Privacy Policy

What data we collect

Account

• Email, name, password (hash)
• TOTP secret (encrypted), passkey public keys
• OAuth provider tokens (encrypted)

Billing

• Via Stripe — we do not store your card number
• Invoice address (legal entity)

Operations

• Metrics and metadata sent by your agents
• Dashboards, alert rules, notification channels — whatever you create in the cabinet
• API access logs
• Audit log of actions

Site analytics

• Self-hosted analytics (Plausible-compatible): URL, referrer, aggregation by country — no cookies, no cross-site tracking
• Cookies: only the cabinet session cookie (httpOnly, sameSite=lax) and billing (Stripe)

How we use it

We do not use your metrics or metadata for advertising, ML models, or sale to third parties.

• To provide the Service
• For billing and support
• Service incident notifications (email)
• Maintenance / security updates (email)

Disclosure to third parties

Subprocessors are listed at /security#subprocessors and in the DPA. Only what is necessary to provide the Service. All subprocessors are bound by a DPA.

Retention

• Account data — until account closure + 90 days
• Metrics — per the plan’s retention (30 days / 90 days / custom)
• Audit log — 1 year after the event
• Billing — 5 years (legal requirement)

Your rights (GDPR / equivalents)

• Access to your data — export through the cabinet or by request
• Rectification — through the cabinet or by request
• Erasure — account closure
• Portability — export in JSON format
• Objection to processing — email [email protected]

Cookies

We use a minimum of cookies. On the marketing site — no cookies at all. In the cabinet — a session cookie (httpOnly, sameSite=lax, secure in production). In billing — Stripe cookies per their Privacy Policy.

Children

The Service is not intended for individuals under 16 years of age.

Contact

DPO / privacy inquiries — [email protected].