CutoverStream is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights regarding your personal information.
1. Information We Collect
We collect the following categories of information:
| Category | Examples | Source |
|---|---|---|
| Account Data | Name, email, username, password (hashed) | You provide at registration |
| Profile Data | Job title, team, phone, timezone, avatar | You provide optionally |
| Plan & Project Data | Cutover plans, tasks, issues, comments, audit logs | You create within the Service |
| Billing Data | Subscription tier, billing history (card details handled by Stripe) | You provide at checkout |
| Usage Data | Pages visited, features used, API calls, session duration | Automatically collected |
| Technical Data | IP address, browser type, device type, error logs | Automatically collected |
We do not collect sensitive personal data such as health information, racial or ethnic origin, or financial account numbers.
2. How We Use Your Information
We use your information to:
- Provide, operate, and improve the Service
- Process payments and manage subscriptions
- Send transactional emails (account creation, invitations, password reset, trial expiry)
- Send product updates and announcements (you may opt out at any time)
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations
- Generate anonymized, aggregated analytics to improve the platform
We do not sell your personal data to third parties. We do not use your Customer Data to train AI models without your explicit consent.
3. Information Sharing & Sub-processors
We share your data only with trusted service providers who help us operate the platform ("sub-processors"):
| Provider | Purpose | Location |
|---|---|---|
| Cloudflare | Infrastructure, CDN, database (D1), storage (R2), edge compute | Global |
| Clerk | User authentication and identity management | United States |
| Stripe | Payment processing and subscription billing | United States |
| Resend | Transactional email delivery | United States |
| Sentry | Error monitoring and performance tracking | United States |
| Anthropic | AI narrative generation (optional feature) | United States |
Each sub-processor is bound by data processing agreements and required to protect your data in accordance with applicable law.
We may also disclose your information when required by law, court order, or to protect the rights and safety of CutoverStream, our users, or the public.
4. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. Specifically:
- Account data: Retained until account deletion, then deleted within 30 days
- Project data: Retained for 30 days after account termination, then permanently deleted
- Billing records: Retained for 7 years as required by tax law
- Audit logs: Retained for 2 years for security and compliance purposes
- Error logs: Retained for 90 days in Sentry
You may request early deletion of your data by contacting privacy@cutoverstream.com.
5. Security
We implement industry-standard security measures to protect your data, including:
- All data encrypted in transit over HTTPS/TLS
- Passwords hashed using bcrypt with work factor tuning (via Clerk)
- Session tokens are cryptographically signed JWTs (RS256)
- Multi-factor authentication available for all accounts
- Data stored in Cloudflare's SOC 2 Type II certified infrastructure
- Regular security monitoring via Sentry error tracking
No security system is impenetrable. In the event of a data breach that affects your personal data, we will notify you within 72 hours as required by GDPR Article 33.
6. Your Rights (GDPR & CCPA)
Depending on your location, you may have the following rights regarding your personal data:
| Right | Description |
|---|---|
| Access | Request a copy of your personal data |
| Rectification | Correct inaccurate or incomplete data |
| Erasure | Request deletion of your personal data ("right to be forgotten") |
| Portability | Receive your data in a machine-readable format |
| Restriction | Restrict processing of your data in certain circumstances |
| Objection | Object to processing based on legitimate interests |
| Opt-out (CCPA) | California residents may opt out of the sale of personal information (we do not sell data) |
To exercise any of these rights, contact privacy@cutoverstream.com. We will respond within 30 days.
7. Cookies
CutoverStream uses essential cookies and session tokens necessary to operate the Service. We do not use advertising or tracking cookies. Specifically:
- Session tokens: Used to maintain your authenticated session (stored in sessionStorage, expires on browser close)
- Preference cookies: Used to remember your theme and UI preferences (stored in localStorage)
You may clear cookies and local storage at any time through your browser settings. This will require you to sign in again.
8. International Data Transfers
CutoverStream is based in the United States. If you access the Service from the European Economic Area (EEA), United Kingdom, or other regions with data protection laws, your data may be transferred to and processed in the United States.
For EEA users, we rely on Standard Contractual Clauses (SCCs) as the legal basis for data transfers. Enterprise customers may request our Data Processing Agreement (DPA) at cutoverstream.com/dpa.
9. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child under 16 has provided personal data, we will delete it promptly.
10. Contact & Data Protection Officer
For privacy questions, data subject requests, or to reach our Data Protection Officer:
- Email: privacy@cutoverstream.com
- Address: Cutoverstream LLC, Chapel Hill, NC, United States
If you are in the EU and believe we have not addressed your privacy concern adequately, you have the right to lodge a complaint with your local data protection authority.