Privacy, plainly.
What we collect, why we collect it, where it lives, and how to get it removed. Effective 2026-07-03. Questions: [email protected].
The website
The marketing site has no accounts and sets no advertising trackers. If you use the contact form, we receive the fields you type — name, work email, company size — delivered to our inbox via Web3Forms. Cloudflare fronts the site for DNS and network protection.
The console
- Your GitHub identity at sign-in: username, account ID, display name, avatar, and your GitHub-verified email addresses. We never see or store a password.
- Organization access metadata from scans you run: member lists, two-factor status, outside collaborators, and installed-app grants — read through a least-privilege, read-only GitHub App. Never repository contents, never code.
- The review record you create: decisions, justifications, and objections, each with reviewer name and timestamp — that's the product.
- One cookie: an encrypted session cookie (ab_session, 8 hours). No analytics or advertising cookies.
Only to run the service
Identity data authenticates you and enforces default-deny tenancy — you only reach a tenant you're provisioned for. Scan data exists to produce your access-review evidence. Billing data exists to charge your subscription. We don't sell data, share it for advertising, or use it to train models.
Stripe holds the card, not us
Payments are processed by Stripe. Card numbers never touch Atomburst systems; we store your subscription status and a Stripe customer reference.
Subprocessors
Railway (hosting and managed Postgres, encrypted at rest) · Cloudflare (DNS and network edge) · GitHub (sign-in identity and read-only organization access) · Stripe (payments) · Web3Forms (contact-form delivery). Traffic is encrypted in transit everywhere.
Kept as your evidence, until you say otherwise
Reviews are your access-review evidence of record, so they're kept until you delete them: deleting a tenant removes its reviews, findings, objections, and org connections. Sessions expire after 8 hours. Contact-form messages are kept as ordinary correspondence. Uninstalling the Atomburst GitHub App from your org cuts our read access immediately.
Ask, and it happens
Want a copy of your data, a correction, or deletion? Email [email protected] from the address on the account. We honor data-subject requests in the spirit of GDPR regardless of where you are.
This page is the record
If our practices change, this page changes first, with a new effective date. Material changes to console data handling are announced to affected tenants.