Privacy Policy

Who we are

Tameburn is operated as an independent project based in the Republic of Korea. If you have questions about this policy, email [email protected].

'We', 'us', and 'our' in this document refer to Tameburn and its operator.

What we collect

We collect the minimum data needed to operate the service.

• Account: your email address (used for magic-link sign-in and notifications), and your current plan tier from Lemon Squeezy.
• Cloud connection metadata: AWS account ID, Role ARN, and External ID; GCP project ID and an encrypted service account key. We never receive or store your AWS or GCP access keys or secrets.
• Usage data: alerts detected, ignore feedback you submit, and notification-channel delivery logs (whether a message reached Slack, email, etc.).
• Magic-link event records: email address, token length, and timestamp. We do not store the token itself.
• Browser storage: a session JWT under the key tameburn_session in localStorage and sessionStorage. A theme preference (light/dark/system) in localStorage. No tracking or advertising cookies.

What we do not collect

• AWS or GCP access keys, secrets, or credentials of any kind.
• Raw billing line items beyond what is needed to detect a cost spike.
• Content of your cloud resources — we read cost data only, not your S3 objects, compute configurations, or application data.
• Personal data of your end users or customers.
• Any data used for advertising or behavioural profiling.

Third-party services we use

We rely on the following sub-processors to operate the service. We do not sell your data to any third party.

• Lemon Squeezy — billing and subscription management. Privacy policy: https://lemonsqueezy.com/privacy
• Resend — transactional email (magic links, alert digests). Privacy policy: https://resend.com/legal/privacy
• AWS Cost Explorer and S3 Cost and Usage Reports — read-only access via the IAM Role you provide.
• Google Cloud BigQuery — read-only billing export via the service account you authorise.
• MongoDB Atlas — primary hosted database for account, alert, and connection data. Privacy: mongodb.com/legal/privacy-policy.
• No advertising networks. No analytics services that identify users individually.

How we secure your data

All data in transit is protected with TLS. Sensitive fields (service account keys, webhook secrets) are encrypted at rest using AES-256-GCM before being written to the database. Access to production systems is restricted to authorised operators only.

Data retention

• Detected alerts are kept for 90 days by default, then deleted.
• Magic-link event records are kept for 30 days for security audit purposes.
• Cloud connection records are kept until you delete the connection.
• Account data is kept until you delete your account. On deletion we purge operational data within 30 days and retain only what is legally required (for example, billing records for tax purposes).

Your rights (GDPR, CCPA, and others)

Depending on your location, you may have rights including: access to your personal data; correction of inaccurate data; deletion ('right to be forgotten'); data portability (export as JSON); and the right to object to certain processing.

To exercise any of these rights, email [email protected]. We will respond within 30 days.

To delete your account, use the in-app option at /settings/delete-account, or email us. CCPA: we do not sell or share personal information — no opt-out is necessary.

Children

Tameburn is a developer tool not directed to children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us data, email [email protected] and we will delete it promptly.

Changes to this policy

We may update this policy as the product evolves. We will notify account holders by email before material changes take effect. The date at the top of this page shows when it was last revised.

Contact

For privacy questions or requests: [email protected].