Privacy Policy
Last updated: February 14, 2026
1. Data Controller
FireCustos ("we", "our", "us") is a project operated by an individual based in Bosnia and Herzegovina. We are the data controller for your personal data under applicable data protection law (BiH Personal Data Protection Law / GDPR for EU-based users).
- Email: [email protected]
- Web: firecustos.com
For firefighter personal data entered into the system by a Department, the Department is the data controller and FireCustos acts as the data processor under applicable data protection law.
2. What Data We Collect
- Account data: first name, last name, email address, password (hashed), department name, system role.
- Firefighter profiles: first name, last name, contact details, date of birth, competencies and certifications.
- Operational data: interventions, incidents, vehicles, equipment, service records, fuel logs, wiki pages.
- Usage analytics: pages visited, device, and country, collected via PostHog (only with your consent). PostHog is hosted in the EU.
- Technical data: IP address, browser type, operating system (recorded in server access logs).
3. Purpose and Legal Basis for Processing
| Purpose | Legal Basis |
|---|---|
| Providing the service (account management, department data) | Performance of contract (GDPR Art. 6(1)(b)) |
| Sending system notifications and emails | Performance of contract (GDPR Art. 6(1)(b)) |
| Usage analytics | Consent (GDPR Art. 6(1)(a)) |
| System security and abuse prevention | Legitimate interest (GDPR Art. 6(1)(f)) |
| Compliance with legal obligations | Legal obligation (GDPR Art. 6(1)(c)) |
4. Data Retention Periods
- Account data: retained while your account exists. After deletion, data is permanently removed within 30 days.
- Operational data: retained while the department account exists.
- Server access logs: 90 days.
- Analytics data: PostHog retains data for up to 12 months.
5. Third-Party Processors
We share your data only with service providers necessary for operating the platform:
| Provider | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Server and database hosting | Falkenstein, Germany (EU) |
| Brevo (Sendinblue) | Transactional email | EU |
| PostHog | Usage analytics (consent-only) | EU (Frankfurt) |
| Cloudflare | CDN and DNS for landing page | Global, with EU processing |
We do not sell or share your data with third parties for marketing purposes.
6. Your Rights
Under applicable data protection law, you have the following rights:
- Right of access — request a copy of your personal data.
- Right to rectification — correct inaccurate or incomplete data.
- Right to erasure — request deletion of your personal data.
- Right to data portability — export your data in a machine-readable format (CSV, Excel, PDF).
- Right to object — object to processing based on legitimate interest.
- Right to withdraw consent — withdraw analytics consent at any time via cookie settings.
- Right to lodge a complaint — file a complaint with your local data protection authority.
To exercise your rights, contact us at [email protected]. We will respond within 30 days.
7. Cookies and Analytics
We use analytics cookies via PostHog only with your consent. A cookie notice will be shown on your first visit.
- If you accept: PostHog collects anonymized usage data.
- If you reject: no analytics cookies are set.
You can change your decision at any time by clearing your browser cookies.
We do not use marketing cookies or third-party tracking cookies.
8. Data Security Measures
- All communication is secured with TLS (HTTPS) encryption.
- Passwords are stored using one-way hashing (bcrypt).
- Full data isolation between departments (multi-tenant architecture).
- Data access is restricted by role (RBAC) and ownership (ABAC).
- Regular security patches and updates.
- Database hosted in the EU (Hetzner, Germany).
9. Changes to This Policy
We may update this privacy policy from time to time. Significant changes will be posted on this page with an updated date. For material changes, we will notify registered users via email or in-app notification.
10. Contact
For any questions about data protection or to exercise your rights, contact us:
- Email: [email protected]
- General contact: [email protected]