Privacy Policy

Platform Shape is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Infrastructure-as-Code platform.

1. Information We Collect

Account Information

When you create an account, we collect:

  • Name and email address
  • Organisation name and billing information
  • Authentication credentials (passwords are hashed and never stored in plaintext)
  • Profile information you choose to provide

Usage Data

We automatically collect information about how you interact with the Platform:

  • Log data (IP addresses, browser type, access times)
  • Feature usage and interaction patterns
  • Error reports and performance data
  • Device and connection information

Customer Data

Data you upload or create within the Platform:

  • Infrastructure configurations and Shapes
  • Deployment logs and history
  • Environment variables and secrets (encrypted at rest)
  • Integration credentials for cloud providers

2. How We Use Your Information

Provide and Improve Services

  • Operate, maintain, and improve the Platform
  • Process your infrastructure deployments
  • Provide customer support and respond to enquiries
  • Develop new features based on usage patterns

Communication

  • Send transactional emails (deployment notifications, security alerts)
  • Provide product updates and announcements (with opt-out option)
  • Respond to support requests

Security and Compliance

  • Detect and prevent fraud, abuse, and security incidents
  • Enforce our Terms of Service
  • Comply with legal obligations

3. Legal Basis for Processing (UK GDPR)

We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Our legal bases for processing include:

  • Contract Performance: Processing necessary to provide our Services under your subscription agreement
  • Legitimate Interests: Improving our services, security monitoring, and fraud prevention, where these interests do not override your rights
  • Legal Compliance: Meeting regulatory and legal requirements under UK law
  • Consent: Marketing communications (where required)

4. Information Sharing and Disclosure

We do not sell your personal information. We may share information with:

Service Providers

Third parties who assist in operating our Platform, including:

  • Cloud infrastructure providers (AWS, Azure, GCP)
  • Payment processors
  • Analytics and monitoring services
  • Customer support tools

These providers are contractually bound to protect your data and use it only for the services they provide to us.

Legal Requirements

We may disclose information when required by UK law, court order, or government request, or when necessary to protect our rights, safety, or property.

Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you of any such change and your options.

5. Data Security

We implement comprehensive security measures to protect your data:

  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Role-based access with multi-factor authentication options
  • Infrastructure Security: SOC 2 compliant infrastructure with regular audits
  • Secrets Management: Customer secrets are encrypted with KMS and isolated per organisation
  • Monitoring: 24/7 security monitoring and incident response

Whilst we implement industry-standard security practices, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide services. Specifically:

  • Account Data: Retained whilst your account is active, deleted within 30 days of account closure
  • Deployment Logs: Retained according to your plan settings (default 90 days)
  • Audit Logs: Retained for compliance purposes (typically 1-7 years)
  • Backups: Retained for disaster recovery purposes, encrypted and deleted according to schedule

7. Your Rights Under UK GDPR

Under the UK GDPR and Data Protection Act 2018, you have the following rights:

  • Right of Access: Request a copy of your personal data (Subject Access Request)
  • Right to Rectification: Request correction of inaccurate data
  • Right to Erasure: Request deletion of your data (subject to legal retention requirements)
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Restrict Processing: Request restriction of processing in certain circumstances
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent for marketing communications at any time

To exercise these rights, contact us using the details below. We will respond within one month (or as required by applicable law).

8. International Data Transfers

Your data may be transferred to and processed in countries outside the UK. We ensure appropriate safeguards are in place for international transfers, including:

  • UK International Data Transfer Agreement (UK IDTA) or addendum to EU SCCs
  • Transfers to countries with UK adequacy decisions (including the EEA)
  • Data Processing Agreements with all sub-processors
  • Compliance with applicable data transfer frameworks and regulations

A list of our sub-processors and their locations is available upon request.

9. Cookies and Tracking Technologies

We use the following types of cookies and similar technologies:

  • Strictly Necessary Cookies: Required for the Platform to function (authentication, security)
  • Analytics Cookies: Help us understand how you use the Platform (can be disabled)
  • Preference Cookies: Remember your settings and preferences

You can control cookies through your browser settings or our cookie preference centre. Disabling certain cookies may affect Platform functionality.

10. Children's Privacy

Platform Shape is not intended for users under 16 years of age. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 16, we will delete it promptly.

11. Additional Rights for International Users

European Economic Area (EEA)

If you are located in the EEA, you have rights under the EU GDPR equivalent to those described above under UK GDPR. You may also lodge a complaint with your local supervisory authority.

California Residents (CCPA/CPRA)

California residents have additional rights:

  • Right to know what personal information we collect and how it is used
  • Right to delete personal information (with exceptions)
  • Right to opt out of the sale of personal information (we do not sell data)
  • Right to non-discrimination for exercising privacy rights

Other Jurisdictions

We comply with applicable data protection laws in all jurisdictions where we operate. Contact us for jurisdiction-specific information.

12. Changes to This Policy

We may update this Privacy Policy periodically. For material changes, we will notify you via email or through the Platform at least 30 days before the changes take effect. Your continued use of the Platform after changes become effective constitutes acceptance of the updated policy.

13. Data Controller and Contact Information

Platform Shape Ltd is the data controller for your personal data. We are registered in England and Wales.

For privacy-related enquiries, to exercise your rights, or to make a complaint, please contact us.

If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk

Last updated: December 2024