Privacy Policy

Effective date: 2026-05-17. Last updated: 2026-05-17.

This Privacy Policy describes how Exploding Frame SAS (“FrameSight”, “we”) collects, uses, stores, and shares personal data when you use our graphics-performance analysis service available at dashboard.framesight.io and related interfaces.

We are the data controller for the processing described below within the meaning of Article 4(7) of Regulation (EU) 2016/679 (the “GDPR”).

Data-flow diagram. On your side, you create a RenderDoc capture with the official client and upload it over HTTPS directly to a FrameSight runner — a virtual machine on FrameSight's infrastructure. The runner extracts shaders, meshes, textures and the frame timeline, then deletes the capture file after analysis. The derived report and low-resolution texture previews are stored long-term on an AES-encrypted server, with a separate encryption key per benchmark; granting admin access is optional and used only for debugging, improvements, and helping you understand reports. Runner and server logs (resource counts, event counts, timings) are deleted after 24 hours. If the game is built without development mode, shaders and names are obfuscated: the analysis is less precise but still works while preserving privacy.
How your data flows through FrameSight, and where each privacy guarantee applies.

1. Categories of personal data we process

| Category | Examples | Source |
|---|---|---|
| Account identifiers | Email address, display name, hashed password (bcrypt) or OAuth subject identifier | You (sign-up); Google / GitHub (OAuth) |
| Profile data | Company name (optional), default organisation | You (account settings) |
| Authentication data | Session token (JWT), magic-link nonces, OAuth state / PKCE verifier (transient) | Generated automatically |
| Connection log | IP address, user agent, timestamp of sign-in and of each authenticated API call | Automatically captured by the server |
| Billing data | Subscription tier, credit balance, last four digits of payment card, billing country (for VAT) | LemonSqueezy (payment processor) |
| Usage data | Benchmarks created, captures uploaded, runs launched, storage usage | Generated by your actions on the dashboard |
| Audience measurement | Pages viewed, referrer, approximate region, device / browser type, anonymised IP (no cookie, no cross-site identifier) | Matomo (self-hosted, cookieless) |
| Support correspondence | Email exchanges with support@, billing@, legal@ addresses | You (when you write to us) |

User Content (RenderDoc captures, shaders, textures, geometry) is uploaded by you in the course of using the service. We do not consider User Content to be personal data per se; however, RenderDoc captures may incidentally embed strings (debug names, file paths) that could include personal data. We process such embedded data only to the extent strictly necessary to render the report. Treatment of User Content is otherwise governed by the Terms of Service.

Important: the original .rdc capture file is deleted automatically within 24 hours of the extraction pipeline completing. Only the derived report (structural metadata, performance counters, downsampled preview images) is retained for consultation. The User retains the right to re-upload the capture at any time.

2. Purposes of processing and legal bases

| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide the service (account, dashboard, analysis pipeline) | Performance of the contract: Art. 6(1)(b) |
| Process payments and issue invoices | Performance of the contract and legal obligation: Art. 6(1)(b), (c) |
| Protect the platform (rate limiting, abuse detection, firewall) | Legitimate interest: Art. 6(1)(f) |
| Retain connection logs for LCEN compliance | Legal obligation: Art. 6(1)(c) (French LCEN Art. 6) |
| Send service-related notifications (billing, security, ToS changes) | Performance of the contract: Art. 6(1)(b) |
| Improve the service (aggregated, anonymised usage statistics) | Legitimate interest: Art. 6(1)(f) |
| Marketing communications (newsletters, product updates) | Consent: Art. 6(1)(a); opt-in at sign-up, opt-out from any email footer |

3. Recipients of personal data (sub-processors)

We share personal data only with the following sub-processors, each bound by a Data Processing Agreement (DPA) compliant with Article 28 of GDPR.

Note on infrastructure: the web dashboard and the reporter service run on a VPS operated by Pulseheberg. The orchestrator and the runner fleet are self-hosted on premises controlled by Exploding Frame SAS and do not involve any external sub-processor for the GPU replay step.

| Sub-processor | Role | Country | Data shared |
|---|---|---|---|
| Pulseheberg SAS | VPS hosting (dashboard and reporter) | France (EU) | All categories listed in §1 |
| Lemon Squeezy Inc. | Payment processor (Merchant of Record) | Canada (adequacy decision) | Email, billing country, transaction amount, card last 4 |
| Google LLC | OAuth identity provider | USA (DPF certified) | Email, Google subject ID (only on Google sign-in) |
| GitHub Inc. | OAuth identity provider | USA (subsidiary of Microsoft, DPF certified) | Email, GitHub user ID (only on GitHub sign-in) |
| SMTP relay (Nodemailer-compatible provider) | Transactional email delivery (magic-link, billing notifications, ToS updates) | EU (provider chosen for residency) | Email, message body |

We do not share personal data with advertising networks, data brokers, third-party analytics platforms (Google Analytics, Facebook Pixel, etc.), or any other party not listed above. Audience measurement is performed by a self-hosted, cookieless instance of Matomo running on infrastructure we control (stats.explodingframe.com): the data never leaves our infrastructure and is not shared with, or processed by, any third party. Matomo is configured in line with the CNIL audience-measurement exemption (no cookies, IP anonymisation, no cross-site tracking), so no consent banner is required. See our Cookies Policy for details.

3.1 International transfers

Transfers of personal data to recipients outside the European Economic Area are covered by (i) the EU Commission’s adequacy decision for Canada (Lemon Squeezy), and (ii) the EU-US Data Privacy Framework certification held by Google and Microsoft / GitHub. Should any of these mechanisms be invalidated, we commit to executing Standard Contractual Clauses (SCC, 2021/914) as a fallback transfer instrument.

4. Data retention

We retain personal data only for as long as necessary for the purposes described above:

  • Account data: until you delete your account, or three (3) years after your last sign-in, whichever comes first.
  • RenderDoc .rdc uploads: deleted automatically within 24 hours of successful (or definitively failed) extraction.
  • Report bundles and SQLite extractor databases: 30 days after benchmark soft-delete; immediate hard-delete on explicit User request.
  • Billing records and invoices: 10 years from the date of issue, in compliance with Article L.123-22 of the French Code de commerce.
  • Connection logs (IP, user agent): one (1) year, in compliance with the French LCEN (Loi pour la confiance dans l’économie numérique, Article 6-II).
  • Audit logs (administrative actions): 90 days.
  • Support correspondence: 3 years from the last interaction, then archived for an additional 2 years for warranty / legal purposes before deletion.
  • Marketing-consent records: until withdrawal plus 3 years (CNIL recommendation), or 3 years after the last marketing engagement, whichever comes first.

5. Security measures

We implement appropriate technical and organisational measures proportional to the risk:

  • Encryption in transit: TLS 1.2+ enforced on all public endpoints (HSTS, modern cipher suites).
  • Encryption at rest: User Content (capture bundles, report HTML / JSON, SQLite extraction databases) is encrypted on disk using AES-256-GCM with keys held only by authorised service processes. Service processes decrypt content only when serving a request from an authenticated and authorised user.
  • Password hashing: bcrypt with per-password salt and a work factor calibrated to current best practice (≥ 12 rounds as of the effective date).
  • Access control: row-level scoping by organisation in the database; role-based gates on every mutating API endpoint; runner-side process isolation per job.
  • Audit logging: append-only log of every administrative action.
  • Patching: operating systems and runtime libraries are kept on supported security branches; critical CVEs are patched within 7 days of public disclosure.
  • Backups: encrypted daily backups of the Postgres database, retained 14 days, geographically separated from the primary VPS.

6. Your rights as a data subject

Under GDPR Articles 15 to 22 and Articles 38 to 43 of the French Loi Informatique et Libertés as amended, you have the following rights:

  • Right of access (Art. 15): obtain a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): have inaccurate or incomplete data corrected.
  • Right to erasure (Art. 17): have your data deleted, subject to retention obligations imposed by law (e.g. invoices, LCEN logs).
  • Right to restrict processing (Art. 18).
  • Right to data portability (Art. 20): receive your data in a structured, commonly-used, machine-readable format.
  • Right to object (Art. 21): object to processing based on legitimate interest, including profiling.
  • Right to withdraw consent (Art. 7-3): where processing is based on consent (e.g. marketing), withdraw at any time.
  • Right to define post-mortem directives (Article 85 of the French law): instruct what happens to your data after your death.
  • Right not to be subject to automated decisions (Art. 22): we do not engage in solely-automated decision-making with legal or significant effect.

To exercise any of these rights, write to privacy@explodingframe.com. We respond within one (1) month of receiving a verifiable request; this period may be extended by two months for complex or numerous requests, in which case we will notify you of the extension.

If you believe that our processing of your personal data infringes the GDPR, you may lodge a complaint with the French supervisory authority:

Commission Nationale de l’Informatique et des Libertés (CNIL)
3 place de Fontenoy, TSA 80715
75334 PARIS CEDEX 07, France
www.cnil.fr/fr/plaintes

7. Cookies and similar technologies

FrameSight uses a strictly limited set of first-party cookies for authentication, security, and basic functionality. We do not use advertising or analytics cookies — our self-hosted audience measurement (Matomo) is configured to run without any cookies. See our dedicated Cookies Policy for a full inventory.

8. Children

The service is not directed at children under 16, and we do not knowingly collect personal data from anyone under that age. If you believe a minor has created an account, please notify us at privacy@explodingframe.com and we will delete the data without delay.

9. Data Protection Officer

Pursuant to GDPR Article 37, Exploding Frame SAS is not legally required to appoint a Data Protection Officer (we do not engage in systematic large-scale monitoring or process special-category data on a large scale). Privacy questions and data-subject requests are nonetheless handled by a designated privacy contact at privacy@explodingframe.com.

10. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be announced by email to active account holders at least 14 days before they take effect.

11. Contact

Privacy and data-subject requests: privacy@explodingframe.com
Postal: Exploding Frame SAS, TODO