Legal
Privacy Policy
Effective: May 16, 2026
1. Information We Collect
OSS Toolchain: The local CLI, GitHub Action, and MCP tools do not transmit any data to readtheplan servers. We collect nothing.
Managed Platform: When you create an account, we collect:
- Email address and full name (registration).
- Organization and project names (workspace setup).
- Policy configurations and compliance framework selections.
- Signed evidence summaries (not raw Terraform plans).
Website: We use Plausible Analytics, a privacy-first, cookie-less analytics service, and Cloudflare CDN for Three.js. No personal data is collected through these services. We do not use cookies, tracking pixels, or behavioral advertising scripts.
2. How We Use Information
We use collected information to:
- Provide and maintain the Managed and Enterprise Service.
- Authenticate users and enforce access controls.
- Generate compliance reports and evidence timelines.
- Communicate service updates, billing, and support.
3. Data Storage and Retention
The managed SaaS backend is currently offline, and readtheplan.dev is serving a static frontend with API stubs. If and when managed accounts return, this policy will be updated with the active storage backend and retention schedule before data collection resumes.
4. Data Sharing
We do not sell, rent, or share your data with third parties except:
- As required by law or legal process.
- With your explicit consent.
- To protect the security or integrity of the Service.
5. Security
We implement industry-standard security measures: bcrypt password hashing (12 rounds), JWT with token revocation, HttpOnly/Secure cookies, rate limiting, CORS restrictions, Content-Security-Policy headers, and encrypted connections (TLS 1.3).
6. Your Rights
You may:
- Access and update your account information.
- Export your organization's evidence and policy data.
- Request deletion of your account and associated data.
To exercise these rights, contact [email protected].
7. Children's Privacy
The Service is not intended for individuals under 16. We do not knowingly collect information from children.
8. Changes to This Policy
We may update this Privacy Policy. Material changes will be communicated to registered users via email.