Legal

Privacy Policy

What Chainsaw collects, why, how long we keep it, and how you exercise your rights.

Last updated: 15 April 2026

Questions? Email legal@chain305.com.

Quick summary: We collect the minimum data needed to run the Service. We don't sell personal data. Billing is handled by Paddle, who is the merchant of record; payment-card details never touch our servers. Contact us at privacy@chain305.com to exercise your rights.

1. Who we are

Chainsaw is a transparent supply chain firewall operated as a sole proprietorship, registered in a United Arab Emirates free zone, with operations in the UAE and the United States ("Chainsaw", "we", "us"). We are the data controller for the personal data processed through the Service, except where our customers are controllers of the data they upload (in which case we act as a processor on their behalf, governed by a separate Data Processing Addendum on request).

For questions about this policy or to exercise your privacy rights, contact privacy@chain305.com.

2. Data we collect

2.1 Account data

  • Name, work email address, password hash (argon2id — we never store plaintext passwords);
  • Organisation name and slug;
  • Persona you select at signup (AppSec / DevSecOps / Enterprise IT) — optional, used for UX tailoring only;
  • Role within the organisation;
  • TOTP secret (encrypted at rest), if you enable two-factor authentication.

2.2 Usage and telemetry

  • Login events, session timestamps, IP address and user-agent for audit logs;
  • Requests you make through the proxy (package name, version, source registry, verdict) — used to enforce policy and produce dashboards and SBOMs;
  • Storage and bandwidth usage counters (hourly rollups) — used to enforce plan limits and to bill overage on the Pro plan;
  • Product analytics via PostHog on the marketing site and dashboard — page views, feature interactions, and error events. We configure PostHog to anonymise IP addresses.

2.3 Content you provide

  • Policy configurations you upload or create;
  • Repository and webhook endpoints you register;
  • SSO and SCIM configuration (Unlimited plan) — we store the identity-provider metadata needed to authenticate and provision users.

2.4 Billing data

Paid plans are processed by Paddle, who is the merchant of record. Payment-card details and full billing addresses are collected and stored by Paddle, not by us. We receive a limited billing record from Paddle — plan, price, country for tax purposes, last four digits of the card, and Paddle's subscription identifier — to reconcile subscriptions with your account. Paddle's privacy notice is at paddle.com/legal/privacy.

2.5 Support and communications

When you contact support@chain305.com we keep the conversation and any attachments for as long as needed to resolve the request and for one year after for quality review. Transactional email is delivered by Postmark; bot protection is provided by Cloudflare Turnstile.

3. Why we process data (legal bases)

  • To provide the Service (performance of a contract): account creation, authentication, enforcement of policy, billing reconciliation, support.
  • Legitimate interests: fraud prevention, security logging and audit, service analytics to improve Chainsaw, aggregate usage metrics.
  • Legal obligation: responding to lawful requests, tax and accounting records, breach notifications.
  • Consent: marketing emails (opt-in, with an unsubscribe link in every message), optional analytics that aren't strictly necessary.

4. Data we do not collect

  • We do not inspect the content of the packages you install — only the metadata (name, version, registry, hash) that the proxy needs to evaluate policy.
  • We do not store the bodies of installed artefacts beyond the cache window configured by your plan, and we do not share them with anyone else.
  • We do not use your audit logs, SBOMs, or policy configurations to train machine-learning models.
  • We do not use invasive trackers — no session recording outside of explicit debugging sessions, no fingerprinting beyond what PostHog provides for analytics.

5. How we share data

We share data only with the sub-processors needed to run the Service:

  • Paddle — billing and merchant of record (global).
  • Postmark — transactional email delivery (US).
  • PostHog — product analytics (EU hosting where available).
  • Cloudflare — CDN, Turnstile bot protection, DNS (global).
  • Upstream package registries (npm, PyPI, Docker Hub, Maven Central, etc.) — the proxy forwards requests you initiate.
  • Your configured integrations — SIEM or ticketing webhooks you set up receive the events you ask them to. We do not send them anything you didn't configure.

We do not sell personal data. We don't share it for advertising. We may disclose data when legally required (subpoena, court order), in which case we will, where lawful, notify the affected user.

6. International transfers

Chainsaw is operated from the United Arab Emirates (free-zone registration) and the United States. Some sub-processors we rely on are based in the EU, UK, Singapore, and other jurisdictions. Transferring personal data across borders is an inherent part of running a globally available Service.

For transfers from the European Economic Area, the United Kingdom, or Switzerland to countries that are not covered by an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (2021/914/EU) and the UK International Data Transfer Addendum where applicable. For transfers involving the UAE, we comply with the UAE's Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) and its implementing regulations where they apply to our processing. We publish a current sub-processor list on request — email privacy@chain305.com.

7. Retention

  • Account data: for as long as you have an account, plus 90 days after closure.
  • Audit logs and usage rollups: 13 months, so you can run year-over-year comparisons.
  • Billing records: 7 years where legally required for tax purposes.
  • Support correspondence: 1 year after resolution.
  • Backups: rolling 30-day encrypted backups.

8. Your rights

8.1 Rights available in every jurisdiction we serve

You can ask us to:

  • Access the personal data we hold about you;
  • Correct data that is inaccurate or out of date;
  • Delete your data (subject to the retention windows in Section 7);
  • Export your data in a portable, machine-readable format;
  • Restrict or object to specific processing;
  • Withdraw consent for any processing based on consent, without affecting the lawfulness of prior processing.

To exercise these rights, email privacy@chain305.com from the address on your account, or use the export / deletion controls in your in-app settings. We respond within 30 days (extendable by up to 60 days for complex requests, with notice).

8.2 EU / UK / Switzerland (GDPR)

Where the GDPR applies, you additionally have the right to complain to your local supervisory authority, and the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects (we do not make such decisions).

8.3 California residents (CCPA / CPRA)

If you're a California resident, you have the additional rights to (a) know the specific pieces of personal information we have collected, (b) delete that information, (c) correct inaccurate information, (d) limit the use and disclosure of sensitive personal information, and (e) opt out of the sale or sharing of personal information. We do not sell or share personal information as those terms are defined under the CCPA / CPRA. We will not discriminate against you for exercising any of these rights. You may designate an authorised agent to make requests on your behalf; we will verify the agent's authorisation before responding.

8.4 UAE residents (Federal PDPL)

Under the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), you additionally have the right to request clarification about the processing, to object to automated decision-making that affects your rights, and to bring a complaint to the UAE Data Office. Free-zone residents may have additional rights under the DIFC Data Protection Law (DIFC Law No. 5 of 2020) or the ADGM Data Protection Regulations 2021; those laws apply to our processing to the extent required by the free zone of our registration.

8.5 Other jurisdictions

If you reside elsewhere (e.g., Brazil under LGPD, Canada under PIPEDA, Australia under the Privacy Act), comparable rights typically apply. Email privacy@chain305.com and we will respond under the most protective applicable framework.

9. Security

We implement technical and organisational safeguards appropriate to the risk, including:

9.1 Encryption

  • TLS 1.2 or higher for all data in transit, with HSTS and modern cipher suites;
  • Industry-standard at-rest encryption for database volumes and backups;
  • Argon2id for password hashing with per-user salts;
  • TOTP secrets encrypted at rest with a key held separately from the data store.

9.2 Access control

  • Role-based access controls (RBAC) on every customer-facing permission;
  • Multi-factor authentication required for internal administrative access;
  • Isolated processing per tenant — no cross-tenant data sharing, enforced at the database layer;
  • Principle of least privilege for staff: access is scoped to what each role actually needs, reviewed periodically;
  • All internal admin actions are audit-logged and retained.

9.3 Operational security

  • Continuous monitoring of the production environment with alerting on anomalous patterns;
  • Documented incident-response procedure with defined roles, severity levels, and communication templates;
  • Regular third-party dependency scanning — we use Chainsaw on our own supply chain;
  • Encrypted, geographically redundant backups; restore procedures tested on a recurring basis;
  • Staff security training on phishing, credential hygiene, and data handling.

9.4 Incident notification

If we become aware of a personal-data breach affecting your account, we will notify you without undue delay and, where required by law (including GDPR Article 34), within 72 hours of becoming aware. The notification will describe the nature of the breach, the data concerned, likely consequences, and the measures we've taken to address it.

9.5 Reporting vulnerabilities

Report suspected vulnerabilities to security@chain305.com. We acknowledge within three business days and coordinate a responsible-disclosure timeline. We don't pursue legal action against good-faith researchers who follow our disclosure process.

10. Cookies

We use a small number of cookies strictly necessary to run the Service (session authentication, CSRF protection, Turnstile), plus first-party PostHog analytics cookies where allowed. We don't use third-party advertising cookies. You can disable cookies in your browser, but strictly-necessary cookies are required for login.

11. Children

Chainsaw is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact privacy@chain305.com and we will delete it.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes we will post the updated version here with a new "Last updated" date and, for subscribers, email a summary at least 14 days before the change takes effect.

13. Contact

Privacy inquiries: privacy@chain305.com
Security: security@chain305.com
General: support@chain305.com

© 2026 Chainsaw — open policies, open audit log. Billing by Paddle as merchant of record.