Legitimate Interest Assessment
Data Controller: Dasolve AS (Org.nr 936 035 019), Lillogata 5P, 0484 Oslo, Norway
Assessment date: May 10, 2026
Last reviewed: May 10, 2026
Contact: privacy@archgate.dev
1. Purpose of processing
Archgate collects anonymous CLI usage analytics and crash reports to:
- Understand which commands and features are used, enabling evidence-based prioritization
- Identify and fix crashes that affect users (via Sentry error reports)
- Measure adoption patterns across operating systems, CI providers, and installation methods
- Detect regressions after new releases by comparing command success rates
- Plan deprecations by understanding which features have low usage
Without this data, product decisions would be made blindly, crashes could go undetected, and development resources would be misallocated.
2. Necessity
We considered less invasive alternatives:
| Alternative | Why insufficient |
|---|---|
| Opt-in only | Industry data shows opt-in telemetry achieves 2-5% participation, producing statistically unreliable samples that cannot represent the user base |
| Manual bug reports | Only captures issues users notice and choose to report; crashes in CI pipelines or edge-case environments go permanently undetected |
| No telemetry | Eliminates all quantitative signal; decisions become guesswork |
| Periodic surveys | Self-selection bias, low response rate, no real-time crash detection |
Opt-out telemetry with anonymous data is the least invasive mechanism that still achieves the stated purposes.
3. Data minimization
The processing is designed to collect the minimum data necessary:
- Anonymous identifier: A random UUID (not derived from any personal data)
- No PII: No names, emails, usernames, IP addresses, or file content
- Flag presence only: We record which CLI flags were used, never their values
- Hashed repository identity: SHA-256 hash (first 16 chars) — non-reversible
- IP anonymization: IP is resolved to country/region server-side, then immediately discarded
- No cross-service linking: The install ID is not correlated with any external identity
Full data inventory: https://cli.archgate.dev/reference/telemetry
4. Safeguards
| Safeguard | Implementation |
|---|---|
| IP anonymization | PostHog discards IP after geo-resolution; Sentry strips IP before storage |
| EU-only storage | PostHog EU (Frankfurt), Sentry EU (Frankfurt), Turso EU |
| Limited retention | Analytics: 1 year. Crash reports: 90 days |
| Easy opt-out | Single command (archgate telemetry disable) or environment variable (ARCHGATE_TELEMETRY=0) |
| First-run disclosure | Notice displayed on first interactive CLI session |
| Transparency | All telemetry code is open source (Apache-2.0) and publicly auditable |
| No profiling | No user profiles are created; no behavioral targeting |
| No third-party sharing | Data is not sold, rented, or shared for advertising or marketing |
| Minimal processors | Only PostHog (analytics) and Sentry (crashes) process the data |
| Data subject rights | Users may request access or deletion via privacy@archgate.dev (30-day response) |
5. Balancing test
Controller's legitimate interest
Archgate needs quantitative usage and crash data to build a reliable, well-prioritized developer tool. This is a standard and recognized interest for software publishers (GDPR Recital 47: "processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned" — by analogy, processing for product reliability serves a comparable interest).
Impact on data subjects
- Data is anonymous: A random UUID with no link to any identity
- No sensitive data: No health, political, religious, or financial information
- No behavioral profiling: No advertising, no targeting, no algorithmic decisions affecting users
- Minimal footprint: A few kilobytes per CLI session, transmitted once
- No impact on service: Opting out has zero effect on CLI functionality
- Reasonable expectation: Developer tools commonly collect anonymous telemetry; users reasonably expect this
Conclusion
The controller's legitimate interest in product improvement and crash detection outweighs the minimal impact on data subjects because:
- The data is anonymous and cannot identify individuals
- The processing has no adverse effect on data subjects
- Data subjects retain full control via an easy, permanent opt-out
- The purpose is proportionate (product quality, not monetization)
- Robust safeguards (IP anonymization, EU storage, limited retention, transparency) further reduce any residual risk
Legal basis: GDPR Article 6(1)(f) — legitimate interests of the controller. Under Brazilian LGPD: Article 7, IX c/c Article 10.
6. Review schedule
This assessment will be reviewed:
- Annually (next review: May 2027)
- When new data points are added to telemetry
- When processing purposes change
- When a data subject raises a substantive objection