Privacy Policy

Last updated: April 1, 2026 · Effective: April 1, 2026

SummitFlux LLC ("SummitFlux," "we," "us," or "our") operates Bastionary. This Privacy Policy explains how we collect, use, share, and protect information about you when you use our services.

1. Information We Collect

Account information: When you create an account, we collect your email address and credentials. Payment information is collected only when you subscribe to a cloud plan. Additional profile details (name, organization) are optional and collected if you choose to provide them.

Usage data: We collect logs of API calls, feature usage, and error events to operate and improve our services. This data is aggregated and does not identify individual end-users of your application.

End-user authentication data: If you use Bastionary Cloud, authentication data for your application's users (tokens, session records) is processed on your behalf. We act as a data processor; you remain the data controller.

Communications: If you contact us, we retain those communications to respond and improve support.

2. How We Use Information

• To provide, operate, and improve Bastionary services
• To send transactional emails (billing receipts, security alerts)
• To detect and prevent fraud, abuse, and security incidents
• To comply with legal obligations

We do not sell your data. We do not use your data to train AI models or serve advertisements.

3. Data Sharing

We share data with:

• Service providers: Infrastructure providers (Hetzner), payment processors (Stripe), and email delivery services — under data processing agreements
• Legal requirements: When required by law, court order, or to protect rights

4. Self-Hosted Deployments

If you run the Bastionary Community Edition on your own infrastructure, we do not collect any data from your deployment. Your users' authentication data stays entirely within your environment.

5. Data Retention

We retain account data for the duration of your subscription plus 90 days after cancellation. Authentication event logs are retained for 90 days unless you export them earlier. You may request earlier deletion via our contact form.

6. Your Rights

Depending on your location, you may have the right to access, correct, delete, or export your personal data. To exercise these rights, use the contact form. We will respond within 30 days.

EU/EEA residents: Bastionary Cloud processes data under Standard Contractual Clauses. Our data processing addendum (DPA) is available on request.

7. Cookies

Our marketing site (bastionary.com) uses only essential session cookies. We do not use third-party analytics or advertising cookies. The app (app.bastionary.com) uses authentication cookies strictly required for session management.

8. Security

We implement industry-standard security controls: TLS in transit, encryption at rest for sensitive fields, MFA for admin access, and regular security reviews. See our Security page for details.

9. Changes to This Policy

We will notify you of material changes by email at least 30 days before they take effect. The "last updated" date at the top reflects the most recent revision.

10. Contact

Privacy questions? Use our contact form. For GDPR-specific requests, include "GDPR Request" in the subject line.