Privacy Policy

Last updated: April 28, 2026

1. Introduction

Potions ("we," "us," or "our") provides a platform for deploying and managing Phoenix and Elixir applications on your own infrastructure. This Privacy Policy explains how we collect, use, store, and protect your information when you use our Service.

By using Potions, you agree to the collection and use of information as described in this policy.

2. Information We Collect

Account Information

When you create an account, we collect your email address and a hashed version of your password. We never store your password in plain text.

OAuth Tokens and API Credentials

When you connect third-party services, we store:

  • DigitalOcean - OAuth access tokens and refresh tokens, used to manage servers on your behalf
  • GitHub - OAuth tokens and GitHub App installation identifiers, used to access your selected repositories for deployment

All OAuth tokens and API credentials are encrypted at rest using AES-256-GCM encryption before being stored in our database. They are only decrypted when actively needed to perform actions on your behalf.

SSH Keys

We generate SSH key pairs for server access. Private keys are encrypted at rest using AES-256-GCM encryption. These keys are used solely to manage and deploy to your servers.

Server and Application Configuration

We store configuration data related to your servers and applications, including:

  • Server metadata (name, IP address, region, status)
  • Application settings (name, repository, domain configuration)
  • Environment variables - encrypted at rest using AES-256-GCM
  • Database credentials - encrypted at rest using AES-256-GCM

Billing Information

Payment processing is handled entirely by Stripe. We store your Stripe customer ID and subscription details (plan, status, billing period) but we do not store your credit card number or full payment details. For information on how Stripe handles your payment data, please refer to Stripe's Privacy Policy.

Deployment and Operational Data

We collect deployment logs, server metrics, and operational data generated during the normal use of the Service. This data is used to provide deployment history, monitoring, and troubleshooting capabilities.

Analytics

We use Plausible Analytics, a privacy-focused analytics service that does not use cookies, does not track individuals across sites, and does not collect personal information. Plausible provides aggregate statistics only, such as page views and referral sources.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service
  • Provision and manage servers on your connected infrastructure accounts
  • Deploy and manage your applications
  • Process payments and manage your subscription
  • Send transactional communications (account verification, deployment notifications, security alerts)
  • Provide customer support
  • Monitor and improve the security and performance of the Service
  • Comply with legal obligations

We do not sell your personal information. We do not use your data for advertising purposes.

4. Data Storage and Security

We implement the following security measures to protect your data:

  • Encryption at rest - Sensitive data including OAuth tokens, SSH private keys, environment variables, and database credentials are encrypted using AES-256-GCM before storage
  • Encryption in transit - All communications between your browser and our servers are encrypted using TLS
  • Password hashing - Passwords are hashed using a strong, one-way hashing algorithm and are never stored in plain text
  • Access controls - Access to production systems and user data is restricted to authorized personnel only

While we take reasonable measures to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

5. Third-Party Services

We share data with the following third-party services as necessary to provide the Service:

  • DigitalOcean - We use your OAuth tokens to provision and manage servers on your DigitalOcean account. We transmit server configuration data as needed for provisioning. See the DigitalOcean Privacy Policy.
  • GitHub - We access your selected repositories to facilitate deployments. We do not store your source code; it is fetched at build time and used only for deployment. See the GitHub Privacy Statement.
  • Stripe - We transmit billing-related information to process your subscription payments. Stripe handles all payment card data. See the Stripe Privacy Policy.
  • Plausible Analytics - We use Plausible for privacy-focused, cookie-free website analytics. No personal data is collected or shared. See the Plausible Data Policy.

We do not share your data with any other third parties except as required by law.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Upon account deletion:

  • Your account data, stored credentials, and configuration are deleted from our systems
  • Deployment logs and operational history associated with your account are deleted
  • Backup copies may persist for a limited period as part of our routine backup processes before being automatically purged
  • Data already deployed to your servers remains on those servers under your control

We may retain certain information as required by law or for legitimate business purposes (e.g., fraud prevention, resolving disputes).

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

For All Users

  • Access - Request a copy of the personal data we hold about you
  • Correction - Request correction of inaccurate personal data
  • Deletion - Request deletion of your personal data and account
  • Data portability - Request your data in a portable format

For EEA/UK Residents (GDPR)

In addition to the rights above, you have the right to:

  • Object to processing of your personal data
  • Restrict processing of your personal data
  • Withdraw consent at any time (where processing is based on consent)
  • Lodge a complaint with your local data protection authority

For California Residents (CCPA)

You have the right to:

  • Know what personal information we collect and how it is used
  • Request deletion of your personal information
  • Opt out of the sale of personal information - we do not sell your personal information
  • Non-discrimination for exercising your privacy rights

To exercise any of these rights, please contact us at hey@potions.io. We will respond to your request within 30 days.

8. Cookies and Tracking

Potions uses only essential cookies required for the Service to function:

  • Session cookies - Used to maintain your authenticated session. These are strictly necessary and cannot be disabled while using the Service.
  • CSRF tokens - Used to protect against cross-site request forgery attacks.

We do not use tracking cookies, advertising cookies, or any third-party cookies. Our analytics provider (Plausible) does not use cookies.

9. Children's Privacy

The Service is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us and we will promptly delete it.

10. International Data Transfers

Your data may be processed and stored in locations outside your country of residence. When we transfer data internationally, we take appropriate measures to ensure your data is protected in accordance with this Privacy Policy and applicable data protection laws.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service before the changes take effect. The "Last updated" date at the top of this page reflects when the policy was last revised.

Your continued use of the Service after changes take effect constitutes acceptance of the revised Privacy Policy.

12. Contact

If you have questions about this Privacy Policy or how we handle your data, please contact us at hey@potions.io.