Legal

Privacy Policy

Last updated: May 30, 2026

Bastionik is infrastructure software. We collect the minimum data necessary to operate the service. We do not sell your data, serve you ads, or share your information with third parties except as required to deliver the service.

Information We Collect
How We Use Your Information
When We Share Information
Security Measures
Data Retention
Your Rights
International Transfers
Contact

1. Information We Collect

Account information: Email address, username, and password (hashed) when you register.

Encrypted credentials: API tokens and authentication credentials you store in the vault. These are encrypted with Fernet (AES-128-CBC + HMAC-SHA256) before storage. We cannot read your stored credentials in plaintext.

Agent configuration data: Agent names, Ed25519 public keys, and access policies you define.

Usage and audit logs: Every agent action is logged with agent ID, timestamp, service accessed, action performed, IP address (approximate location), and outcome. This is a core product feature — not incidental tracking.

Billing information: Subscription plan and payment history. Payment card details are processed by Paddle and never touch our servers.

2. How We Use Your Information

To deliver the service — authenticating agents, enforcing policies, executing API calls on your behalf
To authenticate AI agents and verify cryptographic signatures on execution requests
To enforce access policies and maintain audit logs of agent actions
To monitor agent behavior and detect anomalous or potentially compromised activity
To respond to your support requests
To send you service updates and product announcements (you can unsubscribe at any time)
To comply with legal obligations

We share your information only with the following service providers, and only as necessary to deliver the service:

Microsoft Azure — cloud infrastructure hosting
Paddle — payment processing
Google (Gmail) — transactional email communications
Termly — legal document management

We do not sell your personal information. We do not share your information with advertisers. We do not use third-party tracking cookies or ad pixels.

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you in advance.

4. Security Measures

Bastionik is designed so that a compromised agent cannot exfiltrate credentials, even under attacker control:

All credentials encrypted at rest with Fernet (AES-128-CBC + HMAC-SHA256)
Encryption keys never stored in the database
Credentials decrypted in memory only at the moment of use, then immediately discarded
All agent requests verified via Ed25519 cryptographic signatures
Replay attacks mitigated via timestamp validation
All data transmitted over TLS 1.3
Immutable audit trail of every action

If we become aware of a security incident affecting your data, we will notify you and relevant authorities within 72 hours as required by applicable law.

5. Data Retention

Account data: Retained while your account is active, deleted within 12 months of account termination
Encrypted credentials: Deleted immediately upon your request or account termination
Audit logs: Retained for 12 months for security forensics and compliance purposes
Billing history: Retained for the life of the account plus 12 months for dispute resolution

6. Your Rights

Depending on your location, you may have the right to access, correct, or delete your personal information. To exercise these rights:

Log into your account settings to update or delete your account
Email hellobastionik@gmail.com with any data request

EU/UK users have rights under GDPR including data portability and the right to object to processing. California users have rights under CCPA. South African users have rights under POPIA.

We will respond to all data rights requests within 30 days.

7. International Transfers

Our servers are hosted on Microsoft Azure infrastructure in the United States. If you are accessing our Services from the EU, UK, or other regions, your data is transferred to and processed in the United States. This transfer is governed by Microsoft Azure's Standard Contractual Clauses.

8. Contact

For privacy-related questions or data requests:

Email: hellobastionik@gmail.com
Data Protection Officer: Available at the email above
Bastionik (Pty) Ltd, trading as Bastionik · Bloemfontein, Free State, South Africa

This Privacy Policy was last reviewed on May 30, 2026. We will notify you 30 days before any material changes take effect.