Privacy Policy

Last updated: 2026-05-26 · Effective date: 2026-05-26

Heads-up: This is a starter template — review with legal counsel before relying on it for enforceability.

Linux Identity (“we”, “us”, “our”) operates linuxidentity.com and the Linux Identity service (the “Service”). This Privacy Policy describes what data we collect, how we use it, and the choices you have. By using the Service you consent to the practices described here.

1. Data We Collect

  1. Account information. Email address, name, organization name, and authentication identifiers received from your identity provider (Google Workspace, Microsoft 365, or WorkOS-hosted SSO).
  2. Usage telemetry. Server logs (IP address, user agent, request paths, timestamps, response codes) generated as you use the Service. Used for operations, debugging, and security.
  3. Audit log content. Records of fleet events (enrollments, certificate issuance, policy decisions, host sessions) generated by your Linux Identity agents. This data is owned by you and processed on your behalf.
  4. Billing information. For paid plans, billing address and the last four digits / brand of your payment method. Full card numbers are handled by Stripe — we do not store them.
  5. Support correspondence. Emails and messages you send us, retained so we can respond and improve the Service.

2. How We Use Data

  1. Operate the Service. Provision tenants, authenticate users, enforce policy, generate certificates, and store your audit logs.
  2. Security and abuse detection. Detect, prevent, and respond to fraud, abuse, and security incidents.
  3. Communication. Service announcements, security notices, billing receipts, and (with your consent) product updates.
  4. Legal compliance. Meet obligations under applicable law and respond to lawful requests.

We do not sell personal data and we do not use Customer Data to train machine-learning models.

3. Legal Bases (GDPR)

For users in the EU/UK we process personal data under one or more of the following bases:

  1. Contract. Processing necessary to provide the Service you signed up for.
  2. Legitimate interests. Securing the Service, preventing abuse, and operating our business — balanced against your rights.
  3. Consent. Where you have opted in (e.g. marketing email). You can withdraw consent at any time.
  4. Legal obligation. Where processing is required by law.

4. Subprocessors and Data Sharing

We share data with the following subprocessors strictly to operate the Service. Each is bound by a written data-processing agreement.

  1. Amazon Web Services (AWS) — hosting, storage, networking, and email infrastructure. DPA.
  2. WorkOS — identity, single sign-on, and directory sync. DPA.
  3. Stripe — payment processing and billing. DPA.
  4. Amazon SES — transactional email (signup confirmations, security alerts, billing receipts). Covered by the AWS DPA above.

We may also share data when required by law, to enforce our Terms, or in connection with a merger or acquisition (with notice to you).

5. Retention

We retain account information for as long as your account is active. Audit log content is retained for the period stated in your plan; on account deletion we delete or anonymize personal data within 30 days unless we are required to retain it for legal reasons. Server logs are retained for up to 90 days.

6. Your Rights

Depending on your jurisdiction (GDPR, CCPA, and similar regimes) you have the right to:

  1. Access the personal data we hold about you.
  2. Request correction of inaccurate data.
  3. Request deletion of your personal data.
  4. Receive your data in a portable format.
  5. Object to or restrict certain processing.
  6. Withdraw consent where processing relies on consent.
  7. Lodge a complaint with a supervisory authority (EU/UK residents).

To exercise these rights, email mail@linuxidentity.com. We will respond within 30 days.

7. Security

  1. Encryption in transit. All traffic to and from the Service is encrypted with TLS 1.2+.
  2. Encryption at rest. Customer Data and backups are encrypted at rest using AWS-managed keys.
  3. Tenant isolation. Postgres FORCED row-level security enforces tenant boundaries; queries cannot reach data outside the authenticated tenant.
  4. Audit log integrity. Audit events are hash-chained so tampering is detectable.
  5. Least privilege. Production access is restricted to a small set of engineers and is logged.

No system is perfectly secure. If you believe you have found a security issue, please email mail@linuxidentity.com.

8. Cookies

The Service uses strictly-necessary session cookies to keep you signed in across the marketing site and the dashboard. We do not use analytics tracking, advertising cookies, or third-party trackers. Disabling session cookies will prevent you from signing in.

9. International Transfers

The Service and our subprocessors are primarily located in the United States. If you access the Service from outside the US, your information will be transferred to and processed in the US. Where required, we rely on Standard Contractual Clauses or equivalent safeguards for transfers from the EEA, UK, or Switzerland.

10. Children

The Service is not directed to individuals under 18 and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice in the Service. The “Last updated” date at the top of this page reflects the most recent revision.

12. Contact

Questions about this Privacy Policy or our data practices? Email mail@linuxidentity.com.