Privacy Policy

The data controller for personal data processed in connection with your Astrari account is:

In this Policy "we", "us" and "our" mean Incus Technologies Limited. "You" means the user of the Astrari service or, where you signed up on behalf of an organisation, that organisation.

This Policy describes how we handle personal data when you use the Astrari dashboard, install the Astrari agent on your servers, add websites to be monitored, or interact with us by email or through our website at astrari.io.

For most personal data processed via the Service we act as a data processor on behalf of you (the controller of that data). For data we collect about your relationship with us directly (your account email, billing records, support correspondence) we act as the controller. Where this Policy treats the two roles differently, we'll say so.

We process the following categories of data:

Account data (we are controller)

• Your email address (used as your login)
• A salted bcrypt hash of your password — we never store the password itself
• Your first and last name (optional)
• Organisation name and chosen plan
• Authentication metadata: session refresh-token hashes, IP address and user-agent of recent logins, last-login timestamp

Billing data (we are controller for the customer relationship; Stripe is processor for the payment itself)

• Your Stripe customer ID, current subscription tier, billing currency and renewal date
• The billing email address you provide to Stripe
• We do not store payment card numbers, card CVCs, or bank details. Those are held by Stripe under their PCI-compliant infrastructure.

Monitoring data — your assets (we are processor)

• Hostnames, IP addresses and OS information of monitored servers
• Installed package names and versions, listening ports, running process names
• SSH configuration excerpts, firewall configuration excerpts
• URLs of monitored websites and their HTTP/HTTPS responses (HTML samples, headers, certificate details)
• WordPress plugin and theme inventories, including version numbers

Findings and diagnostics (we are processor)

• Security findings produced by our scanners
• Forensic diagnostic snapshots when you request them — these may include log excerpts that contain IP addresses, user accounts and session identifiers
• WordPress database scan results when you request them — these may include excerpts of database content

Some of this content can contain personal data about your end-users. We process it solely to provide the Service to you. You are responsible for ensuring you have a lawful basis to share that data with us in the first place.

Alert recipients (we are processor)

• Names, email addresses and (optionally) phone numbers of any alert contacts you configure
• Webhook URLs and shared secrets for any Slack / Teams / PagerDuty / generic webhook integrations you configure

Support correspondence (we are controller)

• Support tickets and any email correspondence you send to us
• The reply-to email address you provide on each ticket

Audit and operational logs (we are controller)

• Authentication events (login success/failure, password resets, refresh-token rotations) — kept for security investigations
• API access logs (request method, path, IP, user agent, response status) — kept for ~30 days unless required for an investigation

We process personal data on the following lawful bases:

• Performance of a contract with you — to provide the Service you have signed up for, including running scans, producing findings, dispatching alerts and processing payment.
• Legitimate interest — to keep the Service secure (rate limiting, abuse detection, audit logging), to respond to support requests, and to send transactional service emails (welcome, alerts, downgrade notifications) that are necessary to operate your account.
• Legal obligation — to retain certain records to comply with tax law and to respond to lawful requests from authorities.
• Consent — where applicable, for example if we send you optional marketing communications. You can withdraw consent at any time.

We use a small number of trusted third-party services to run Astrari. We do not sell your data. We do not share your data for advertising. The processors we use are:

We may share data with law-enforcement or regulators where we are legally required to do so. We don't share data with anyone for advertising or third-party marketing.

Our infrastructure is located in the United Kingdom. Some of our sub-processors (notably Stripe and Resend) operate from the United States. Where personal data is transferred outside the UK, we rely on appropriate safeguards as required by UK GDPR — typically the International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or an applicable adequacy decision.

We retain personal data only as long as necessary for the purpose for which it was collected:

• Account data — for as long as your account is active, plus a short window after closure to handle billing reconciliation and support follow-up (typically 90 days).
• Findings, scan history and diagnostics — for the data-retention period associated with your subscription plan (Starter 7 days, Basic 30 days, Professional 90 days, Agency 1 year), after which they are deleted on a rolling basis.
• Billing records — for at least 6 years from the end of the relevant accounting period, in line with UK statutory requirements.
• Authentication and audit logs — typically 12 months, extended only if required to investigate a security incident.
• API access logs — approximately 30 days unless retained for an active investigation.
• Support correspondence — typically 2 years.

If you close your account, we will delete or anonymise your personal data on the schedule above. Statutory retention periods may require us to keep certain records longer (for example, tax records).

We take security seriously, both because we are a security-monitoring product and because UK GDPR requires us to. In particular:

• Passwords are stored as salted bcrypt hashes (cost factor 12). We never see your password.
• Refresh tokens, agent tokens and API keys are stored only as SHA-256 hashes. The raw values are shown to you once at creation and never again.
• WordPress credentials you provide for authenticated scans are encrypted at rest with AES-256-GCM using a key separate from our JWT signing secret.
• All connections between agents, dashboards and the API are encrypted in transit (HTTPS / TLS).
• Agent updates are cryptographically signed (Ed25519). The agent verifies the signature before applying any update.
• Access to production systems is restricted to authorised staff and audited.

No system is perfectly secure. If we become aware of a personal-data breach we will, where required, notify you and the ICO without undue delay and within statutory timeframes.

Strictly necessary (no consent required): The Astrari dashboard uses session and refresh-token cookies for authentication. These are essential to provide the Service you signed up for. The marketing site may set a small localStorage entry to remember your pricing-currency preference — local to your browser, not shared.

Analytics (consent required): Our marketing pages can load Google Analytics 4 (measurement ID G-LN4TQGQKTL) to count visits and understand how the site is used. We use IP anonymisation and disable advertising features. GA4 only stores cookies and processes your data after you click "Accept analytics" in the banner that appears on your first visit. Refusing the banner blocks all GA storage but allows a single cookie-less measurement ping per page (Google's "Consent Mode v2"), which we use only to estimate aggregate traffic.

You can change your mind at any time:

This will clear your stored choice and re-show the banner on next page load.

What we don't do: No advertising cookies, no third-party retargeting pixels, no cross-site profiling. The dashboard itself (logged-in app pages under /dashboard, /sites, /servers, etc.) does not load Google Analytics — only the public marketing pages do.

You have the following rights in relation to your personal data:

• Access — request a copy of the personal data we hold about you.
• Rectification — ask us to correct inaccurate or incomplete data.
• Erasure ("right to be forgotten") — ask us to delete your data, subject to retention obligations (e.g. tax records).
• Restriction — ask us to limit processing in certain circumstances.
• Portability — receive a copy of your data in a structured, machine-readable format.
• Objection — object to processing carried out on the basis of legitimate interest.
• Withdraw consent — where we rely on consent, you can withdraw it at any time.
• Not be subject to solely-automated decisions with legal or similarly significant effects. We do not currently make any such automated decisions about you.

To exercise any of these rights, email [email protected]. We will respond within one calendar month. We may need to verify your identity before complying with a request.

If you have a concern about how we are handling your personal data and you have not been able to resolve it with us, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

If you add to Astrari any data that contains personal information about your end-users (for example, log excerpts that include user account names, IP addresses, or session identifiers), you are the data controller for that information. Astrari processes it on your behalf as a data processor, in accordance with our Terms and this Policy.

A separate Data Processing Addendum (DPA) is available on request if your own GDPR obligations require one. Email [email protected] and we'll send it across.

Astrari is not directed at children. We do not knowingly collect personal data from anyone under the age of 18. If you believe we have inadvertently collected such data, please contact us and we will delete it.

We may update this Policy from time to time. The version and last-updated date appear at the top of this page. Material changes will be communicated by email or through the dashboard at least 30 days before they take effect.

For any questions about this Policy or your personal data, contact us at [email protected].