noburn

Legal

Privacy Policy

Version 1.0 · Last updated 2026-05-17

1. Who we are

noburn.dev ("noburn", "we", "us") provides LLM budget guardrails for software teams. For privacy questions contact privacy@noburn.dev.

When you use our dashboard we act as a data controller for your account data. When you send SDK events containing end-user identifiers, you are the data controller for that data and we act as a data processor.

2. Data we collect

We collect the following categories of personal data:

  • Account data: name, email, organization membership (via Clerk)
  • Usage data: projects, budget settings, SDK events, blocked-call logs
  • Billing data: plan tier and payment status (via Stripe — we do not store card numbers)
  • Waitlist data: email and optional use-case description (with explicit consent)
  • Technical data: IP address (rate limiting), audit logs of sensitive actions

3. Lawful basis (GDPR)

We process personal data on the following bases:

  • Contract — to provide the service you signed up for
  • Legitimate interests — security, fraud prevention, product improvement
  • Consent — waitlist marketing emails (you may withdraw anytime)
  • Legal obligation — where required by applicable law

4. Sub-processors

We use the following third-party services:

  • Clerk — Authentication & organization management (US)
  • Supabase — Database hosting (Configurable (EU available))
  • Stripe — Payment processing (US / EU)
  • Vercel — Application hosting (Global edge)

5. Data retention

Account and project data are retained while your account is active.

SDK events are retained for operational and billing purposes; you may request erasure.

Webhook delivery logs are purged after 90 days.

Audit logs are retained for 2 years for security compliance.

Waitlist data is deleted on unsubscribe or after 24 months of inactivity.

6. Your rights

If you are in the EEA, UK, or Switzerland you have the right to access, rectify, erase, restrict, port, and object to processing of your personal data.

You can export your data and delete your account from Settings → Privacy. You may also email us at privacy@noburn.dev. We respond within 30 days.

7. International transfers

Data may be processed in the United States and other countries where our sub-processors operate. We rely on Standard Contractual Clauses or equivalent safeguards where required.

Configure Supabase in an EU region if you require EU data residency.

8. Contact & complaints

Privacy: privacy@noburn.dev · General: hello@noburn.dev

You may lodge a complaint with your local supervisory authority.