Privacy Policy
Last updated: 1 June 2026
This Privacy Policy explains how Subnomic ("Subnomic", "we", "us") collects, uses, discloses and safeguards information when you visit our website, create an account, or use our products and services (the "Services").
1. Information we collect
Account information
When you sign up we collect your name, work email, organization name and authentication details. If you subscribe to a paid plan, billing information is processed by our payment provider; we do not store full card numbers.
Agent telemetry
The Subnomic agent collects operational metrics from hosts you connect — CPU, memory and swap, disk usage and I/O, top processes, and per-interface network throughput — along with connection and session metadata. The agent does not read application data or file contents unless you explicitly grant access through a policy.
Session recordings
When session recording is enabled, SSH and command sessions are captured and stored as replayable recordings, tied to the user, host and RBAC policy that authorized them.
Usage & device data
We collect standard log data such as IP address, browser type, pages visited and timestamps to operate and secure the Services.
2. How we use information
- To provide, maintain and improve the Services;
- To authenticate users and enforce RBAC policies;
- To provide audit, session replay and observability features;
- To communicate with you about your account, security and product updates;
- To detect, prevent and respond to fraud, abuse and security incidents;
- To comply with legal obligations.
3. Legal bases for processing
Where the GDPR applies, we process personal data on the bases of performance of a contract, our legitimate interests in operating and securing the Services, your consent (where requested), and compliance with legal obligations.
4. Sharing & sub-processors
We do not sell personal data. We share data with vetted sub-processors that help us operate the Services (for example, cloud hosting and email delivery), each bound by data protection obligations. A current list is available on our Subprocessors page.
5. Data retention
We retain account data for as long as your account is active. Metrics, session recordings and audit logs are retained according to your plan's retention settings (for example, 7 days on Starter and up to 90 days on Team), unless a longer period is configured or required by law. Self-hosted deployments retain data within your own infrastructure.
6. Security
We use encryption in transit (TLS), least-privilege access controls, and operational safeguards designed around Zero Trust principles. See our Security page for more detail.
7. Your rights
Depending on your location, you may have the right to access, correct, delete or port your personal data, to object to or restrict certain processing, and to withdraw consent. Under the CCPA, California residents may request access to and deletion of personal information and may opt out of any "sale" of personal information (we do not sell personal information). To exercise these rights, contact us at privacy@subnomic.com.
8. International transfers
Where data is transferred across borders, we rely on appropriate safeguards such as Standard Contractual Clauses.
9. Children's privacy
The Services are not directed to individuals under 16, and we do not knowingly collect personal data from children.
10. Changes to this policy
We may update this policy from time to time. We will notify you of material changes through the Services or by email, and the "Last updated" date above will be revised.
11. Contact
Questions about this policy? Email privacy@subnomic.com or see our Imprint for our legal entity details.