Effective date: 2026-05-09
This Privacy Policy explains how Omprakash Kumar, sole proprietor trading as "Saneops" ("we", "us", "our", "Saneops") collects, uses, discloses, and protects information about visitors and customers of the Saneops website (saneops.in), hosted application (app.saneops.in), and self-hosted Docker distributions (collectively, the "Services").
This policy is designed to comply with:
- EU GDPR and UK GDPR / Data Protection Act 2018
- India's Digital Personal Data Protection Act 2023 (DPDP Act)
- California CCPA / CPRA
- Brazil's LGPD, Singapore PDPA, Australia Privacy Act, and Canada PIPEDA where applicable
If you have questions, contact privacy@saneops.in.
1. Who we are
Data controller / Data Fiduciary for our website and hosted service (app.saneops.in): Omprakash Kumar, sole proprietor trading as "Saneops", Daiguutu, Mango, Jamshedpur, Jharkhand 831012, India. Contact: privacy@saneops.in.
Grievance Officer (DPDP Act, s. 8(10) / s. 10(2)(g)): Omprakash Kumar — privacy@saneops.in. We acknowledge data principal grievances within 7 days and respond on the merits within 30 days.
For self-hosted deployments, the customer is the controller of any personal data their Saneops instance processes; we act as the processor under our Data Processing Addendum (see DPA). For the hosted service at app.saneops.in, the customer is the controller of alert / incident data their tenant ingests; Saneops is the processor of that data and the controller of account-level metadata (email, name, billing info).
2. What we collect
a) Information you give us
- Account data: name, work email, company name, role.
- Authentication data: bcrypt-hashed password (we never store plaintext) OR your OIDC identity-provider's subject identifier.
- Billing data: company name, billing address, tax ID. Card numbers are handled by Stripe — we never see them.
- Support communications: emails, chat messages you send us.
b) Information collected automatically (hosted service)
- Operational telemetry: HTTP request paths (no body), status codes, response times. Used for capacity planning and error tracking.
- Audit log: every admin-level action (rule create, workflow delete) with actor email and timestamp. Retained 1 year.
- Cookies: a signed session cookie (`session`) and a CSRF cookie (`as_csrf`). No third-party tracking cookies, no analytics cookies.
- License beacon (self-host only): the self-hosted Docker image periodically posts to `license.saneops.in/beacon` a payload containing the installation ID, software version, license `sub` claim, and aggregate counters (total alerts ingested per interval). It does NOT include alert payload contents, labels, annotations, hostnames, or end-user PII. You can disable this by setting `LICENSE_PHONE_HOME_DISABLE=true` in the container's environment.
c) Information our customers feed in
When you ingest alerts via webhook, the alert payload may include:
- Alertname, severity, labels (which CAN include free-form text like service names, hostnames)
- Annotations (descriptions, runbook URLs, etc.)
- Timestamps
This data is YOURS. We process it on your behalf (see DPA). We do not look at, share, or sell its content.
3. What we DON'T collect
- We do not use third-party advertising trackers.
- We do not sell or share customer data with brokers or AI training providers.
- We do not send your alert content to any LLM unless you have explicitly configured one. When you configure a BYOK LLM provider (Anthropic, OpenAI, Google, Grok, DeepSeek, Ollama, or an OpenAI-compatible endpoint), the alert payloads necessary to generate an RCA are transmitted to that provider under your contract with them — Saneops does not interpose its own LLM contract between you and them.
- We do not perform behavioral profiling of users.
4. Why we collect (lawful basis)
| Purpose | Lawful basis (GDPR Art. 6) |
|---|---|
| Provide the Services | Contractual necessity (b) |
| Bill paid plans | Contractual necessity (b) |
| Send service / security notifications | Legitimate interest (f) |
| Send marketing communications | Consent — opt-in only (a) |
| Detect abuse, fraud, security incidents | Legitimate interest (f) |
| Comply with tax / legal obligations | Legal obligation (c) |
5. Who we share with
We use the following sub-processors. Each is bound by a written DPA with terms at least as protective as this one:
| Sub-processor | What they do | Where data is processed |
|---|---|---|
| Render Services, Inc. | Application + Postgres hosting for app.saneops.in | Singapore (ap-southeast-1) |
| Vercel Inc. | Marketing site hosting (saneops.in) — static pages only | Global edge network (US-headquartered) |
| Stripe, Inc. | Payment processing (paid plans, Q3+) | US (with EU / India local processing where supported) |
| Resend (Resend, Inc.) | Transactional email (password reset, signup) | US |
| ImprovMX | Inbound email forwarding for support@saneops.in | France / EU |
| GitHub, Inc. | Source code hosting + issue tracking (no customer data) | US |
| Anthropic / OpenAI / Google / xAI / DeepSeek / your chosen LLM provider | RCA generation — only when you configure your own API key (BYOK). Saneops sends the alert / incident payload to the provider you select; we do not maintain the relationship. | per the provider's terms (typically US) |
A live sub-processor list is maintained at saneops.in/subprocessors. We do not share personal data with anyone else without your explicit consent, except as required by law.
6. Where we store
The hosted service (app.saneops.in) currently operates from a single Render region in Singapore (ap-southeast-1). All tenant data — account records, alerts, incidents, audit logs — is stored on Render's managed Postgres in that region. We do not currently offer regional data residency; if you require EU or US residency, please contact us before signing up so we can plan a regional deployment.
Self-hosted customers process data wherever they choose to deploy.
7. How long we keep it
| Category | Retention |
|---|---|
| Account data | While your account is active + 90 days post-cancellation |
| Audit logs | 1 year |
| Operational telemetry | 90 days |
| Customer alert/incident data (hosted) | Per your subscription tier (90 days–1 year by default) |
| Billing records | 7 years (legal/tax obligation) |
| Support emails | 3 years |
After retention, data is permanently deleted within 30 days unless you've requested a different schedule via DPA.
8. Your rights
Under GDPR, DPDP, CCPA, and LGPD you can:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your data (with limited exceptions for legal obligations)
- Restrict or object to certain processing
- Port your data in machine-readable format
- Withdraw consent at any time
- Lodge a complaint with your supervisory authority
To exercise these rights, email privacy@saneops.in. We respond within 30 days (GDPR / DPDP) or 45 days (CCPA). EU/UK residents have the right to lodge a complaint with their data-protection supervisory authority; Indian residents may also approach the Data Protection Board of India under the DPDP Act if their grievance is not resolved.
California residents (CCPA/CPRA): we do not sell or share personal information for cross-context behavioural advertising; we have not done so in the prior 12 months. You may exercise your right to know, delete, correct, and opt-out by emailing privacy@saneops.in. Authorised agents may submit requests with verifiable written authorisation.
9. Security
See our /security page. Highlights:
- bcrypt password hashing
- AES-128-CBC + HMAC-SHA256 (Fernet) encryption for secrets at rest
- TLS 1.2+ in transit (when you put a TLS terminator in front)
- CSRF, rate limiting, security headers (CSP, HSTS, etc.)
- Tenant isolation at every database query
- 5-attempt login lockout
- Audit log of all admin actions
In the unlikely event of a breach affecting personal data, we will notify affected customers within 72 hours of becoming aware (GDPR Art. 33) and the relevant supervisory authority as required.
10. Children
Saneops is a B2B operations tool and is not intended for any individual under 18. We do not knowingly collect data from children under the age applicable in your jurisdiction (16 in the EU/UK, 18 in India under DPDP, 13 in the US under COPPA). If you believe we have, contact privacy@saneops.in and we will delete it immediately.
11. Cookies
We set a minimum of two cookies:
| Name | Purpose | Lifetime |
|---|---|---|
| `session` | Authenticate logged-in users | 12 hours |
| `as_csrf` | CSRF protection | 12 hours |
Both are first-party, HTTP-only (session) and SameSite=Lax. We do not use Google Analytics or other third-party trackers by default.
12. International transfers
Because the hosted service operates from Singapore today, EU/UK and Indian customer data may be transferred outside its region of origin when you sign up. We rely on:
- EU Standard Contractual Clauses (Module 2 — controller to processor — 2021/914) and UK International Data Transfer Addendum (IDTA) for transfers from the EEA / UK. Where a sub-processor is in a country with an EU adequacy decision (e.g. UK), no SCCs are needed for that leg.
- Singapore PDPA contractual clauses or equivalent contractual safeguards for Singapore-resident data subjects.
- DPDP Act (India): India does not currently maintain a notified blocked-country list under s. 16, so cross-border transfer is permitted subject to the contractual obligations above. We will update this policy if Indian government rules change.
- For transfers under CCPA, our sub-processors are bound by service-provider contractual restrictions on use of personal information.
The EU SCCs and UK IDTA are incorporated by reference into our DPA and are available on request at privacy@saneops.in.
13. Changes to this policy
We post the current policy at our website. Material changes are announced 30 days in advance via email to admins of paid plans.
14. Contact
| What | Where |
|---|---|
| Privacy / data subject requests | privacy@saneops.in |
| Grievance Officer (DPDP Act) | Omprakash Kumar — privacy@saneops.in |
| Security disclosures | security@saneops.in — see /security |
| Customer support | support@saneops.in |
| EU representative (Article 27 GDPR) | Not appointed in beta. We will appoint an EU representative before processing personal data of EU residents at scale or before our first paid EU customer. Until then, EU residents may contact privacy@saneops.in directly. |
| Legal entity | Omprakash Kumar (sole proprietor) trading as "Saneops", Daiguutu, Mango, Jamshedpur, Jharkhand 831012, India |