Privacy Policy

Last updated: January 2025

This Privacy Policy explains how seal.dev ("Seal", "we", "us", or "our") collects, uses, and shares information when you use our website, APIs, SDKs, documentation, and hosted services (collectively, the "Services").

If you do not agree with this Privacy Policy, do not use the Services.

1. Roles: "Controller" vs "Processor"

Seal may process data in two different roles:

  • When you visit our website or create an account: we act as a data controller for that information.
  • When you use Seal in your product: we typically act as a data processor/service provider for Customer Data you submit (e.g., end-user identities, authentication events). In that case, you are the controller.

If you need a Data Processing Agreement ("DPA"), contact privacy@seal.dev.

2. Information We Collect

A. Information you provide to us (Controller data)

We may collect:

  • Account information (name, email, company, role)
  • Billing information (billing contact details, payment status; payment card data is usually handled by our payment processor)
  • Support communications (messages, attachments, and troubleshooting details)

B. Information collected automatically

We may collect:

  • Device and usage data (IP address, browser type, pages viewed, timestamps, approximate location derived from IP)
  • Logs and diagnostics (API requests, error logs, performance metrics)
  • Cookies and similar technologies (see "Cookies")

C. Customer Data (Processor data)

When you use the Services, you may submit Customer Data, which can include:

  • End-user identifiers (user ID, email, name)
  • Org/workspace identifiers
  • Authentication and authorization events (sign-in events, SSO metadata, RBAC changes, audit log events)
  • Configuration data (SSO setup details, SCIM settings, etc.)

You control what you send us. Don't send sensitive data unless you need to and you have the right to do so.

3. How We Use Information

We use information to:

  • Provide and operate the Services (auth flows, logging, admin functionality)
  • Secure the Services (abuse prevention, detecting fraud, monitoring for attacks)
  • Improve and maintain the Services (debugging, performance tuning, product improvements)
  • Communicate with you (support, product updates, service notices)
  • Bill and manage subscriptions (invoices, payments, plan limits)
  • Comply with legal obligations and enforce our Terms

4. Legal Bases (EEA/UK Users)

If GDPR applies, we process data under these legal bases:

  • Contract: to provide the Services you request
  • Legitimate interests: to secure and improve the Services, prevent abuse, and communicate about the Services
  • Consent: for certain cookies/marketing where required
  • Legal obligation: for compliance requests

5. How We Share Information

We do not sell your personal information.

We may share information with:

A. Service providers (sub-processors)

Vendors that help us operate the Services, such as:

  • Hosting/infrastructure
  • Analytics
  • Email delivery
  • Customer support tools
  • Payment processing

They can access information only to perform services for us and must protect it.

B. Legal and safety

We may disclose information if we believe it's necessary to:

  • Comply with law or legal process
  • Protect rights, safety, and security (including investigating abuse)
  • Enforce our Terms

C. Business transfers

If we're involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction.

6. Cookies & Analytics

We use cookies and similar technologies for:

  • Essential site functionality (session, security)
  • Understanding site usage (analytics)
  • Preference storage

You can control cookies through your browser settings. If you disable cookies, some features may not work.

7. Data Retention

We keep information only as long as necessary for:

  • Providing the Services
  • Security and audit requirements
  • Legal compliance and dispute resolution

Retention periods vary by data type. If you want specific retention settings (e.g., audit log retention), contact us.

8. Security

We use reasonable technical and organizational measures to protect information (access controls, encryption in transit, logging, monitoring, etc.).

No system is 100% secure. You are responsible for safeguarding your API keys and admin credentials.

9. International Transfers

If you access the Services from outside [PRIMARY HOST COUNTRY], your information may be processed in countries where we or our service providers operate.

Where required, we use appropriate safeguards for cross-border transfers (e.g., Standard Contractual Clauses).

10. Your Rights & Choices

Depending on your location, you may have rights to:

  • Access, correct, or delete your personal information
  • Object to or restrict certain processing
  • Request a copy (portability)
  • Withdraw consent where processing is based on consent

Important: If Seal is processing Customer Data on behalf of a Customer (processor role), you should send requests to the Customer (the controller). We'll support them as required.

To exercise rights for controller data, contact privacy@seal.dev.

11. Children's Privacy

The Services are not intended for children under 18. We do not knowingly collect information from children.

12. Third-Party Links

The Services may link to third-party websites or services. We're not responsible for their privacy practices.

13. Changes to this Policy

We may update this Privacy Policy from time to time. The "Last updated" date will reflect changes. If changes are material, we'll provide reasonable notice.

14. Contact

Questions or requests:
Email: privacy@seal.dev