Privacy Policy
Last updated: 27 June 2026. Applies to caisson.sh and the Caisson software.
Pending final legal review
This policy describes how Caisson handles your data. It is being finalized with legal counsel and may be updated as our data practices are formalized.
What we collect
Email address
When you subscribe to product updates or complete a purchase on this site, we collect your email address. That is the only piece of personally identifying information we ask for at the point of sign-up. Purchase checkout collects the additional information necessary to process payment and deliver your license entitlement (handled by our payment processor — we do not store raw payment card data).
Cloudflare infrastructure metadata
Caisson.sh is served through Cloudflare Pages and Cloudflare's global CDN. Cloudflare processes standard HTTP request metadata (originating IP address, user-agent, referring URL) for the purposes of routing, security filtering, and DDoS protection. This processing is governed by Cloudflare's privacy policy and the Cloudflare Data Processing Addendum. We do not receive or store individual IP addresses or user-agent strings ourselves.
Cookieless page-view analytics
We use Plausible Analytics to understand aggregate traffic patterns. Plausible is cookieless by design: it does not set cookies, does not fingerprint individual browsers, does not track visitors across sites, and does not collect personally identifiable information. The data Plausible reports is aggregate only (page paths, referrers, country-level geography, browser family). No consent banner is required for this analytics implementation.
Why we collect it
Email — product updates and account communications
We collect your email address to send you product-update notifications (new releases, changelog highlights, product news) and to deliver essential account communications such as purchase confirmations, license entitlements, and support correspondence. We will not send marketing email unrelated to Caisson, sell your address, or share it with third parties except as required to operate these communications (Resend — see Where your data lives, below).
Analytics — aggregate site improvement
Aggregate, anonymous page-view data helps us understand which documentation and marketing pages are useful. No individual is identifiable in the data we receive.
Lawful basis for processing
For users in the European Economic Area (EEA) or the United Kingdom, processing is carried out on the following bases:
- Email address (product updates) — consent. You provided your address by submitting the product-updates form, having been told at the point of submission that signing up means occasional product email. You may withdraw consent at any time by requesting deletion of your address (see Access, erasure, and portability, below).
- Email address (purchase / account) — contract. Processing is necessary to perform the contract of sale, deliver your license entitlement, and respond to support requests.
- Cloudflare infrastructure metadata — legitimate interest. Routing and security processing is necessary to deliver the site securely. No alternative exists that does not involve a CDN.
- Plausible analytics — legitimate interest. Cookieless, PII-free aggregate analytics carry a minimal privacy impact while providing a legitimate operational benefit. You may object by using a content blocker that targets plausible.io.
How long we keep it
We retain product-update subscriber email addresses until one of the following occurs:
- You unsubscribe or request deletion.
- We discontinue the product-update mailing list and have no further basis to retain it.
- Three years pass without any active communication (we will delete the record and notify you).
Purchase and account email addresses are retained for as long as required to fulfill the contract and comply with applicable tax and legal obligations, which may exceed the subscription retention period above.
Plausible retains aggregate analytics data per their own retention policy. Because no PII is collected by Plausible, no individual retention period applies on our end.
Where your data lives
Email — Resend
Email addresses are stored and managed by Resend, a transactional email infrastructure provider. Resend is a US-based company. EEA customers may request a Data Processing Addendum (DPA) covering Standard Contractual Clauses. Contact us at the address below if you require a DPA.
Site — Cloudflare
Caisson.sh is served from Cloudflare Pages across Cloudflare's global edge network. Cloudflare is certified under the EU-US Data Privacy Framework. Their data processing terms apply to request metadata processed at the edge.
Analytics — Plausible
Plausible Analytics is EU-based and stores aggregate data on servers in the EU. Because no PII is collected, no cross-border transfer assessment is required for this service.
Access, erasure, and portability
If you are in the EEA, UK, or another jurisdiction with data protection rights, you have the following rights with respect to personal data we hold:
- Access. Request a copy of the personal data we hold about you (in practice: your email address and the date it was submitted).
- Erasure. Request that we delete your email address from our records. We will action this within 30 days, subject to any legal retention obligations.
- Portability. Request your data in a machine-readable format (CSV or JSON). Given the minimal data held, this is a one-line response.
- Objection. Object to processing carried out under legitimate interest. We will assess the objection and respond within 30 days.
- Withdrawal of consent. Withdraw the consent on which product-update email processing is based at any time. This does not affect lawfulness of processing before withdrawal.
To exercise any of these rights, email privacy@gridwork.dev with the subject line “Data request — [right you are exercising]”. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority.
Changes to this policy
We will post material changes to this page and update the “Last updated” date. If the change materially affects how we use your email address, we will notify you by email before the change takes effect. Continued use of the site after notice constitutes acceptance of the updated policy.
Get in touch
GridWork Digital LLC
Atlanta, Georgia, USA
privacy@gridwork.dev
For general questions about the product, use the docs or the contact link in the site footer.