Privacy Policy

This Privacy Policy explains how SharpCrafters s.r.o. collects and uses personal data in connection with the website postsharp.net (the "Website"), the customer portal, and the PostSharp and Metalama software products (the "Software"). It covers visitors to the Website, people who hold or use an account, and developers who use the Software.

This Privacy Policy pertains to the latest versions of our products. Earlier versions may collect or transmit data differently.

Where this Privacy Policy conflicts with the License and Support Services Agreement (the "LSSA") or another agreement between you and us regarding a specific product or service, that agreement governs for the matters it covers.

1. Who is responsible (controller)

SharpCrafters s.r.o., registered office at Praha 5, nám. 14. října 1307/2, Postal Code 150 00, the Czech Republic, ID 28953690, registered in the Commercial Register maintained by the Municipal Court in Prague, Section C, File 155506, doing business as "PostSharp Technologies" ("we", "us", "our"), is the controller of the personal data described in this Privacy Policy.

For privacy questions or to exercise your rights, contact [email protected]. Our data protection contact is [email protected].

2. The personal data we collect, and why

2.1 Website visitors

When you browse the Website we collect, through analytics and server logs, technical data such as pages viewed, referring page, approximate location, device and browser type, and IP address.

We use Matomo analytics, provided by Matomo Cloud (InnoCraft) and served through our analytics.postsharp.net subdomain, to understand and improve how the Website is used. Our analytics are configured to minimize the personal data involved: the cookies are set as first-party cookies on our own domain; we anonymize IP addresses; the visitor identifier is a random value that we rotate every week, and reduce to session-only if your browser sends a "Do Not Track" signal; we strip identifiers such as license keys and newsletter-subscriber ids from the URLs and page titles we record; and we disable browser-feature fingerprinting.

Cloudflare operates as the reverse proxy and content-delivery network in front of our Website: all traffic to the Website passes through Cloudflare's network, which processes technical request data (including your IP address and request headers) for essentially every visitor. We also use Cloudflare for security and anti-bot protection (including an invisible Cloudflare Turnstile / Bot Management check).

We use Google reCAPTCHA to protect certain forms and sign-in against automated abuse, which sends device and interaction signals (including your IP address) to Google.

We make a reasonable, risk-based effort to limit the personal data we process. In particular, we do not use third-party advertising networks or cross-site tracking technologies, and we do not use cookies for advertising – we removed Google Analytics for this reason. The third parties named in this Policy provide security, anti-bot, performance, monitoring, payment, or communication functions, not advertising.

2.2 Forms you submit

When you request a quote, contact us, request support, or download the Software, we collect the information you provide, which may include your first and last name, company name, email address, country, job title, and (optionally) telephone number, together with the content of your request.

Public issue tracker. If you interact with us through our public issue tracker on GitHub, that platform is operated by GitHub under its own privacy policy. Anything you post there is publicly visible, so please do not include sensitive personal data or license keys.

2.3 Account holders and the Customer Portal

If you have an account, we process the data needed to manage your relationship with us, including: company name and billing/shipping address, tax/VAT number, account contacts (name, email, role) that you or your administrators create, your subscriptions and entitlements (including license keys, products, quantities and dates), and your invoices and order history. Account administrators can create, edit, and archive contacts and can manage source-code (Git) access credentials on behalf of the account; we keep an audit record of those administrative actions, which includes the email address of the person performing them.

Signing in. The portal uses one-time "magic links" sent to your registered email address; we do not use passwords. To operate this securely we briefly store a hashed token and a short verification code, and we log sign-in attempts (success, expiry, reuse, invalid code) to prevent abuse and apply rate limits.

The PostSharp and Metalama software collect data in the ways described below. The mechanism is the same in both products except where noted.

2.4 License audit

Both PostSharp and Metalama include a license-audit mechanism that works in much the same way, except for the use of our analytics provider, noted below.

Under the terms of licenses subject to it (LSSA §5.7), the software sends a daily usage report that lets us count the number of distinct daily users — the metric on which these licenses are priced. Each report contains the license key, the license type, the product edition, build date and version, the date of use, a one-way hash of your operating-system user name, and a one-way hash of a machine identifier that rotates monthly.

These reports are sent to our own servers (bits.postsharp.net), where the full license key is used to verify license compliance and count distinct users. For Metalama, a copy containing only the pseudonymous identifiers — never the license key, in any form — is additionally sent, through an independent channel, to our analytics provider Matomo Cloud (InnoCraft) for aggregate statistics. PostSharp sends its reports only to our own servers, never to Matomo.

License audit does not transmit a usage description or your source code.

We do not collect your IP address as a data field; as with any network request, your IP is visible at the point of contact, where it is anonymized, and we do not store it.

2.5 Telemetry

Telemetry (also called the Customer Experience Improvement Program) collects technical and diagnostic data to help us improve the products: computer and operating-system configuration, feature usage, performance and reliability data, project metrics, and redacted error reports.

Reports carry randomly generated, pseudonymous identifiers that rotate monthly, and we use a separate salt for each destination, so that telemetry data cannot be linked to license-audit data. We also use different salts between our own servers and Matomo.

In PostSharp, telemetry is off by default: it is available on Windows only, you are asked whether to enable it, and it runs only if you turn it on.

In Metalama, telemetry is on by default and can be turned off at device level, user level, or repository level.

We do not collect your source or compiled code. Telemetry is sent to our own servers over an encrypted channel. For Metalama, it is additionally sent, through an independent channel, to Matomo Cloud (InnoCraft); PostSharp telemetry is not sent to Matomo.

2.6 Exception and performance reports

Unless you opt in for automatic sending, you can review error reports before they are uploaded to our servers. Error reports are minimized before upload: we omit the exception message and any exception data, and we remove identifying data such as file paths, type names and namespaces, and recognizable secrets.

We do not store your IP address with the reports sent to our servers. On Matomo, IP addresses are truncated.

2.7 News feed

PostSharp and Metalama periodically fetch a product news feed from our servers to display announcements. We do not collect any data through this feature; as with any web request, your IP address is visible to our server at the point of contact, but we do not use it to build a profile and we do not store it.

The news feed can be turned off using a user setting. If telemetry is disabled at machine- or repository-level, the news feed is also disabled.

2.8 Purchases

Online purchases are processed by our payment provider, PayPro Global (located in Canada), which acts as the merchant of record. When you place an order, we transfer the order and customer data you provided (such as name, company, billing address, and the products purchased) to PayPro to complete the purchase; PayPro collects your payment details directly and returns the completed order, including billing data, to us so we can fulfil it and issue invoices. We do not receive or store your payment card details – card payments are handled entirely by PayPro under its own privacy terms. Purchases can also be made by bank transfer.

Our PDF quotes and invoices are generated from HTML by EuroPDF, a document-rendering service operated by DIE ANTWORT and hosted in Germany. The content we send it (which includes your name, company, and billing details) is deleted immediately after the PDF is produced.

2.9 Communications and marketing

We use your email address to send transactional and service messages relating to your account, orders, and the Software. If you subscribe to our newsletter, we process your email address (and any details you provide) for that purpose; you can unsubscribe at any time. You can subscribe to the newsletter from the Website. Our newsletter is operated using a third-party email service, Kit (operated by ConvertKit, LLC).

3. Legal bases

We rely on the following legal bases under the GDPR: performance of a contract (managing your account, subscriptions, orders, invoices, support, the portal, and Automatic License Auditing, which is a condition of the licenses subject to it under the LSSA); legitimate interests (securing and improving the Website and Software, Website and application analytics, and fraud and abuse prevention – balanced against your interests); consent (the newsletter, and PostSharp telemetry, which you can withdraw at any time); and compliance with legal obligations (for example, retaining invoices under tax law).

4. Cookies and similar technologies

We use first-party cookies for analytics and for security / anti-bot protection. We do not use third-party advertising or cross-site tracking cookies. Security and anti-bot components from Cloudflare, and Google reCAPTCHA, may set or read their own cookies and receive your IP address as part of providing those functions.

  • analytics_visitor_id (Matomo, first-party) – a random visitor identifier; rotated weekly (expires the following Monday), or session-only if "Do Not Track" is enabled.
  • human_verified (first-party) – records that an anti-bot check was passed so it need not be repeated; up to 365 days.
  • cf_clearance (Cloudflare) – set when a security / anti-bot challenge is passed, so it is not repeated; short-lived.

You can block or delete cookies in your browser; some Website features may then work less well. We do not rely on the browser "Do Not Track" signal as it is not consistently supported.

5. Children

The Website and Software are intended for professional and business use and are not directed to children. We do not knowingly collect personal data from children.

6. Recipients and processors

We do not sell your personal data. We share it only as needed to operate our business, with the categories of recipients below, and where required by law (for example, to comply with a court order or to protect our rights). We may disclose your name, company affiliation, email address, and telephone number to our authorized reseller for your region. In a merger, acquisition, or sale of the business, our successor will be bound by this Privacy Policy.

  • Microsoft – Azure (hosting and infrastructure), Microsoft 365 / Office 365 (business email and document storage and collaboration, which may contain your correspondence and details), and Dynamics 365 (CRM – customer and order records). Hosted in the EU.
  • InnoCraft / Matomo Cloud – provides our Website analytics (via analytics.postsharp.net) and receives pseudonymous license-audit and telemetry beacons from the Metalama software (postsharp.matomo.cloud), hosted in the EU. These beacons do not include the license key, in any form. Metalama telemetry is also sent, through an independent channel, to our own bits.postsharp.net. PostSharp license-audit and telemetry go only to our own servers (licensing.postsharp.net, bits.postsharp.net), not to Matomo.
  • Cloudflare – reverse proxy / CDN in front of the Website: all traffic passes through it, so it processes technical request data (IP address, headers) for essentially all visitors; also security / anti-bot protection (Bot Management, Turnstile). United States; see Section 7.
  • Google – reCAPTCHA (bot protection on forms and sign-in). United States; see Section 7.
  • PayPro Global – online payment processing / merchant of record. Canada; see Section 7.
  • Amazon Web Services – transactional email delivery (SES). Hosted in the EU.
  • EuroPDF / DIE ANTWORT – renders our PDF quotes and invoices from HTML; the document content is deleted immediately after rendering. Hosted in Germany (EU).
  • Kit (ConvertKit) – newsletter delivery, if you subscribe. United States; see Section 7.
  • Our authorized resellers – for customers who purchase through a reseller, and for regional reseller referrals.

7. International transfers

Where we transfer personal data outside the European Economic Area, we rely on an appropriate safeguard under Chapter V of the GDPR – Standard Contractual Clauses, the EU–US Data Privacy Framework, or an adequacy decision, as applicable to each recipient.

Recipients that process data outside the EEA:

  • Cloudflare (United States) – reverse proxy / CDN, security / anti-bot; under Cloudflare's standard data protection terms, relying on Standard Contractual Clauses / the EU–US Data Privacy Framework.
  • Google (United States) – reCAPTCHA; under Google's data protection terms, relying on Standard Contractual Clauses / the EU–US Data Privacy Framework.
  • Kit / ConvertKit (United States) – newsletter delivery; under Kit's standard data protection terms, relying on Standard Contractual Clauses.
  • PayPro Global (Canada) – payment merchant of record; Canada benefits from an EU adequacy decision, and the transfer is also necessary to perform the purchase you requested.

Recipients and infrastructure within the EU (no international transfer):

  • Microsoft – Azure, Microsoft 365, and Dynamics 365 (EU).
  • Amazon Web Services – SES transactional email (EU).
  • EuroPDF / DIE ANTWORT – PDF rendering of quotes and invoices (Germany, EU).
  • Matomo Cloud / InnoCraft – Website analytics and Metalama beacons (EU; InnoCraft, as a New Zealand entity, also benefits from an EU adequacy decision).
  • Our own servers – licensing.postsharp.net and bits.postsharp.net (EU).

8. Retention

We keep personal data only for as long as necessary for the purposes described in this Privacy Policy and to meet our legal obligations:

  • Invoices and accounting records – 10 years, as required by Czech accounting and tax law.
  • Customer identity, address, and contracts – 10 years after the last invoice, as part of the accounting record.
  • Orders, license keys, and contact records – 3 years after the last order.
  • Sign-in logs (kept for security and abuse detection) – 3 months. Magic-link tokens and verification codes expire within minutes.
  • Telemetry and license-audit data – 24 months for raw data; aggregated, anonymized data may be kept indefinitely.
  • Website analytics (Matomo) – 730 days for raw data; aggregated data may be kept indefinitely.

When personal data is no longer needed, we delete or anonymize it.

9. Your rights

Subject to applicable law, you have the right to access, correct, update, or delete your personal data, to restrict or object to certain processing, to data portability, and to withdraw consent where processing is based on consent. You can manage much of your account data by signing in to the customer portal, or contact [email protected] and we will respond within the time required by law. You also have the right to lodge a complaint with a supervisory authority; in the Czech Republic this is the Office for Personal Data Protection (Úřad pro ochranu osobních údajů).

10. Security

We take reasonable technical and organizational measures to protect personal data against unauthorized access, use, or disclosure, including access controls and encryption in transit. Access to systems holding personal data is limited to authorized personnel and contractors. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. For more detail on how we handle security issues in the Software, see our Security policy.

11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The current version, with its effective date, is always available on this page. Minor or clarifying changes take effect when posted. For material changes – such as new purposes, new categories of recipients, or a change of legal basis – we will give reasonable notice by appropriate means, which may include a notice on the Website or in the customer portal; where a change requires your consent, we will obtain it before that change applies to you. This Privacy Policy is governed by the laws of the Czech Republic.