Privacy Policy
This Privacy Policy explains how RunTimeAdmin ("we", "us", "our") collects, uses, and protects information when you use SBOMix ("Service"). We are committed to handling your data responsibly.
1. Information We Collect
| Data | Why we collect it | Retention |
|---|---|---|
| Email address | Account creation, key delivery, service notifications | Until account deletion |
| Organisation name | Identify your account in the dashboard | Until account deletion |
| SBOM data (components, versions, PURLs) | Core service functionality — vulnerability matching, diff, reporting | Until app or account deleted |
| Vulnerability data | Risk reporting and alerting | Until app or account deleted |
| API key hashes | Authentication (plaintext keys are never stored) | Until key revoked or account deleted |
| API key last-used timestamps | Security monitoring, unused key cleanup | Until key revoked |
| Server logs (IP address, request path, timestamp) | Security, debugging, abuse prevention | 30 days |
We do not collect names, payment details (handled by Stripe directly), or browsing behaviour beyond what is logged at the server level.
2. How We Use Your Information
- To provide and operate the Service
- To deliver your API key and service notifications by email
- To detect and prevent abuse, fraud, and security incidents
- To improve the Service based on aggregate usage patterns
We do not use your SBOM data to train AI models. We do not sell your data to third parties.
3. Third-Party Services
| Service | Purpose | Data shared |
|---|---|---|
| Resend | Transactional email delivery | Email address, email content |
| DeepSeek | AI-generated vulnerability explanations (opt-in per request) | Vulnerability and component names only |
| OSV.dev (Google) | Open-source vulnerability data enrichment | Component PURLs |
| CISA KEV | Known Exploited Vulnerability flag enrichment | None — we pull a public feed |
| Stripe | Payment processing (when billing is enabled) | Email, billing details |
4. Data Security
API keys are stored as HMAC-SHA256 hashes — plaintext keys are shown once on creation and never stored. All data is transmitted over TLS. Access to production systems is restricted to authorised personnel only.
5. Your Rights
You have the right to:
- Access — request a copy of the data we hold about your organisation
- Correction — request correction of inaccurate data
- Deletion — request deletion of your account and all associated data
- Portability — export your SBOM data in CycloneDX or SPDX format at any time from the dashboard
To exercise any of these rights, email privacy@sbomix.com. We will respond within 30 days.
6. Cookies
The Service does not use tracking cookies. The dashboard stores your API key in localStorage solely to keep you logged in — this data never leaves your browser.
7. Children
The Service is not directed at children under 16. We do not knowingly collect data from anyone under 16.
8. Changes to This Policy
We may update this policy from time to time. We will notify registered users by email of material changes. The "last updated" date at the top of this page will always reflect the current version.
9. Contact
Questions about this policy? Email privacy@sbomix.com.