Legal
This policy covers personal data Failkit collects when you visit failkit.com, register for an account, use the Service, or contact us. It does not cover replicated VM payloads — those remain in Customer’s own cloud accounts and Failkit does not take custody of them. See the Security page for the data architecture.
Name, work email, company name, role, and the password hash for accounts you create. For paid accounts, billing contact and payment-method metadata (we do not store card numbers; payment is handled by Stripe).
Technical metadata about your use of the Service: IP address, user-agent, request paths, error rates, feature-usage counts, drill timestamps, and replication-job metadata (source/target, RPO observed, byte counts — not the bytes themselves).
Failkit does not collect or store the contents of your VMs. Replicated VM data is encrypted by the agent and written directly to your cloud-provider object store (S3, Azure Blob, GCS). Failkit’s management plane only handles metadata about those payloads — sizes, hashes, timestamps, target locations.
We process personal data on the following legal bases:
We share personal data with sub-processors that help us run the Service. Each is bound by data-protection terms equivalent to those we offer Customer.
| Sub-processor | Purpose | Data location |
|---|---|---|
| OVHcloud | Tenant cluster compute & storage (control plane) | EU / US (per cluster) |
| Cloudflare | DNS, TLS termination, WAF for failkit.com | Global CDN |
| AWS / Azure / GCP | Customer-selected cloud target for replication | Customer-controlled region |
| Stripe | Payment processing | US / EU |
| Resend | Transactional email (provisioning, alerts) | US |
We never sell personal data. We do not share personal data with advertisers.
Account data is retained while your account is active and for 30 days after termination, after which it is deleted unless legally required to be retained (typically billing records, retained 7 years per US tax law). Telemetry is retained for 90 days in identified form, then aggregated into anonymous metrics.
Depending on your jurisdiction, you may have the right to:
To exercise any of these rights, email [email protected]. We respond within 30 days.
Failkit is a B2B product not directed at users under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact [email protected] and we will delete it.
Personal data may be transferred to the United States and other jurisdictions where our sub-processors operate. We rely on the European Commission’s Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum where applicable. EU/UK customers may request our SCCs by emailing [email protected].
We follow commercially reasonable security practices, including encryption in transit and at rest, per-tenant database isolation, least-privilege access controls, and a documented incident-response plan. The full posture is on the Security page.
Privacy questions, DSAR requests, or anything else: [email protected]. An EU representative will be designated when we begin offering the Service in the EEA at scale; until then, EU/UK individuals may contact [email protected] directly.
We may update this policy. Material changes will be announced at least 30 days in advance via email and a notice on the customer portal. The effective date is shown above.