ControlBird ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, website, APIs, and related services (the "Service").
1. Information We Collect
Information You Provide
- Account Information: Name, email address, company name, and password when you register.
- Billing Information: Payment method details processed through our third-party payment provider. We do not store full credit card numbers.
- Support Data: Information you provide when contacting support or submitting feedback.
- Configuration Data: Automation configurations, scripts, dashboards, and entity definitions you create within the platform.
Information Collected Automatically
- Usage Data: Pages visited, features used, session duration, and interaction patterns.
- Device Information: Browser type, operating system, IP address, and device identifiers.
- Log Data: Server logs, error reports, and performance metrics.
2. How We Use Information
We use the information we collect to:
- Provide, operate, and maintain the Service.
- Process transactions and manage your subscription.
- Send transactional communications (account verification, billing receipts, security alerts).
- Provide customer support and respond to inquiries.
- Monitor and analyze usage patterns to improve the Service.
- Detect, prevent, and address technical issues and security threats.
- Comply with legal obligations.
We do not sell your personal information. We do not use your automation data, device data, or configuration data for advertising purposes.
3. Data Storage & Security
We implement industry-standard security measures to protect your data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Regular security audits and penetration testing.
- Access controls with role-based permissions and audit logging.
- Infrastructure hosted in SOC 2 compliant data centers.
For ControlBird Cloud, data is stored in the region you select during setup (US, EU, or Asia-Pacific). For ControlBird Enterprise (self-hosted), data remains on your own infrastructure.
4. IoT & Device Data
ControlBird processes data from connected devices and industrial equipment as part of the Service. This device data may include:
- Sensor readings, telemetry, and operational metrics.
- Device status and health information.
- Protocol-specific data (Modbus registers, OPC UA nodes, MQTT messages, DNP3 frames, etc.).
- Historical data stored by the Historian service.
Device data is processed solely to provide the Service. We do not access, analyze, or share your device data for any purpose other than operating and improving the Service, unless required by law or with your explicit consent.
You are responsible for ensuring that any personal data collected through connected devices is processed in compliance with applicable data protection laws.
5. Third-Party Services
We use the following third-party services that may process your data:
- Payment Processor: Payment processing. Subject to our payment processor's privacy policy.
- Analytics Providers: Anonymized usage analytics to improve the Service.
- Cloud Infrastructure: Hosting and storage services with data processing agreements in place.
We require all third-party providers to process data in accordance with our instructions and applicable data protection laws.
7. Data Retention
We retain your data as follows:
- Account Data: Retained while your account is active and for 30 days after deletion to allow recovery.
- Device/Historian Data: Retained according to your configured retention policies within the platform.
- Billing Records: Retained for the period required by applicable tax and financial regulations.
- Server Logs: Retained for up to 90 days for security and debugging purposes.
After account termination, we permanently delete your data within 30 days, except where retention is required by law.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate personal data.
- Erasure: Request deletion of your personal data ("right to be forgotten").
- Portability: Request your data in a structured, machine-readable format.
- Restriction: Request that we limit processing of your personal data.
- Objection: Object to processing of your personal data for certain purposes.
- Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact us at [email protected]. We will respond to your request within 30 days as required by GDPR, or within the timeframe required by your applicable local law.
For EU/EEA residents: You have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated.
9. Children's Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete such information promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or through a prominent notice on the Service at least 30 days before they take effect. We encourage you to review this Privacy Policy periodically.
11. Contact
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at:
- Privacy: [email protected]
- General: [email protected]
See also our Terms of Service for additional information about your use of the Service.