Climakers is built so that customer documentation and personal data never need to flow through Climakers when using the products. This page explains the role Climakers plays under GDPR and how that simplifies procurement, DPO review, and Article 28 paperwork.
Short version: for the customer-operated products acp2md and acs2md, Climakers is neither a controller nor a processor of customer personal data. The CLI tools run inside customer environments and personal data does not transit Climakers infrastructure. Climakers acts as controller only for the limited business data tied to license purchases and voluntary support correspondence.
When you run acp2md or acs2md, customer pages, exports, credentials, and any personal data they contain stay inside your environment. Climakers does not receive that data and never decides how it is processed.
Because Climakers does not process customer personal data through the products, a Data Processing Agreement under Article 28 GDPR is not required for use of acp2md or acs2md. Procurement teams can rely on this statement together with the privacy and security policies.
Climakers is the controller for the limited business data needed to fulfill license purchases and respond to support requests. Details, sub-processors, retention, and your rights are described in the privacy policy.
GDPR distinguishes the controller (who decides why and how personal data is processed) from the processor (who handles personal data on the controller's behalf). Climakers' position varies depending on the activity, and the product model is intentionally narrow.
For acp2md and acs2md, Climakers is neither controller nor processor of customer personal data. The CLI tools run inside customer-controlled environments, and customer documentation, credentials, and exports never transit Climakers infrastructure during normal product use.
Climakers is the controller for the limited business data used to operate the public site, fulfill license purchases, issue invoices, and respond to customer-initiated support requests.
The customer remains the controller for any personal data processed inside its own infrastructure when running Climakers tools. Climakers has no access to that data and no role under Article 4 GDPR with respect to it.
Procurement and data protection teams typically check whether a DPA is required, whether Standard Contractual Clauses apply for international transfers, and what sub-processors are used. The answers below address those questions for the Climakers product model.
Because Climakers does not process customer personal data through acp2md or acs2md, an Article 28 Data Processing Agreement is not required for use of those products. Customers may still bring a template if their internal process requires one to be on file.
Standard Contractual Clauses for international transfers do not apply to customer documentation processed by the products, because that content does not leave the customer environment. The customer's own infrastructure choices determine where customer data lives and how it is transferred.
The limited business data Climakers does control (license purchases, support correspondence) is processed with a small set of sub-processors — Lemon Squeezy, Vercel, and GitHub. These sub-processors do not handle customer documentation content.
Several common GDPR concerns simply do not apply to the Climakers product model. Listing them explicitly helps DPO and procurement reviews close out faster.
Climakers does not perform profiling or solely automated decision-making with legal or similarly significant effects on individuals as defined in Article 22 GDPR.
Climakers does not use customer information for advertising profiles, cross-context behavioral advertising, or data brokerage, and the public site does not load advertising cookies or third-party behavioral trackers by default.
Climakers does not sell personal data and does not share personal data for purposes that would require a 'Do Not Sell or Share' link under California law or equivalent commitments under GDPR.
The customer-operated products do not phone home with customer documentation content. Operational improvements rely on voluntary, redacted support reports from customers.
Where Climakers is the controller for limited business data, individuals can exercise the rights below by writing to support@climakers.com. Rights for personal data processed inside customer environments are exercised against the customer as the controller.
Article 15 GDPR. Confirm whether Climakers processes information about you and obtain a copy of that information.
Article 16 GDPR. Correct inaccurate or incomplete information held by Climakers as controller.
Article 17 GDPR. Request deletion of information held by Climakers as controller, subject to legal-retention obligations such as accounting or tax law.
Article 18 GDPR. Request that Climakers limit the use of information while a request is being assessed.
Article 20 GDPR. Receive information you provided in a structured, commonly used format where the right applies.
Article 21 GDPR. Object to processing based on legitimate interests, including for direct marketing purposes (Climakers does not engage in direct marketing of personal data).
Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing performed before withdrawal.
Article 77 GDPR. Lodge a complaint with the supervisory authority in your habitual residence, place of work, or place of the alleged infringement.
The summary above captures the main commitments. The text below presents the full GDPR position in a more traditional plain-text format.
This GDPR statement explains the position of Climakers under the European Union General Data Protection Regulation and the United Kingdom GDPR. It applies alongside the Climakers Privacy Policy, which describes the limited business data Climakers handles, and alongside the product-specific license terms, which govern use of acp2md and acs2md.
This statement does not create new commitments beyond applicable law and the published privacy and license documents. It clarifies the role Climakers plays under Articles 4, 24, 26, 27, 28, and 32 GDPR so that customers can complete procurement, data protection, and compliance reviews efficiently.
GDPR distinguishes the controller, who determines the purposes and means of processing, from the processor, who processes personal data on the controller's behalf. For the customer-operated products acp2md and acs2md, Climakers is neither: the products run inside customer environments, customer documentation and credentials never transit Climakers infrastructure during normal use, and Climakers does not determine the purposes or means of any personal data processed inside the customer environment.
For the public Climakers website, license purchase fulfillment, and customer-initiated support correspondence, Climakers acts as the controller for the limited business data described in the Privacy Policy. The customer always remains the controller for personal data processed inside its own infrastructure.
Article 28 GDPR requires a written contract between a controller and a processor that processes personal data on the controller's behalf. Because Climakers does not process customer personal data through acp2md or acs2md, that controller-processor relationship does not arise from product use and an Article 28 Data Processing Agreement is not required for those products.
Customers operating Climakers products are responsible for any controller-processor relationships they themselves establish — for example, with their own cloud or backup providers. Climakers documentation favors least-privilege configuration, redacted diagnostics, and customer-controlled storage to support that responsibility.
Where Climakers acts as the controller for limited business data, that data may be processed by a small set of sub-processors that provide payment, hosting, and source distribution functions. The current sub-processors are Lemon Squeezy (merchant of record for license purchases), Vercel (public site and documentation hosting), and GitHub (source code hosting and product release distribution). None of these sub-processors processes customer documentation content.
Because these sub-processors operate from the United States, the limited business data Climakers controls may be transferred outside the European Economic Area or the United Kingdom. Where applicable, Climakers relies on the protections offered by its sub-processors, including Standard Contractual Clauses, adequacy decisions, and equivalent safeguards published by those providers. Customer documentation content remains under customer control and is not subject to those transfers.
Subject to applicable law, individuals may exercise the rights of access, rectification, erasure, restriction, portability, objection, and withdrawal of consent in respect of the limited business data Climakers controls, and may lodge a complaint with the competent supervisory authority. Requests can be sent to support@climakers.com and will be handled within the timelines required by applicable law.
Rights in respect of personal data processed inside customer environments through use of Climakers products must be exercised against the customer, who acts as the controller for that data. Climakers will reasonably support customers responding to such requests but is not a party to the underlying processing.
Climakers may update this statement as the product model, sub-processor list, or legal landscape evolves. The effective date at the top of this page identifies the latest published version, and material changes will be reflected by updating that date and, where appropriate, by additional notice.
Questions about this statement, the controller / processor classification, or sub-processor details can be sent to support@climakers.com. Where applicable law requires identification of an EU representative, a UK representative, or a postal contact for the controller, Climakers will provide those details on request.
Read the full Privacy Policy for the limited business data Climakers controls, and the Security Policy for engineering and operational controls.