PyVMProtect - Privacy Policy

1. What we receive

When you use PyVMProtect you submit two kinds of data:

Account data. Email address and hashed password.
Source material. The Python files you upload for protection, plus any build configuration you set in the Forge.

In addition, like every web service, our servers automatically record technical logs (IP address, request timestamps, and request metadata) when you visit the site or call the API.

Providing an email address is required to create an account; without it we cannot provide the service. Everything else is provided only when you choose to use the corresponding feature.

2. Why we process your data

Everything we do with your data has a specific reason behind it:

Account data (email, password hash): needed to create and run your account.
Uploaded source code and build configuration: used for one thing only, performing the build you requested.
Build history metadata (timestamps, file sizes, target Python version): kept so you can see your past builds, and so we can keep the service secure and prevent misuse.
Abuse and malware screening (section 5): we screen submitted builds to stop the service from being used to produce malware, to protect other users and third parties, and to defend ourselves legally. Where the law requires us to cooperate with authorities, we do.
Technical server logs: kept for security, debugging, and abuse prevention.

None of this relies on your consent, so there is nothing to withdraw. If we ever add something that does rely on it, a newsletter for example, we will ask for it separately and you will be able to change your mind at any time.

3. How we store your source code

Your source code is treated as ephemeral build input, not as stored content.

Uploads travel over TLS and are written to an isolated job directory on our build infrastructure, located in France (European Union).
Each build runs in a per-job workspace. Workspaces are not shared across users or jobs.
Once the build finishes and the resulting .pyd is downloaded, the source files and build artefacts are deleted from disk.
If a build fails or is abandoned, the workspace is purged automatically within 24 hours.

Retention summary. Source code lives on our systems only for the duration of the build and long enough for you to download the protected output. It is not archived and not used to train any model. We do not create backups of your source code ourselves; our hosting provider's routine infrastructure backups may retain short-lived copies for up to 30 days before they roll off.

Personal data inside your uploads

Your source code may itself contain personal data, like names in comments or test data. That content stays your responsibility, and we handle it strictly on your behalf: we touch it only to perform the build you requested, under this policy and our Terms of Service, and we delete it as described above. Make sure you actually have the right to submit what you upload. The only thing we do with uploads on our own initiative is the abuse screening described in section 5.

4. Access

Access to the build infrastructure is restricted to operators of PyVMProtect acting under confidentiality obligations. We do not inspect customer source code as a matter of practice, and we do not share it with anyone except the service providers and circumstances described in this policy.

5. Malware and abuse

PyVMProtect is not a tool for malware authors. When automated or manual review identifies content that is plausibly malicious, abusive, or illegal, we reserve the right to:

Refuse the build and terminate the associated account.
Retain a copy of the submitted material for up to 12 months from detection, extended only while a specific law-enforcement request, investigation, or legal claim concerning it is pending.

This is the only scenario in which uploaded source code is kept beyond the normal build lifecycle. We disclose retained material only in response to requests that are valid and binding under European Union or French law.

Automated screening may flag or pause a build, but no account is terminated and no material is retained under this section without review by a human operator. If you believe a decision was made in error, contact privacy@pyvmprotect.com and a person will re-review it.

6. Account data and cookies

We store the minimum required to run your account: email, password hash, and build history metadata (timestamps, file sizes, target Python version). We do not sell this data. We use first-party cookies only for session management; these are strictly necessary cookies and require no consent banner.

7. Service providers and international transfers

We use a single service provider, who processes data on our behalf under a data-processing agreement:

Alwaysdata SARL (Paris, France), our web host. Production servers sit in datacenters in Paris, and daily backups are stored in a separate datacenter, also in the Paris region. Everything is hosted in the European Union, and Alwaysdata has its own Data Protection Officer.

We do not sell personal data and we do not share it with anyone else, except competent authorities where section 5 applies or where we are under a legal obligation to do so.

International transfers. All personal data is stored and processed within the European Union (France). We do not transfer personal data outside the EU. Web fonts and all page assets are served from our own domain, so visiting this site does not send your IP address to any third-party font or analytics service.

8. How long we keep data

Source code and build artefacts: duration of the build plus the download window; failed or abandoned builds purged within 24 hours (see section 3).
Account data and build history metadata: for as long as your account exists, then deleted within 30 days of account deletion.
Technical server logs: 12 months, then deleted.
Material retained under section 5 (abuse): 12 months from detection, extended only while a specific law-enforcement request, investigation, or legal claim concerning it is pending.
Hosting-provider backups: our host makes automatic daily backups of files, databases, and email, kept on a rolling basis for at most 30 days. Data deleted from our live systems therefore disappears from those backups automatically within at most 30 further days. Backups are used only for disaster recovery, never to restore deleted personal data.

9. Your rights

You can ask us at any time to see the personal data we hold about you, fix it, get a copy of it in a portable format, delete it, freeze its processing, or object to the processing we do for our own legitimate interests (including abuse screening). These rights apply to every user, wherever you are located. Just write to privacy@pyvmprotect.com. We will respond within one month; for complex requests this can stretch by up to two further months, and we will tell you if that happens. We may ask you to confirm control of your account email before acting on a request.

You can also complain to a data-protection authority. Ours is the French CNIL (Commission Nationale de l'Informatique et des Libertés), www.cnil.fr, though you can just as well go to the authority of your own EU member state.

Account deletion removes your login and build history within 30 days, after which copies in rolling host backups expire automatically (see section 8). One exception: material retained under section 5 while an abuse or law-enforcement matter is pending. Source code uploaded during your use of the service has already been deleted as described in section 3, so no separate deletion step is required for it.

10. Self-hosted option

For organisations that cannot send source code to a third party, we offer a self-hosted build of the compiler. In that configuration your code never leaves your own infrastructure : no uploads, no build servers, no data sharing. Contact sales to discuss this option.

11. Changes to this policy

If we change how we handle data, we will update this page and record the change date at the top. Material changes will be announced in-product before they take effect.

12. Controller and contact

PyVMProtect is operated as a personal project by an individual based in France, who is the data controller for all processing described in this policy. For privacy questions and any of the requests described in section 9, write to privacy@pyvmprotect.com. We do not have a Data Protection Officer; a service of this size is not required to appoint one, and the contact above handles all privacy matters.

The service is hosted by Alwaysdata SARL, 91 rue du Faubourg Saint-Honoré, 75008 Paris, France.