Privacy policy

Who we are

Packagento is operated by Packagento Ltd, a company registered in England and Wales (company number 17267961), with its registered office at 128 City Road, London, United Kingdom, EC1V 2NX. Packagento Ltd is the data controller for the personal data described in this policy. You can reach us about privacy at [email protected].

Who this policy covers

This policy applies to everyone who uses Packagento - buyers installing modules through Composer, vendors publishing packages, and anyone visiting the marketplace without an account. It explains what personal data we hold, why we hold it, who we share it with, and the rights you have over it.

What we collect

When you create an account we store your email, name, and a hashed password. When you make a purchase, Stripe handles the card data; Packagento records the Stripe customer and payment intent identifiers but never sees raw card numbers. When you connect a Git provider for vendor publishing we store the OAuth access token (encrypted at rest) plus the GitHub installation identifier or GitLab user identifier. When buyers install packages we record the project token used, the IP address, the user agent, and which package was downloaded - so vendors can spot misuse and buyers can verify their own activity.

What we share

Stripe processes payments, payouts, and refunds under their privacy policy. GitHub and GitLab receive authentication and webhook-management requests as part of the publishing flow under their respective policies. We do not sell or rent personal data to third parties. We share information with law enforcement only when we are compelled to by a valid legal request.

Cookies and sessions

A first-party PHPSESSID cookie carries your login session. A first-party form_key cookie protects POST requests against CSRF. Both are strictly necessary for the site to function. If we introduce any third-party scripts (analytics, support widgets) we will list them here with their purpose before they ship and offer a way to opt out where applicable.

Audit log retention

We keep a structured audit log of account events - token rotations, license grants, refunds, vendor approvals - for 30 days by default. Payout records are retained for seven years for accounting compliance. Refund records are retained for six years. The full retention policy is configurable per event category and surfaces on your account dashboard for events that affect you.

Contacting open-source maintainers

Some of the people we email have never created a Packagento account. If you maintain a public Magento module, we may contact you once to let you know it has been included in our launch catalog and that a vendor profile is waiting for you to claim. Our legal basis for this is legitimate interest under Article 6(1)(f) UK GDPR: our interest is letting the maintainers of open-source Magento modules know their work is listed on the marketplace, weighed against the limited, business-context nature of a single message.

We take your address only from places where you have published it as a maintainer or support contact: the authors block of a module composer.json, your public GitHub profile, or the support email a package declares on Packagist. The only personal data involved is your name, that email address, and the module it relates to. You can object at any time. Use the one-click unsubscribe link in any email, or email [email protected] to object or to ask us to erase your details, after which the vendor profile and every module listed under it is removed. You also have the right to complain to the Information Commissioner's Office (ICO).

Your rights

You have the right to access, correct, delete, or export the personal data we hold about you. Get in touch through our contact form with a verifiable request and we will respond within the timeframe required by law. Account deletion may be paused while active subscriptions are wound down or while legally required records (tax, accounting, dispute history) are retained; see the data-retention section of the Vendor Agreement and Terms for the specifics.

Changes to this policy

Material changes are announced at least 30 days before they take effect, via email to account holders and a notice on this page. Every revision keeps a dated entry below so you can see what changed and when.

16 June 2026

Identified Packagento Ltd as the data controller.

2 June 2026

Added how we contact open-source maintainers under legitimate interest.

26 May 2026

Initial publication.