Legal

Privacy Policy

Version 1.1 · Last updated 2026-05-30

1. Who we are

noburn.dev ("noburn", "we", "us") provides LLM budget guardrails for software teams. For privacy questions contact hello@robatdasorvi.com.

When you use our dashboard we act as a data controller for your account data. When you send SDK events containing end-user identifiers, you are the data controller for that data and we act as a data processor.

2. Data we collect

We collect the following categories of personal data:

  • Account data: name, email, organization membership (via Clerk)
  • Usage data: projects, budget settings, SDK events, blocked-call logs
  • Billing data: plan tier and payment status (via Stripe — we do not store card numbers)
  • Waitlist data: email and optional use-case/spend data (with explicit consent)
  • Technical data: IP address (rate limiting), audit logs of sensitive actions
  • Analytics data: page views, session recordings (10% sampling), feature interaction events, referrer and UTM attribution — collected via PostHog
  • Email data: delivery status for transactional emails sent via Resend; we do not store email content

3. Lawful basis (GDPR)

We process personal data on the following bases:

  • Contract — to provide the service you signed up for
  • Legitimate interests — security, fraud prevention, product analytics, and service improvement
  • Consent — waitlist marketing emails and analytics cookies (you may withdraw anytime via the cookie banner or by emailing us)
  • Legal obligation — where required by applicable law

4. Sub-processors

We use the following third-party services:

  • Clerk — Authentication & organization management (US)
  • Supabase — Database hosting (Configurable; EU available)
  • Stripe — Payment processing (US / EU)
  • Vercel — Application hosting (Global edge)
  • PostHog — Product analytics, session recording, and server-side error logging (US; us.i.posthog.com)
  • Resend — Transactional email delivery: waitlist confirmations, invite emails (US)

5. Data retention

Account and project data are retained while your account is active.

SDK events are retained for operational and billing purposes; you may request erasure.

Webhook delivery logs are purged after 90 days.

Audit logs are retained for 2 years for security compliance.

Waitlist data is deleted on unsubscribe or after 24 months of inactivity.

6. Your rights

If you are in the EEA, UK, or Switzerland you have the right to access, rectify, erase, restrict, port, and object to processing of your personal data.

You can export your data and delete your account from Settings → Privacy. You may also email us at hello@robatdasorvi.com. We respond within 30 days.

7. International transfers

Data may be processed in the United States and other countries where our sub-processors operate. We rely on Standard Contractual Clauses or equivalent safeguards where required.

Configure Supabase in an EU region if you require EU data residency.

8. Contact & complaints

Privacy: hello@robatdasorvi.com · General: hello@robatdasorvi.com

You may lodge a complaint with your local supervisory authority.