Privacy Policy
Last updated: April 2026
1. Introduction
This Privacy Policy explains how Vallenta ("we", "us", "our") collects, uses, and protects your personal data when you use the VSDelphi website and the VSDelphi VS Code extension (collectively, the "Service"). VSDelphi is a professional Delphi development environment for Visual Studio Code offering project management, code editing, debugging, and subscription-based premium features.
We are committed to complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws. For our company details, please see our Imprint.
2. Data Controller
The data controller responsible for the processing of your personal data is Vallenta. Contact details are available on our Imprint page.
3. Information We Collect
3.1 Account Data
When you register for an account, we collect:
- Email address — used for authentication, account recovery, and transactional emails
- Password — stored securely by our authentication provider (Supabase); we never have access to your plaintext password
- Name — first name, last name, and display name
- OAuth provider data — if you sign in via Google or Apple, we receive your name, email, and profile picture from the provider
3.2 Profile and Billing Data
You may voluntarily provide additional information in your profile:
- Phone number
- Profile picture (avatar)
- Billing address (street, city, postal code, state, country)
- Company name, customer type (individual or company)
- VAT ID and tax number
3.3 Payment Data
When you subscribe to VSDelphi Pro, payments are processed by Stripe. We store:
- Stripe customer ID and subscription ID
- Card brand, last four digits, and expiration date
- Subscription status and billing period dates
We never store your full credit card number. All payment processing is handled by Stripe in compliance with PCI DSS standards.
3.4 Extension Session Data
When you authenticate the VSDelphi VS Code extension, we collect:
- Device ID — a unique identifier for your VS Code installation
- Device information — your computer name, used to help you identify active sessions
- Session timestamps — when the session was created and last used
Extension sessions use JWTs (access and refresh tokens) for authentication. Refresh tokens are stored as cryptographic hashes only.
3.5 Technical Data
During your use of the Service, we automatically collect:
- IP address — used for rate limiting and abuse prevention; not stored persistently
- HTTP request metadata — method, path, User-Agent, and Referer headers for server monitoring and error diagnostics
We do not use third-party analytics or tracking services.
4. Cookies
We use cookies and provide a consent banner where you can manage your preferences. Our cookie categories are:
4.1 Necessary Cookies (always active)
Essential cookies required for the website to function:
- Authentication session cookies — maintain your logged-in state (managed by Supabase)
- Cookie consent cookie — stores your cookie preferences (validity: 365 days, integrity-protected with HMAC-SHA256)
4.2 Analytics Cookies (optional)
Cookies that help us understand how visitors interact with the website. Currently not in active use.
4.3 Marketing Cookies (optional)
Cookies used for personalized advertisements and campaign tracking. Currently not in active use.
You can change your cookie preferences at any time through the cookie consent banner on our website.
5. How We Use Your Information
We process your personal data for the following purposes and legal bases:
Performance of contract (Art. 6(1)(b) GDPR):
- Provide and operate the Service (account, authentication, extension access)
- Process payments and manage subscriptions
- Send transactional emails (welcome, verification, password reset, payment receipts)
- Manage extension device sessions and enforce session limits per subscription tier
Legitimate interest (Art. 6(1)(f) GDPR):
- Rate limiting and abuse prevention
- Server monitoring and error diagnostics
Consent (Art. 6(1)(a) GDPR):
- Send product updates and marketing emails (only with your opt-in)
6. Email Communications
We send the following types of emails:
- Transactional emails — welcome message, email verification, password reset, and payment receipts. These are necessary for the operation of the Service, and you cannot opt out of them.
- Product updates and marketing emails — information about new features and offers. You can opt in or out of these at any time via your notification settings.
7. Third-Party Services
We use the following third-party services to operate the Service:
- Supabase — Authentication and database hosting. Data shared: account data, profile data. Privacy policy: supabase.com/privacy
- Stripe — Payment processing. Data shared: email, billing data, payment details. Privacy policy: stripe.com/privacy
- SMTP provider — Email delivery. Data shared: email address, name (in email content). Privacy policy depends on the configured provider.
We do not sell, rent, or share your personal data with third parties for their own marketing purposes.
8. Data Retention
We retain your data for the following periods:
- Account and profile data — as long as your account is active; upon deactivation, data is retained for legal compliance and then deleted
- Payment and subscription data — as long as required by tax and commercial law (typically 7–10 years for financial records)
- Extension refresh tokens — 30 days (automatically deleted after expiry)
- Extension sessions — 30 days of inactivity (automatically cleaned up)
- Extension authorization codes — short-lived, automatically deleted after use or expiry
- Cookie consent preferences — 365 days
- Server logs — retained for a limited period for diagnostics, then automatically purged
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
- All data is transmitted over encrypted connections (HTTPS/TLS)
- Passwords are hashed by our authentication provider and never stored in plaintext
- Extension refresh tokens are stored as cryptographic hashes
- JWT access tokens are signed using ES256 (Elliptic Curve) and have a short lifetime (1 hour)
- Rate limiting is applied to authentication endpoints to prevent brute-force attacks
- Security headers (Content Security Policy, HSTS, X-Frame-Options) are configured on all pages
- Administrative access to user data is restricted to authorized personnel
10. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15) — obtain a copy of your personal data
- Right to rectification (Art. 16) — correct inaccurate data via your profile page
- Right to erasure (Art. 17) — request deletion of your personal data
- Right to restriction (Art. 18) — request that we restrict processing of your data
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
- Right to object (Art. 21) — object to processing based on legitimate interests
- Right to withdraw consent (Art. 7(3)) — withdraw consent at any time (e.g., for marketing emails via notification settings)
To exercise any of these rights, please contact us using the details on our Imprint page. We will respond to your request within 30 days.
You also have the right to lodge a complaint with a supervisory authority if you believe that our processing of your personal data violates data protection law.
11. Extension-Specific Data Processing
The VSDelphi VS Code extension communicates with our servers for:
- Authentication — verifying your identity and subscription tier to unlock features (Free, Trial, Pro, Beta)
- Session management — tracking active device sessions to enforce per-tier session limits
- Token refresh — periodically renewing your access token without requiring re-login
The extension does not:
- Collect or transmit your source code
- Access files outside of Delphi project directories
- Send telemetry or usage analytics to our servers
12. Children
The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us so we can delete it.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically.
14. Contact
If you have questions about this Privacy Policy or wish to exercise your rights, please contact us using the details on our Imprint page.