
Privacy Policy

Effective date: April 15, 2026
Last updated: April 15, 2026

Note: This document is under legal review. Contact privacy@sigmashake.com for questions or to exercise your data rights.

This Privacy Policy explains how SigmaShake ("SigmaShake," "we," "us") collects, uses, and protects information about you when you use the SigmaShake CLI (ssg), the Rules Hub, the SigmaShake API, the dashboard, and our web properties (collectively, the "Services").


1. Who We Are

Data controller: SigmaShake
Contact: privacy@sigmashake.com
Address: [TBD — legal to confirm]

For EU/UK data subjects, SigmaShake is the controller of your personal data. An EU/UK representative will be designated prior to broader EEA/UK marketing; contact privacy@sigmashake.com to request representative details.


2. Information We Collect

2.1 Account Information

When you register or authenticate, we collect:

  • Email address
  • GitHub user ID and username (if you use GitHub OAuth)
  • Organization name and member list (Pro/Enterprise accounts)
  • Password hash (if email/password registration is used)

2.2 Billing Information

Payments are processed by Stripe, Inc. We never see or store full payment card numbers. We receive and store:

  • Billing email address
  • Plan tier and subscription status
  • Payment event records (invoices, renewals, cancellations)
  • Business name and address (Enterprise, for invoice purposes)

2.3 Product Telemetry

When you use the SigmaShake evaluation engine (CLI, API, or MCP server), we may process:

Category | Examples | Purpose
Agent tool-call metadata | Tool name, command fragments, timestamps | Rule evaluation, audit log
User identifiers | GitHub user ID, email (Pro/Enterprise only) | Authentication, plan enforcement
Rule evaluation results | Decision (allow/block/ask), matched rule ID | Dashboard display, audit export
Usage metrics | Evaluation count, latency | Quota enforcement, billing

We do not process: full file contents read or written by the agent; source code in its entirety; credentials or secrets (our rules are designed to block their transmission).

Starter plan: Evaluation telemetry is processed locally; no event data is stored in SigmaShake cloud infrastructure.

2.4 Web Analytics (First-Party)

Our web properties use first-party cookies and a self-hosted analytics service (analytics.sigmashake.com). We collect page views, anonymous session identifiers, and product funnel events. We do not use third-party advertising cookies or cross-site tracking. See our Cookie Policy for full details.

2.5 Support and Communications

If you contact us by email or through a support channel, we retain the content of that communication and your contact details for the purpose of responding and improving our services.


3. How We Use Your Information

We use the information we collect to:

  • Provide and operate the Services — authenticate you, evaluate rules, serve the dashboard, enforce plan quotas.
  • Billing and account management — process payments, send invoices, manage subscriptions.
  • Security and abuse prevention — detect and investigate misuse per our Acceptable Use Policy.
  • Legal compliance — respond to lawful requests, enforce our Terms of Use, fulfill retention obligations.
  • Product improvement — analyze aggregated, anonymized usage patterns to improve the rule engine and developer experience.

We do not use your data for advertising or sell it to third parties, and we do not use it to train AI models without your explicit consent.


4. Legal Bases for Processing

For users in the European Economic Area, United Kingdom, or Switzerland:

Processing activity | Legal basis (GDPR Art. 6)
Account creation and authentication | Performance of contract (Art. 6(1)(b))
Rule evaluation and audit log | Performance of contract (Art. 6(1)(b))
Billing | Performance of contract (Art. 6(1)(b))
Security and fraud prevention | Legitimate interest (Art. 6(1)(f))
Product analytics | Legitimate interest (Art. 6(1)(f))
Legal obligations (tax records) | Legal obligation (Art. 6(1)(c))

You may object to processing based on legitimate interest at any time by contacting privacy@sigmashake.com.


5. Sharing Your Information

We share your data only as follows:

  • Sub-processors — third parties we engage to operate the Services (see Section 5.1).
  • Legal requirements — if required by law, court order, or regulatory authority.
  • Business transfers — in connection with a merger, acquisition, or sale of assets, subject to confidentiality obligations and notification to affected users.
  • With your consent — in any other case, only with your explicit permission.

We do not sell your personal data. SigmaShake is not a "data broker" under CCPA or any comparable law.

5.1 Sub-processors

Sub-processor | Purpose | Location
Cloudflare, Inc. | Infrastructure, CDN, KV/D1 storage | USA (SCCs apply for EEA data)
Stripe, Inc. | Payment processing | USA (SCCs apply for EEA data)

We will publish updates to this list at least 30 days before adding new sub-processors. Pro and Enterprise customers are also notified per the DPA.


6. International Data Transfers

SigmaShake is operated from the United States. If you access the Services from outside the US, your data may be transferred to and processed in the US. For EEA and UK users, we rely on the EU Standard Contractual Clauses (SCCs) as the lawful transfer mechanism for data processed by our US-based sub-processors. Copies of applicable SCCs are available upon request at privacy@sigmashake.com.


7. Data Retention

Data type | Retention period
Audit log events (Starter) | Not stored in cloud
Audit log events (Pro) | Retained during active subscription
Audit log events (Enterprise) | Extended retention during active subscription
Billing records | 7 years (legal requirement)
Account data | Until account deletion, then deleted within 30 days

When you delete your account, we delete your personal data from all active systems within 30 days, except billing records retained as required by law. This retention schedule is also reflected in our DPA (Section 10).


8. Your Privacy Rights

8.1 GDPR Rights (EEA / UK / Switzerland)

If you are located in the EEA, UK, or Switzerland, you have the right to:

  • Access — obtain a copy of your personal data.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — request deletion of your data (subject to legal retention obligations).
  • Portability — receive your data in a machine-readable format.
  • Restriction — limit how we process your data in certain circumstances.
  • Objection — object to processing based on legitimate interest.
  • Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.

You also have the right to lodge a complaint with your local supervisory authority.

8.2 CCPA Rights (California Residents)

If you are a California resident, you have the right to:

  • Know — request disclosure of the categories and specific pieces of personal information we collect, use, disclose, and sell (we do not sell).
  • Delete — request deletion of your personal information, subject to exceptions.
  • Opt out of sale — we do not sell personal information; this right is not applicable.
  • Non-discrimination — we will not discriminate against you for exercising your CCPA rights.

8.3 How to Exercise Your Rights

Email privacy@sigmashake.com with your request. We will respond within 30 days. We may ask you to verify your identity before processing the request.


9. Children's Privacy

The Services are not directed to children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a minor has provided us with personal data, contact privacy@sigmashake.com and we will delete it promptly.


10. Security

We implement technical and organizational measures to protect your data, including TLS 1.3 in transit, AES-256 encryption at rest, role-based access controls, and documented breach response procedures. See our Security Policy and DPA (Section 6) for details. In the event of a breach affecting your personal data, we will notify you within 72 hours of becoming aware of it. This matches the 72-hour window GDPR Art. 33 sets for notifying the supervisory authority and satisfies the "without undue delay" standard of Art. 34 for communicating with affected individuals, as well as our DPA obligations.


11. Cookies

We use first-party cookies only — no advertising or cross-site tracking cookies. See our Cookie Policy for the full list of cookies and how to control them.


12. Changes to This Policy

We may update this Privacy Policy to reflect product changes or legal requirements. We will notify you of material changes at least 14 days in advance via in-product notice or email. The "Last updated" date at the top of this page will always reflect the most recent version. Continued use of the Services after the effective date of changes constitutes acceptance.


13. Contact

Privacy questions and data subject rights requests: privacy@sigmashake.com
Security incidents: security@sigmashake.com
Enterprise DPA inquiries: sales@sigmashake.com