ShieldedStack Privacy Policy

Effective date: October 17, 2025

This Privacy Policy explains how ShieldedStack ("ShieldedStack", "we", "our", or "us") collects, uses, stores, and protects information when you access or use our SaaS platform, including the secure package proxy, control plane, APIs, and related services (collectively, the "Services").

If you are acting on behalf of a company or other legal entity, you confirm you have the authority to accept this Privacy Policy on that entity’s behalf. "You" or "Customer" refers to the entity or individual using the Services.

1. Information We Collect

We collect the minimum data necessary to deliver, secure, and improve the Services:

Workspace & Account Metadata: Information you provide during onboarding, such as workspace name, tenant contact details, and optional profile information.
Proxy Traffic Telemetry: Package names, versions, registries requested, timestamps, IP addresses, API key identifiers, and HTTP response metadata captured when your IDEs or pipelines route traffic through the ShieldedStack proxy.
Download & Usage Metrics: Aggregate statistics on package downloads, unique packages requested, runtime outcomes, and related analytics that help you monitor dependency usage.
Support Communications: Messages and attachments you send to our support channels.

We do not collect package manager credential secrets, and we only process the data you submit via API keys, workspace configuration, or proxy traffic.

2. How We Use Information

We use the collected information to:

Deliver and maintain the Services, including authenticating API keys, applying workspace policies, and providing analytics dashboards.
Secure the Services, detect abusive behavior, prevent fraud, and respond to incidents.
Improve and analyze the Services, understand feature usage, and develop new capabilities.
Communicate with you, including service announcements, operational updates, and support responses.

We do not sell Customer Data and we do not use proxy traffic for advertising.

3. Website Analytics (Umami)

Our public website uses Umami analytics, served from analytics.bytebard.org, to understand aggregate traffic and improve site content and performance.

Data Points: Page URLs, referrer, browser and device type, country-level location derived from IP address, and event timestamps.
Cookies and Local Storage: We configure Umami in cookieless mode and do not use website analytics to store non-essential identifiers on your device.
Lawful Basis: We process this website analytics data under our legitimate interests in measuring and improving the website.
User Controls: We honor browser Do Not Track signals for website analytics collection.

4. Data Retention

Customer Data is retained for as long as your account and associated workspaces remain active. When you delete a workspace or terminate your account, the related Customer Data is removed from production systems within a reasonable timeframe, subject to necessary backups and legal obligations.

5. Sharing & Disclosure

Service Providers: We rely on subprocessors such as Microsoft Azure (cloud infrastructure/monitoring) and Supabase (authentication and user session management). These providers only process data on our behalf and under confidentiality agreements.
Website Analytics Provider: We use Umami analytics for the public website, served from analytics.bytebard.org, as a processor to provide aggregate website usage reporting.
Legal Requirements: We may disclose information if required by law, valid legal process, or to protect the rights, property, or safety of ShieldedStack, our customers, or others.

We do not otherwise share Customer Data with third parties.

6. Security

ShieldedStack implements technical and organizational measures designed to protect Customer Data, including:

Encryption in transit for all Service endpoints.
Access controls and role-based permissions for internal systems.
Activity logging and monitoring of the proxy infrastructure.
Regular review of suppliers and infrastructure configurations.

No system is completely secure; please notify us immediately at [email protected] if you suspect unauthorized access.

7. Your Rights & Choices

Access and Correction: You may review and update workspace or account information via the control plane. For additional requests, contact [email protected].
Deletion: Delete workspaces or close your account within the product, or request deletion by contacting [email protected].
Data Portability: While we do not currently offer an automated export feature, we will provide reasonable assistance upon request via [email protected].

8. Data Protection Frameworks

ShieldedStack is established in the European Economic Area and processes data in compliance with applicable EU data protection laws (including GDPR). Depending on your jurisdiction, you may have additional privacy rights (e.g., under GDPR or CCPA). We will honor those rights to the extent required by law.

If you require a Data Processing Agreement (DPA), please contact [email protected].

9. International Transfers

Customer Data may be processed within the European Economic Area and other jurisdictions where our subprocessors operate. We ensure that appropriate safeguards are in place for any cross-border data transfers, consistent with applicable law.

10. Updates to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via the Services or email prior to the change taking effect. Continued use of the Services after the effective date constitutes acceptance of the updated Policy.

11. Contact Us

For privacy-related questions, requests to exercise your rights, or to report a concern, contact us at [email protected].

By using the Services, you acknowledge that you have read and understood this Privacy Policy.