Privacy Policy
Your privacy matters to us. This policy explains what information we collect, how we use it, and the choices you have regarding your data.
Last updated: March 7, 2026
1. Introduction
Substrate Systems Inc. ("Substrate," "we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, store, and protect information when you visit our website at substratecore.com, create an account, or use the Substrate platform and related services (collectively, the "Service").
This policy applies to all users of the Service, including visitors to our website, registered account holders, organization administrators, and team members. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.
If you are using the Service on behalf of an organization, you confirm that you are authorized to agree to this Privacy Policy on behalf of that organization.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your name, email address, organization name, job title or role, and password. If you sign up through a single sign-on (SSO) or SAML provider, we receive the identity information provided by that provider.
2.2 Payment and Billing Information
When you subscribe to a paid plan, we collect billing contact information and billing address. Payment card details are collected and processed directly by our payment processor, Stripe, Inc. Substrate does not store your full credit card number, CVV, or bank account details on our servers. We receive only a truncated card identifier and transaction confirmation from Stripe.
2.3 Cloud Provider Credentials
To deliver our infrastructure management services, you may provide access credentials for third-party cloud provider accounts (AWS, GCP, Azure). These credentials are encrypted at rest using industry-standard encryption (AES-256) and encrypted in transit using TLS 1.2 or higher. We use these credentials solely to perform operations you initiate or authorize through the Service.
2.4 Infrastructure and Configuration Data
When you use the Service, we process data related to your infrastructure, including Kubernetes cluster configurations and metadata, deployment specifications and resource utilization metrics, CI/CD pipeline configurations and build logs, container registry metadata, domain and DNS records, secrets and encrypted credentials you store in the platform, and GitOps synchronization configurations.
2.5 Usage and Analytics Data
We automatically collect information about how you interact with the Service, including pages and features accessed, actions taken within the platform, API call volume and patterns, compute resource consumption (VM-minutes), and session duration and frequency of use.
2.6 Technical Data
We collect technical information automatically when you access the Service, including IP address, browser type and version, operating system, device identifiers, referring URLs, and time zone settings. We use Google Analytics to help us understand how users interact with the Service.
2.7 Communication Data
When you contact us through our contact form, email, or support channels, we collect the content of your communications along with associated metadata such as timestamps and communication preferences.
3. How We Use Your Information
We use the information we collect to:
- Provide and operate the Service: Manage your account, deliver infrastructure management features, process billing, and provide customer support
- Ensure security: Detect, prevent, and respond to security incidents, fraud, and unauthorized access to accounts or infrastructure
- Improve the Service: Analyze usage patterns to improve performance, reliability, and user experience; develop new features based on aggregated usage data
- Communicate with you: Send transactional emails (billing confirmations, security alerts, service notifications), respond to support inquiries, and provide product updates
- Comply with legal obligations: Fulfill our obligations under applicable laws, regulations, legal processes, and governmental requests
- Generate analytics: Create aggregated, anonymized, and de-identified data sets for internal analytics, benchmarking, and industry insights that cannot be used to identify you
4. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, our legal bases for processing your personal data include:
- Contract Performance: Processing necessary to provide the Service you have subscribed to, including account management, billing, and infrastructure operations
- Legitimate Interests: Processing for purposes such as improving the Service, ensuring security, preventing fraud, and conducting analytics, where these interests are not overridden by your data protection rights
- Consent: Where we rely on your consent (e.g., for certain marketing communications or optional cookies), you may withdraw consent at any time without affecting the lawfulness of prior processing
- Legal Obligation: Processing necessary to comply with applicable laws, regulations, or legal processes
5. Information Sharing & Third Parties
We do not sell your personal information. We share your information only in the following circumstances:
- Payment Processing: We share billing information with Stripe, Inc. for payment processing. Stripe's handling of your data is governed by Stripe's privacy policy.
- Cloud Providers: When you connect your cloud provider accounts (AWS, GCP, Azure), we transmit your instructions and credentials to those providers to perform the operations you request. This sharing is directed by you and necessary to deliver the Service.
- Git Providers: When you connect Git integrations (GitHub, GitLab, Bitbucket, Azure DevOps), we exchange data with those providers as authorized by you through OAuth to enable CI/CD, repository management, and related features.
- Analytics Providers: We use Google Analytics to analyze website usage. Google Analytics collects information anonymously and reports trends without identifying individual visitors.
- Financial Services: We share relevant financial data with QuickBooks Online (Intuit) for our internal accounting and reconciliation purposes. No customer personal data beyond billing transaction records is shared.
- Legal Requirements: We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
- Business Transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will provide notice before your personal information becomes subject to a different privacy policy.
- With Your Consent: We may share your information for other purposes with your explicit consent.
6. Data Retention
We retain your information for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods include:
- Account data: Retained for the duration of your account plus thirty (30) days after termination
- Billing and transaction records: Retained for seven (7) years as required for tax and financial reporting compliance
- Infrastructure and configuration data: Deleted within ninety (90) days after account termination
- Audit logs: Retained according to your plan's retention settings (up to 90 days for Pro, custom for Enterprise)
- Usage and analytics data: Aggregated and anonymized data may be retained indefinitely
- Support communications: Retained for two (2) years after the last interaction
7. Data Security
We implement comprehensive security measures to protect your data, including:
- Encryption at rest: All sensitive data, including cloud provider credentials and secrets, is encrypted using AES-256 encryption
- Encryption in transit: All data transmitted between your browser and our servers is protected using TLS 1.2 or higher
- Access controls: Role-based access control (RBAC) with granular organization, project, and resource-level permissions
- Multi-factor authentication: TOTP-based MFA available for all accounts and enforceable at the organization level
- SOC 2 Type II: Our infrastructure and practices are SOC 2 Type II certified (available on Enterprise plans)
- Audit trails: Comprehensive logging of all significant operations for security monitoring and forensic analysis
- Regular security assessments: Periodic penetration testing, vulnerability scanning, and security audits conducted by internal and external teams
While we employ industry-standard security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.
8. Your Rights
Depending on your location and applicable law, you may have the following rights regarding your personal information:
8.1 GDPR Rights (EEA, UK, Switzerland)
- Right of Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete personal data
- Right to Erasure: Request deletion of your personal data, subject to legal retention requirements
- Right to Restrict Processing: Request that we limit how we process your data in certain circumstances
- Right to Data Portability: Receive your personal data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests or for direct marketing purposes
- Right to Withdraw Consent: Where processing is based on consent, withdraw that consent at any time
8.2 CCPA/CPRA Rights (California Residents)
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you
- Right to Delete: Request deletion of personal information we have collected from you
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out: Opt out of the sale or sharing of your personal information. Note: Substrate does not sell personal information.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
- Right to Limit Use of Sensitive Personal Information: Request that we limit the use and disclosure of your sensitive personal information
8.3 Exercising Your Rights
To exercise any of the rights described above, please contact us at privacy@substratecore.com. We will respond to your request within thirty (30) days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request.
If you are located in the EEA and believe that your data protection rights have been violated, you have the right to lodge a complaint with your local data protection supervisory authority.
9. International Data Transfers
Substrate is headquartered in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.
For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms, to ensure an adequate level of data protection.
Where we engage sub-processors that process personal data on our behalf, we enter into data processing agreements (DPAs) that include appropriate safeguards for international transfers. Enterprise customers may request a copy of our DPA by contacting privacy@substratecore.com.
10. Cookies & Tracking Technologies
We use the following types of cookies and similar technologies:
- Essential Cookies: Required for the Service to function properly, including authentication tokens, session management, and security features. These cannot be disabled.
- Analytics Cookies: Used to understand how visitors interact with our website, including Google Analytics cookies. These help us improve the Service and user experience.
- Preference Cookies: Remember your settings and preferences, such as theme selection (light/dark mode) and language preferences.
You can manage your cookie preferences through your browser settings. Disabling essential cookies may prevent you from using certain features of the Service. We honor Global Privacy Control (GPC) signals and Do Not Track (DNT) browser settings where required by applicable law.
11. Children's Privacy
The Service is not directed at individuals under the age of sixteen (16). We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe that a child under 16 has provided us with personal information, please contact us at privacy@substratecore.com.
12. California-Specific Disclosures
Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), California residents are entitled to additional disclosures. The following table summarizes the categories of personal information we have collected in the preceding twelve (12) months:
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email, IP address, account ID | Yes |
| Commercial Information | Subscription plan, billing history, usage records | Yes |
| Internet Activity | Browsing history on our site, feature usage, API logs | Yes |
| Professional Information | Job title, company name, role | Yes |
| Geolocation | Approximate location from IP address | Yes |
| Sensitive Personal Information | Account login credentials | Yes |
Do Not Sell or Share: Substrate does not sell or share (as defined by the CCPA/CPRA) your personal information for cross-context behavioral advertising or any other purpose.
Automated Decision-Making: Substrate does not use automated decision-making technology (ADMT) that produces legal or similarly significant effects on consumers.
13. EU/EEA-Specific Disclosures
Data Controller: Substrate Systems Inc. is the data controller for the personal data collected through the Service.
Data Protection Officer: For questions or concerns about our data protection practices, you may contact our Data Protection Officer at dpo@substratecore.com.
Supervisory Authority: You have the right to lodge a complaint with your local data protection supervisory authority if you believe that we have not complied with applicable data protection laws.
Data Processing Agreements: Where Substrate acts as a data processor on behalf of an organization, we enter into Data Processing Agreements (DPAs) that comply with GDPR Article 28 requirements. Enterprise customers may request our standard DPA.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Provide notice via email to the address associated with your account at least thirty (30) days before the changes take effect
- Display a prominent notice within the Service for active users
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this page periodically to stay informed about how we protect your information.
15. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Substrate Systems Inc.
Privacy Inquiries: privacy@substratecore.com
Data Protection Officer: dpo@substratecore.com
General Legal: legal@substratecore.com
Website: substratecore.com