legal

Privacy Policy

Last updated: 2026-06-03 · Placeholder content — not legal advice.

Lorem ipsum dolor sit amet, consectetur adipiscing elit. This is a placeholder Privacy Policy describing how csplog.io collects, uses, and protects personal data. Final wording will be reviewed by counsel before launch.

1. Information We Collect

We collect information you provide directly when you create an account, configure a project, or contact support. This includes your email address, project domain names, and billing details handled by our payment processor.

We also automatically collect data from your CSP violation reports — including the originating page URL, blocked URI, directive that triggered the violation, and metadata about the requesting browser. These records are stored against your project for the duration of your retention window.

1.1 Cookies and similar technologies

We use essential cookies for authentication, session management, and remembering your cookie-consent choice. With your consent we also set Google Analytics 4 cookies (_ga, _ga_*) to measure aggregate visitor traffic. We do not use third-party advertising or cross-site marketing cookies. You can change your choice at any time via the cookie_settings link in the footer.

2. How We Use Information

  • To operate the csplog.io service and deliver the features you've signed up for.
  • To generate Content Security Policy suggestions tailored to your real traffic.
  • To send transactional email related to billing, account, and security events.
  • To investigate and prevent fraud, abuse, or violations of our terms.
  • To improve our filtering rules and product based on aggregated, de-identified telemetry.

3. Data Sharing

We don't sell personal information. We share data with a small set of subprocessors strictly necessary to run the service:

  • Supabase — managed Postgres hosting (EU region).
  • Paddle — Merchant of Record for billing, tax, and payment processing.
  • Resend — transactional email delivery.
  • Anthropic — LLM inference for policy generation. We don't send personally identifying violation context.
  • Google — Google Analytics 4 for aggregate site analytics. Loaded only if you accept analytics cookies; IP addresses are anonymised.

4. Data Retention

Raw violation events are retained for the window specified by your plan tier (30 days on Starter, 90 days on Professional). Aggregated counts and generated policies are retained for the lifetime of your account. Account-level data is deleted within 30 days of account closure unless we are legally required to retain it.

5. Your Rights

If you are in the EU, UK, or another jurisdiction that grants similar rights, you may request access to, correction of, or deletion of your personal data. Lorem ipsum — placeholder describing the request channel and response time.

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to data portability
  • Right to object to processing

6. International Transfers

Personal data is processed primarily in the European Union. Where data is transferred to subprocessors outside the EU, we rely on Standard Contractual Clauses or other recognized transfer mechanisms.

7. Children's Privacy

csplog.io is not directed at children under 16 and we do not knowingly collect personal data from minors.

8. Changes to This Policy

We may update this policy from time to time. Material changes will be announced via email to the address on file at least 14 days before they take effect.

9. Contact Us

Questions about this policy or your data? Email [email protected].