Privacy Policy

Last updated: June 2026

This Privacy Policy explains how Strathon ("Strathon", "we", "us") collects, uses, discloses, and safeguards personal data when you visit getstrathon.com, use our managed cloud, or interact with us. It is written to align with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and India's Digital Personal Data Protection Act, 2023 together with the DPDP Rules, 2025.

Strathon is open source. When you self-host the software, your agent telemetry stays entirely on your own infrastructure. The receiver does not transmit your data to us. This policy applies to our website and, where you choose to use it, our managed cloud.

1. Who is the controller

For this website and managed-cloud account data, Strathon, currently an open-source project operated by an individual based in India, is the data controller (the "data fiduciary" under India's DPDP Act). For agent telemetry you send to the managed cloud, you are the controller and Strathon acts as your processor under the Data Processing Addendum.

2. Data we collect

Website

The marketing site is static and intentionally minimal. We do not run Google Analytics, advertising pixels, or cross-site trackers. We may keep aggregate, privacy-preserving server logs (IP, user agent, timestamp) for security and abuse prevention.

Account & managed cloud

  • Account data: email, display name, hashed password (Argon2id), and authentication metadata such as MFA status and session records.
  • Billing data: handled by our payment processor; we store only the minimum needed to manage your subscription (plan, status, invoices). We do not store full card numbers.
  • Agent telemetry: the spans, policy decisions, and traces you send. You control what is captured and can enable PII redaction at ingest.
  • Support communications: messages you send us via Discord or email.

3. Legal bases (GDPR Art. 6)

  • Contract (Art. 6(1)(b)): to provide the managed cloud you signed up for.
  • Legitimate interests (Art. 6(1)(f)): to secure our services, prevent abuse, and improve the product, balanced against your rights.
  • Consent (Art. 6(1)(a)): where required, e.g. optional product communications. You may withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): to comply with applicable law.

4. How we use data

To operate, secure, and improve the website and managed cloud; to authenticate you; to process billing; to provide support; to detect and prevent fraud and abuse; and to comply with legal obligations. We do not sell personal data, and we do not use your agent telemetry to train models.

5. Cookies

The website uses only strictly necessary cookies (for example, to remember UI state). We do not set advertising or analytics cookies. The managed cloud uses a session cookie to keep you logged in. Because we avoid non-essential cookies, there is no consent banner for EU visitors beyond what the law requires.

6. Sharing & subprocessors

We share data only with infrastructure and service providers that help us run the service (hosting, email, payments), each bound by data-protection terms. A current list is maintained on the Subprocessors page. We may also disclose data if required by law or to protect rights and safety.

7. International transfers

Where personal data is transferred outside the EEA/UK, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs) and the UK Addendum. Managed-cloud customers can request EU data residency.

8. Retention

We keep account data for the life of your account and a reasonable period afterward for legal and accounting purposes. Agent telemetry in the managed cloud follows the retention period you configure. Security logs are kept for a limited period. When data is no longer needed, we delete or anonymize it.

9. Your rights

Subject to applicable law, you have the right to access, rectify, erase, restrict, port, and object to processing of your personal data, and to lodge a complaint with a supervisory authority. The product includes self-service GDPR data export (Article 20) and account deletion. To exercise rights regarding this website, contact us (Section 12).

California (CCPA/CPRA)

California residents have the right to know, delete, correct, and opt out of "sale"/"sharing" of personal information. We do not sell or share personal information as those terms are defined under the CPRA.

India (DPDP Act 2023)

Under India's Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025, you (the "data principal") have the right to access a summary of your personal data, to correct and erase it, to nominate another person to exercise your rights, and to grievance redressal. Strathon acts as a "data fiduciary" for account data and processes personal data on a lawful basis, including your consent and the legitimate uses the Act permits. To exercise these rights, contact us (Section 12).

10. Security

We apply encryption in transit (TLS) and at rest, Argon2id password hashing, a signed append-only audit log, and least-privilege access controls. See the Security page for details and how to report a vulnerability.

11. Children

Strathon is a developer tool not directed to children. We do not knowingly collect personal data from children, which India's DPDP Act defines as anyone under 18, or anyone under the applicable age of digital consent in other regions. If you believe a child has provided us data, contact us and we will delete it.

12. Contact

For privacy questions or to exercise your rights, reach us on Discord or by email at the address listed on the Security page. We aim to respond within 30 days.

13. Changes

We may update this policy. Material changes will be reflected by the "Last updated" date above, and where appropriate we will provide additional notice.

This page is provided for transparency and general information and is not legal advice.

Terms of ServiceData Processing AddendumSubprocessorsSecurity