Privacy Policy
Your privacy matters to us. This policy explains what information we collect, how we use it, and the choices you have regarding your data.
Last updated: April 10, 2026
1. Introduction
Substrate Systems Inc. ("Substrate," "we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, store, and protect information when you visit our website at substratecore.com, create an account, or use the Substrate platform and related services (collectively, the "Service").
This policy applies to all users of the Service, including visitors to our website, registered account holders, organization administrators, and team members. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.
If you are using the Service on behalf of an organization, you confirm that you are authorized to agree to this Privacy Policy on behalf of that organization.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your name, email address, organization name, job title or role, and password. If you sign up through a single sign-on (SSO) or SAML provider, we receive the identity information provided by that provider.
2.2 Payment and Billing Information
When you subscribe to a paid plan, we collect billing contact information and billing address. Payment card details are collected and processed directly by our payment processor, Stripe, Inc. Substrate does not store your full credit card number, CVV, or bank account details on our servers. We receive only a truncated card identifier and transaction confirmation from Stripe.
2.3 Cloud Provider Credentials
To deliver our infrastructure management services, you may provide access credentials for third-party cloud provider accounts (AWS, GCP, Azure). These credentials are encrypted at rest using industry-standard encryption (AES-256) and encrypted in transit using TLS 1.2 or higher. We use these credentials solely to perform operations you initiate or authorize through the Service.
2.4 Infrastructure and Configuration Data
When you use the Service, we process data related to your infrastructure, including Kubernetes cluster configurations and metadata, deployment specifications and resource utilization metrics, CI/CD pipeline configurations and build logs, container registry metadata, domain and DNS records, secrets and encrypted credentials you store in the platform, and GitOps synchronization configurations.
2.5 Usage and Analytics Data
We automatically collect information about how you interact with the Service, including pages and features accessed, actions taken within the platform, API call volume and patterns, compute resource consumption (VM-minutes), and session duration and frequency of use.
2.6 Technical Data
We collect technical information automatically when you access the Service, including IP address, browser type and version, operating system, device identifiers, referring URLs, and time zone settings. We use Google Analytics to help us understand how users interact with the Service.
2.7 Communication Data
When you contact us through our contact form, email, or support channels, we collect the content of your communications along with associated metadata such as timestamps and communication preferences.
3. How We Use Your Information
We use the information we collect to:
- Provide and operate the Service: Manage your account, deliver infrastructure management features, process billing, and provide customer support
- Ensure security: Detect, prevent, and respond to security incidents, fraud, and unauthorized access to accounts or infrastructure
- Improve the Service: Analyze usage patterns to improve performance, reliability, and user experience; develop new features based on aggregated usage data
- Communicate with you: Send transactional emails (billing confirmations, security alerts, service notifications), respond to support inquiries, and provide product updates
- Comply with legal obligations: Fulfill our obligations under applicable laws, regulations, legal processes, and governmental requests
- Generate analytics: Create aggregated, anonymized, and de-identified data sets for internal analytics, benchmarking, and industry insights that cannot be used to identify you
4. Legal Bases for Processing
We process your personal information based on the following justifications:
- Contract Performance: Processing necessary to provide the Service you have subscribed to, including account management, billing, and infrastructure operations
- Legitimate Business Interests: Processing for purposes such as improving the Service, ensuring security, preventing fraud, and conducting analytics
- Consent: Where we rely on your consent (e.g., for certain marketing communications or optional cookies), you may withdraw consent at any time
- Legal Obligation: Processing necessary to comply with applicable laws, regulations, or legal processes
5. Information Sharing & Third Parties
We do not sell your personal information. We share your information only in the following circumstances:
- Payment Processing: We share billing information with Stripe, Inc. for payment processing. Stripe's handling of your data is governed by Stripe's privacy policy.
- Cloud Providers: When you connect your cloud provider accounts (AWS, GCP, Azure), we transmit your instructions and credentials to those providers to perform the operations you request. This sharing is directed by you and necessary to deliver the Service.
- Git Providers: When you connect Git integrations (GitHub, GitLab, Bitbucket, Azure DevOps), we exchange data with those providers as authorized by you through OAuth to enable CI/CD, repository management, and related features.
- Analytics Providers: We use Google Analytics to analyze website usage. Google Analytics collects information anonymously and reports trends without identifying individual visitors.
- Financial Services: We share relevant financial data with QuickBooks Online (Intuit) for our internal accounting and reconciliation purposes. No customer personal data beyond billing transaction records is shared.
- Legal Requirements: We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
- Business Transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will provide notice before your personal information becomes subject to a different privacy policy.
- With Your Consent: We may share your information for other purposes with your explicit consent.
6. Data Retention
We retain your information for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods include:
- Account data: Retained for the duration of your account plus thirty (30) days after termination
- Billing and transaction records: Retained for seven (7) years as required for tax and financial reporting compliance
- Infrastructure and configuration data: Deleted within ninety (90) days after account termination
- Audit logs: Retained according to your plan's retention settings (up to 90 days for Pro, custom for Enterprise)
- Usage and analytics data: Aggregated and anonymized data may be retained indefinitely
- Support communications: Retained for two (2) years after the last interaction
7. Data Security
We implement comprehensive security measures to protect your data, including:
- Encryption at rest: All sensitive data, including cloud provider credentials and secrets, is encrypted using AES-256 encryption
- Encryption in transit: All data transmitted between your browser and our servers is protected using TLS 1.2 or higher
- Access controls: Role-based access control (RBAC) with granular organization, project, and resource-level permissions
- Multi-factor authentication: TOTP-based MFA available for all accounts and enforceable at the organization level
- Security standards: Our infrastructure and practices are designed to meet industry-standard security requirements
- Audit trails: Comprehensive logging of all significant operations for security monitoring and forensic analysis
- Regular security assessments: Periodic penetration testing, vulnerability scanning, and security audits conducted by internal and external teams
While we employ industry-standard security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.
8. Your Rights
We believe you should have control over your personal information. Subject to applicable law, we provide the following rights to all users:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete personal data
- Deletion: Request deletion of your personal data, subject to legal retention requirements
- Data Portability: Receive your personal data in a structured, machine-readable format
- Withdraw Consent: Where processing is based on consent, withdraw that consent at any time
- Opt-Out: Opt out of marketing communications at any time. Note: Substrate does not sell personal information.
8.1 Exercising Your Rights
To exercise any of the rights described above, please contact us at privacy@substratecore.com. We will respond to your request within thirty (30) days. We may need to verify your identity before processing your request. You may also have additional rights under your local laws.
9. International Data Transfers
Substrate is headquartered in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.
By using the Service, you acknowledge and consent to the transfer of your information to the United States and other jurisdictions where we or our service providers operate. We take reasonable steps to ensure your data is treated securely and in accordance with this Privacy Policy regardless of where it is processed.
If you have questions about international data transfers, please contact us at privacy@substratecore.com.
10. Cookies & Tracking Technologies
We use the following types of cookies and similar technologies:
- Essential Cookies: Required for the Service to function properly, including authentication tokens, session management, and security features. These cannot be disabled.
- Analytics Cookies: Used to understand how visitors interact with our website, including Google Analytics cookies. These help us improve the Service and user experience.
- Preference Cookies: Remember your settings and preferences, such as theme selection (light/dark mode) and language preferences.
You can manage your cookie preferences through your browser settings. Disabling essential cookies may prevent you from using certain features of the Service. We honor Global Privacy Control (GPC) signals and Do Not Track (DNT) browser settings where required by applicable law.
11. Children's Privacy
The Service is not directed at individuals under the age of sixteen (16). We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe that a child under 16 has provided us with personal information, please contact us at privacy@substratecore.com.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Provide notice via email to the address associated with your account at least thirty (30) days before the changes take effect
- Display a prominent notice within the Service for active users
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this page periodically to stay informed about how we protect your information.
13. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Substrate Systems Inc.
Privacy Inquiries: privacy@substratecore.com
General Legal: legal@substratecore.com
Website: substratecore.com