we do not store full card numbers.
License validation data - the Software connects to EventCatalog's servers at build time to verify your license status. This connection transmits your license key and basic request metadata (such as IP address). No catalog content or user data is transmitted during validation.
Telemetry data - the Software collects limited, anonymised usage data during builds and catalog creation, including: build frequency, catalog creation events, and aggregate resource counts. This data is not linked to individual users or the content of your catalogs. There is currently no option to opt out of telemetry.
Website analytics - we collect anonymous, aggregate analytics on our website (eventcatalog.dev) to understand traffic and usage patterns.
2. Self-Hosted Users​
EventCatalog is a self-hosted product. Your documentation, diagrams, event definitions, schemas, and all other content remain entirely under your control on your own infrastructure. We do not access, store, or process any of that data.
The only data sent to EventCatalog from a self-hosted Instance is: (i) the license validation check at build time, and (ii) the anonymised telemetry described above.
We are not a data processor for any personal data you process through the Software. No Data Processing Agreement (DPA) is required.
3. How We Use Your Information​
We use your information for the following purposes:
- Account management - to create and maintain your account, manage your license, and communicate with you about your subscription.
- Payment processing - to process payments and comply with tax obligations.
- License validation - to verify that your license is valid and active.
- Product improvement - to understand how the Software is used in aggregate and improve it.
- Support - to respond to your enquiries and provide technical assistance.
4. Legal Basis (UK GDPR)​
We process your personal data on the following bases:
- Contract - processing your account and billing information is necessary to perform our contract with you (our Terms of Service).
- Legitimate interests - telemetry and analytics help us improve the product. We've assessed that this processing is proportionate given the data is anonymised and aggregate.
- Legal obligation - we retain billing records as required by UK tax law.
5. Third-Party Services​
We share information with the following providers, each of which processes data under its own privacy policy:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Billing and payment details |
| Supabase | Authentication and database | Account information, license data |
| PostHog | Product telemetry | Anonymised build and usage events |
| Simple Analytics | Website analytics | Anonymous page view data |
| Resend | Transactional email | Email address, message content |
We do not sell your data to anyone.
6. International Transfers​
Some of our third-party providers process data outside the UK. Where this occurs, we rely on appropriate safeguards as required by UK GDPR, including adequacy decisions and standard contractual clauses.
7. Data Retention​
- Account data - deleted within 90 days of account closure.
- Billing and payment records - retained for 7 years to comply with UK tax and legal obligations.
- Telemetry and analytics - stored only in anonymised, aggregate form.
- Support correspondence - retained for the duration of your subscription plus 12 months, then deleted.
8. Cookies​
Our website does not use cookies.
9. Data Security​
We store minimal personal data (email addresses, license keys, and account information) securely in Supabase. For details on infrastructure security, see Supabase's security documentation.
For self-hosted users, the security of your hosting environment and the data within it is your responsibility. We recommend keeping your EventCatalog installation up to date, as we regularly release security patches.
10. Your Rights​
Under UK GDPR, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your data (subject to legal retention requirements).
- Export your data in a portable format.
- Object to processing based on legitimate interests.
- Complain to the Information Commissioner's Office (ICO) at ico.org.uk if you believe your rights have been infringed.
To exercise any of these rights, contact us at support@eventcatalog.dev.
11. Children​
EventCatalog is a business product and is not directed at children. We do not knowingly collect personal data from anyone under 18.
12. Changes to This Policy​
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Website at least 30 days before they take effect. The "Last Updated" date above will always reflect the current version.
13. Contact​
For privacy-related questions, contact: support@eventcatalog.dev
EventCatalog Ltd Company registered in England and Wales (15764703).