Privacy Policy

This Privacy Policy describes how [Your Legal Name / Company] (referred to as "we," "us," or "SysML Studio") collects, uses, and protects your personal data when you use the SysML Studio service available at sysml.pro (the "Service"). We are committed to protecting your privacy and complying with applicable data protection laws worldwide, including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and Chile's Ley 19.628 (as amended by Ley 21.719).

If you have any questions about this policy, contact us at privacy@sysml.pro.

1. Who we are

Data controller: [Your Legal Name / Company], [Your Address], [City, Country]

Data Protection Officer: dpo@sysml.pro

Legal contact: legal@sysml.pro

2. Data we collect

We collect only the data needed to provide and improve SysML Studio. Specifically:

2.1 Account data

  • Email address — required for authentication, password recovery, and important service notifications.
  • Password hash — stored exclusively by our authentication provider (Supabase) using industry-standard hashing (bcrypt). We never see or store plaintext passwords.
  • Display name (optional) — if you sign in with Google OAuth, we receive your name as provided by Google.

2.2 Content you create

  • Diagrams and projects — the SysML v2 code, diagram types, element positions, titles, and collaboration metadata you create.
  • Sharing tokens — unique identifiers that let you share projects with others.

2.3 Technical data (collected automatically)

  • IP address — logged by our hosting provider (Cloudflare) and error-monitoring service (Sentry) for security and debugging.
  • User-agent (browser and OS) — for compatibility troubleshooting.
  • Approximate country — derived from IP address by Cloudflare Web Analytics (cookieless, aggregated).
  • Error reports — JavaScript exceptions, stack traces, and breadcrumbs captured by Sentry when something goes wrong.

2.4 Usage data (only with your consent)

  • Session Replay — if you accept analytics cookies, Sentry records masked interactions (clicks, scrolls) on a small percentage of sessions to help us reproduce bugs. Text content and media are always masked.
  • Product usage events — which features you use and how often, without capturing the content of your diagrams.

3. Why we collect it (legal basis under GDPR)

  • Contract performance (Art. 6(1)(b)): authentication, saving your work, collaboration, and all core functionality.
  • Legitimate interest (Art. 6(1)(f)): security monitoring, error tracking, fraud prevention. You may object at any time, but disabling these would degrade the service's safety.
  • Consent (Art. 6(1)(a)): Session Replay, product analytics, and any marketing communication. You can withdraw at any time.
  • Legal obligation (Art. 6(1)(c)): responding to lawful government requests, tax records.

4. Who we share it with (subprocessors)

We use the following third-party services to operate SysML Studio. Each is a data processor acting on our instructions under a Data Processing Agreement (DPA):

  • Supabase Inc. (USA) — authentication, database, realtime collaboration. Data location: EU region when available.
  • Sentry (Functional Software, Inc.) (USA, with EU data residency in Frankfurt) — error monitoring, session replay, user feedback. Our DSN routes to ingest.de.sentry.io.
  • Cloudflare, Inc. (USA) — content delivery, DDoS protection, cookieless Web Analytics.
  • Google LLC (USA) — only if you choose to sign in with Google OAuth.

We do not sell your personal data to anyone. We do not share your data with advertisers. We do not use your diagrams to train machine-learning models.

5. International transfers

Because some of our subprocessors are based in the United States, your data may be transferred outside the European Economic Area. Where this happens, transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, and additional safeguards recommended by the EDPB. For users in the EU/EEA, we prefer EU data residency wherever our providers offer it (e.g., Sentry events go to Frankfurt).

6. How long we keep it

  • Account and diagrams: for as long as your account is active.
  • After account deletion: 30 days in encrypted backups, then permanently deleted.
  • Error reports: 90 days.
  • Session replay recordings: 30 days.
  • Usage events: 24 months, in aggregated form after 6 months.
  • Support conversations: 2 years.

7. Your rights — European Union (GDPR)

If you are in the EU/EEA, Switzerland, or the UK, you have the right to:

  • Access your personal data (Art. 15).
  • Rectify inaccurate or incomplete data (Art. 16).
  • Erase your data ("right to be forgotten," Art. 17).
  • Restrict processing in certain situations (Art. 18).
  • Portability — receive your data in a machine-readable format (Art. 20).
  • Object to processing based on legitimate interest (Art. 21).
  • Withdraw consent at any time, without affecting the lawfulness of prior processing.
  • Lodge a complaint with your local supervisory authority.

To exercise these rights, email privacy@sysml.pro. We will respond within 30 days. In most cases, you can exercise access, erasure, and portability directly from the app: sign in, open the user menu, and choose "Export my data" or "Delete my account."

8. Your rights — California residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by CPRA) gives you additional rights:

  • Right to know what personal information we collect, the categories of sources, the business purposes, and the categories of third parties with whom we share it. All of this is disclosed in sections 2–4 above.
  • Right to delete the personal information we have collected from you, subject to certain legal exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing. We do not sell or share your personal information as those terms are defined under California law. We do not engage in cross-context behavioral advertising.
  • Right to limit the use of sensitive personal information. We do not use sensitive personal information for any purpose beyond providing the service.
  • Right to non-discrimination for exercising any of these rights.

To exercise any of these rights, email privacy@sysml.pro with the subject line "California Privacy Request." We will verify your identity before acting on the request.

Global Privacy Control: we honor the Sec-GPC header and navigator.globalPrivacyControl signal. If your browser sends this signal, we automatically treat analytics cookies as declined.

9. Your rights — other U.S. state residents

If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, New Hampshire, New Jersey, Iowa, Indiana, Tennessee, or Minnesota, you have rights substantially similar to those listed in Section 8 above — including the rights to access, delete, correct, and port your personal data, and to opt out of targeted advertising and sales (again, we engage in neither). To exercise these rights, email privacy@sysml.pro.

10. Your rights — Chile and LATAM

If you are a resident of Chile, your rights under Ley 19.628 (as amended by Ley 21.719, which takes effect in 2026) include access, rectification, cancellation (deletion), and opposition (the "ARCO" rights). You may also file a complaint with the Chilean Data Protection Agency once it is fully operational. Contact us at privacy@sysml.pro to exercise your rights.

Residents of Brazil (LGPD), Colombia (Ley 1581), Argentina (Ley 25.326), and Mexico (LFPDPPP) enjoy analogous rights and may also contact us at the same address.

11. Children's privacy (COPPA)

SysML Studio is not directed to children under 13, and we do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact privacy@sysml.pro and we will delete it immediately.

12. Security

We take reasonable and appropriate technical and organizational measures to protect your data: HTTPS (TLS 1.3) everywhere, HSTS preloading, Content Security Policy, subresource integrity, encrypted-at-rest storage at Supabase, regular backups, and a strict least-privilege access model. No system is perfectly secure, but we continuously improve our posture and welcome vulnerability reports at security@sysml.pro (see also our security.txt).

13. Breach notification

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay and, where required by law, notify the competent supervisory authority within 72 hours (GDPR) or as required by applicable state breach-notification laws (including the New York SHIELD Act and California's breach notification law).

14. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced in-app at least 30 days before taking effect. The version number and last-updated date at the top of this page always reflect the current version.

15. Contact

For any privacy-related question or request, contact: