Privacy Policy
Effective: March 10, 2026 · Last updated: March 10, 2026
01. Introduction
Envpilot (“we,” “us,” or “our”) operates the Envpilot platform, including the web application, command-line interface (CLI), and Visual Studio Code extension (collectively, the “Service”). This Privacy Policy explains what personal data we collect, why we collect it, how we process and store it, and your rights regarding that data.
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, do not use the Service.
02. Data Controller
Envpilot is the data controller responsible for your personal data processed through the Service. For privacy-related inquiries, contact us at privacy@envpilot.dev.
03. Data We Collect
3.1 Account Data
When you create an account via our authentication provider (WorkOS AuthKit), we receive and store:
- Email address
- First and last name (if provided)
- Profile picture URL (if provided)
- Account creation and last-active timestamps
3.2 Organization and Team Data
When you create or join an organization, we store:
- Organization name, description, and logo
- Membership details (your role: admin, team lead, or member)
- Invitation records (invitee email, assigned role, status, expiration)
3.3 Project and Variable Metadata
For projects you create, we store the project name, description, environment labels (e.g., development, staging, production), variable key names, descriptions, sensitivity flags, and version history. Actual secret values are never stored in our primary database—see Section 5 for encrypted vault storage details.
3.4 Audit and Security Logs
Every action performed within the Service is logged. Audit log entries include:
- Action type and timestamp
- User who performed the action
- IP address and user-agent string
- Request and session identifiers
- Geographic location derived from IP (country/region only)
3.5 Billing Data
If you subscribe to a paid plan, our payment processor (Polar.sh) collects your payment method details. We store subscription identifiers, plan tier, billing period dates, and payment status. We do not store credit card numbers or bank account information on our servers.
3.6 Device and Token Data (CLI and Extension)
When you authenticate via the CLI or VS Code extension, we collect the device name and a device identifier. Access and refresh tokens are generated and stored on your local machine. We record token creation and last-used timestamps on our servers.
3.7 Feature Requests
If you submit a feature request through our wishlist, we store the request title, description, category, your email (if provided), and vote data.
04. How We Use Your Data
We process personal data for the following purposes:
- Service delivery: authenticate your identity, manage your account, deliver environment variable management, enforce role-based access controls.
- Security: detect unauthorized access, investigate incidents, maintain audit trails.
- Billing: process subscription payments, manage plan tiers, send payment-related communications.
- Communications: send team invitations and account-related notifications.
- Product improvement: analyze usage patterns in aggregate and respond to feature requests.
- Legal compliance: fulfill legal obligations, respond to lawful requests, enforce our Terms of Service.
05. Data Security
5.1 Secret Value Encryption
Environment variable values are stored exclusively in WorkOS Vault using end-to-end encryption. Each secret is encrypted with a unique data encryption key (DEK) derived from an organization-level key encryption key (KEK), providing cryptographic isolation between organizations. Our primary database stores only vault reference identifiers, never plaintext secret values.
5.2 Session Security
User sessions are managed through encrypted HTTP-only cookies. CLI and extension sessions use short-lived access tokens with refresh token rotation. All communication between clients and our servers occurs over TLS.
5.3 Infrastructure
Our backend infrastructure is hosted by Convex (database) and Vercel (application hosting). Both providers maintain SOC 2 compliance and encrypt data at rest and in transit. We regularly review our security posture and follow industry best practices.
06. Legal Bases for Processing (EEA/UK)
If you are in the European Economic Area or the United Kingdom, we process your personal data under the following legal bases (GDPR):
- Contract (Art. 6(1)(b)): processing necessary to provide the Service you signed up for, including account management, authentication, secret storage, and billing.
- Legitimate interests (Art. 6(1)(f)): security logging, fraud prevention, aggregate analytics for product improvement, and maintaining platform integrity.
- Legal obligation (Art. 6(1)(c)): where required to comply with applicable laws or lawful government requests.
- Consent (Art. 6(1)(a)): where applicable, such as optional communications. You may withdraw consent at any time.
07. Third-Party Processors
We share personal data with the following service providers, each bound by data processing agreements:
| Provider | Purpose | Data Shared |
|---|---|---|
| WorkOS | Auth, encrypted vault | Email, name, tokens, encrypted secrets |
| Convex | Real-time database | Account metadata, project data, audit logs |
| Polar.sh | Payment processing | Email, billing address, payment method |
| Resend | Transactional email | Recipient email, invitation details |
| Vercel | Application hosting | Server logs, IP addresses |
We do not sell your personal data to any third party. We do not use your data for advertising or profiling.
08. International Data Transfers
Your data may be transferred to and processed in the United States and other countries where our providers operate. For transfers from the EEA, UK, or Switzerland, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- The EU-U.S. Data Privacy Framework, where applicable
- Supplementary technical measures including end-to-end encryption
For Asia-Pacific jurisdictions (Japan, South Korea, Singapore, India), we comply with applicable cross-border transfer requirements, including obtaining necessary consent or relying on contractual safeguards as required by local law.
10. Data Retention
- Account data: retained for account duration. Deleted within 30 days of account deletion request.
- Audit logs: retained for 2 years from creation, then purged.
- Secret values: deleted from encrypted vault when you delete a variable or close your account.
- Billing records: retained as required by tax and financial regulations (typically 7 years).
- CLI/extension tokens: expire per configured lifetime. Revoked tokens purged within 30 days.
- Invitation records: expired/declined invitations retained 90 days, then deleted.
11. Your Rights
11.1 GDPR Rights (EEA/UK)
You have the right to:
- Access your personal data and obtain a copy
- Rectify inaccurate or incomplete data
- Erase your data (“right to be forgotten”)
- Restrict processing of your data
- Port your data in a structured, machine-readable format
- Object to processing based on legitimate interests
- Withdraw consent at any time
- Lodge a complaint with your local data protection authority
11.2 U.S. State Privacy Laws
If you reside in California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), or other U.S. states with comprehensive privacy laws, you have the right to:
- Know what personal information we collect and why
- Request deletion of your personal information
- Opt out of sale or sharing (we do not sell or share your data)
- Not be discriminated against for exercising your rights
- Correct inaccurate personal information
We do not sell personal information as defined by the CCPA. We do not use personal information for targeted advertising.
11.3 Asia-Pacific Privacy Laws
- Japan (APPI): You may request disclosure, correction, or deletion. We transfer data internationally using contractual safeguards.
- South Korea (PIPA): You may access, correct, suspend processing of, or delete your data. We notify you of cross-border transfers.
- Singapore (PDPA): You may access and correct your data. We obtain consent as required.
- India (DPDPA): You may access, correct, erase, and port your data. You may nominate another person to exercise rights on your behalf.
11.4 How to Exercise Your Rights
Contact us at privacy@envpilot.dev. We will respond within 30 days (or sooner where required). We may need to verify your identity before processing your request.
12. Children's Privacy
The Service is not directed at individuals under 16 years of age (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will promptly delete it.
13. Data Breach Notification
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Article 33). If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy with a revised date. For significant changes, we will provide additional notice (email or in-app banner). Continued use of the Service after changes take effect constitutes acceptance of the revised policy.
15. Contact
For questions, concerns, or requests related to this Privacy Policy or your personal data:
Envpilot Privacy Team
Email: privacy@envpilot.dev