Legal

Privacy Policy

Last updated 1 July 2026

This policy explains what personal data Bowline collects when you use the Bowline website and dashboard, why we collect it, and the choices you have.

The short version: Bowline is built so your code, environment variables, and secrets stay under your control. We do not read them, and we never sell your data.

1. Who we are

Bowline is operated by Tristan Manchester ("Bowline", "we", "us"), an independent developer based in Germany. We are the data controller for the personal data described here. For anything in this policy, or to exercise your rights, email hello@bowline.sh.

2. What this policy covers

This policy covers the hosted Bowline service: the website at bowline.sh, your account, and the dashboard. The open-source Bowline CLI and daemon run on your own machines under the Apache 2.0 license. Software you run locally is not changed by this policy.

3. What we collect and why

We collect only what we need to run the service and bill for it. Each category below lists what we collect, who handles it, and our lawful basis under the GDPR.

  • Account and identity. When you sign in, our authentication provider (WorkOS) handles your name, email address, and login identifiers so we can create and secure your account. Basis: performance of our contract with you.
  • Billing. Payments run through Polar, which acts as the Merchant of Record. Polar collects and processes your payment details directly. We receive your subscription status and the invoices tied to your account, not your card number. Basis: performance of a contract.
  • Workspace and device metadata. To run sync and trust, we store records about the machines and agents you authorize, your workspace status and health, and the lifecycle of your Recovery Keys. Basis: performance of a contract.
  • Technical and log data. Our hosting provider (Cloudflare) processes standard request data, such as your IP address and basic request details, to keep the service secure and available. Basis: our legitimate interest in a secure, reliable service.
  • Support messages. If you email us, we keep your message and our reply so we can help and keep a record. Basis: our legitimate interest in answering you.

4. What we do not collect

Bowline is built so your work stays yours. Your source, environment variables, and secrets sync between the devices and agents you authorize. Where the service stores them, it stores them encrypted and cannot read their contents.

We do not use your code or environment for anything other than moving it where you told it to go. We do not sell it, and we do not use it for advertising or profiling.

5. Cookies

The website uses a small number of cookies to keep you signed in and to run the dashboard. Our authentication provider sets these, and the service needs them to work. We do not use advertising or cross-site tracking cookies.

6. Who processes data for us

We rely on a few providers to deliver the service. Each one only processes data for its part of the service, under its own privacy terms.

  • WorkOS handles authentication and account sign-in.
  • Polar handles payments and billing, as our Merchant of Record.
  • Convex runs the application database and backend.
  • Cloudflare provides hosting, content delivery, and security.

7. International transfers

Some of these providers are based in the United States. Where your data moves outside the European Economic Area, the transfer relies on the European Commission's Standard Contractual Clauses or another lawful transfer mechanism.

8. How long we keep data

We keep your account and workspace data for as long as your account is open. If you close your account, we delete or anonymize your personal data within a reasonable period, except where the law requires us to keep some records, such as invoices for tax and accounting. Technical logs are kept for a short period and then removed.

9. Your rights

Under the GDPR you can ask us to do the following with your personal data:

  • Get a copy of it (access).
  • Correct it if it is wrong (rectification).
  • Delete it (erasure).
  • Restrict or object to how we use it.
  • Receive it in a portable format, or have it sent elsewhere.
  • Withdraw consent at any time, where we rely on consent.

To exercise any of these, email hello@bowline.sh. You also have the right to complain to a data protection supervisory authority. In Germany, that is the data protection authority for your federal state.

10. Children

Bowline is a developer tool and is not directed at children. Do not use it if you are under 16.

11. Changes to this policy

We may update this policy. When we do, we change the date at the top. For material changes, we will give you notice through the service or by email before they take effect.

12. Contact

Questions about privacy? Email hello@bowline.sh and we will get back to you.