Privacy Policy

The short version

We collect only what's needed to sell you a product and keep it working. We do not sell or share your personal information — including as defined under CCPA/CPRA. We don't run analytics tools that profile you. You can delete your data at any time by emailing us.

Data controller

Septim Labs (a Michigan-based sole proprietorship operated by Ethan Quintero, [email protected]) is the data controller for personal information collected through this site and its products. If you are located in the EU or UK, Septim Labs is your point of contact for GDPR-related requests; we do not have a formal EU representative appointed at this time. Contact: [email protected].

Legal basis for processing (GDPR)

For visitors in the EU and UK, we process personal data under the following lawful bases:

• Contract performance (Article 6(1)(b)): processing your email address and purchase record to deliver the product you bought and handle refund or support requests.
• Legitimate interest (Article 6(1)(f)): sending transactional emails about material updates to products you have purchased. You can opt out at any time.
• Legal obligation (Article 6(1)(c)): retaining transaction records for the period required by applicable tax and accounting law.

We do not process personal data for automated decision-making or profiling.

What we collect

When you buy:

• Your email address (from Stripe at checkout)
• Your country (from Stripe, for tax calculation)
• Payment amount and timestamp
• Your Stripe Checkout Session ID (acts as your license reference)

We do NOT receive your full credit card number — Stripe handles that.

When you fill a confirmation form:

• Email (re-confirmed)
• GitHub username — so we can invite you to your private repo

When you visit our sites:

• Cloudflare Pages (our host) collects aggregated, anonymized request metadata — IP-based region, page path, referrer — for routing and abuse prevention. We do not store or process this data ourselves. Cloudflare privacy policy: cloudflare.com/privacypolicy.
• No third-party trackers, no Facebook Pixel, no Google Analytics, no behavioral profiling.

What we do with it

• Send you the product you bought (via email + GitHub invite)
• Send you transactional emails about your purchase (receipt, updates, refund confirmation)
• Let you re-retrieve your license via /my-purchases using your session ID
• Add significant product updates or critical security fixes (rare, and only to existing buyers — we don't do marketing blasts)

What we don't do

• Sell or rent your data to anyone. Ever.
• Share your email with advertisers, data brokers, or affiliates.
• Profile you across sites. Our analytics are aggregate only.
• Use your data to train AI models.

Who can see your data

• Stripe — processes payment. Their privacy policy: stripe.com/privacy
• Resend — delivers our transactional email to you. resend.com/legal/privacy-policy
• GitHub — holds the private repositories you get access to. GitHub privacy
• Formsubmit.co — relays confirmation form submissions to our inbox. formsubmit.co/privacy
• Cloudflare Pages — hosts our site. Sees request metadata (IP, path, headers) for routing and security; does not receive response bodies or payment data. cloudflare.com/privacypolicy
• Cloudflare — provides DNS for septimlabs.com. Sees request metadata but not response bodies. cloudflare.com/privacypolicy
• Anthropic — if you purchase Septim Audit, the URL you submit on the intake form is analyzed using Anthropic's Claude API. The intake brief plus the public content of the URL is passed to Claude to generate the audit; nothing else. Anthropic API privacy: anthropic.com/legal/privacy

For Septim Sift and Septim Deploy specifically: if you grant Septim Labs access to a private GitHub repository as part of the engagement, the repository contents are read by the Septim Labs team (not by any third party). We do not commit, modify, or distribute your code. Access is revoked at the end of the engagement.

That's the complete list. No ad networks, no analytics firms, no data brokers.

How long we keep it

Purchase records live in Stripe for accounting/refund purposes (typically 7 years per US tax requirements). Everything else — confirmation form submissions in our inbox, repository collaborator lists — is retained as long as you're a customer. If you request account deletion, we remove what we control within 30 days, though Stripe retains transaction records for compliance.

Your rights

You can at any time:

• See what we have: email us and ask for a copy of your data.
• Fix what's wrong: email us with a correction.
• Delete your data: email us to request deletion. We'll remove what we control, revoke your repository access, and confirm within 30 days.
• Stop getting emails: reply to any email asking to stop. Except critical ones (like a refund confirmation) we're legally required to send.

California residents (CCPA/CPRA): We do not sell or share your personal information as defined under California law. You have the right to know what we collect, request deletion, and opt out of sharing. Email us to make any of those requests. We will respond within 45 days.

EU/UK residents (GDPR): You have rights under Articles 15–22 — access, rectification, erasure, restriction, portability, and objection. Email us to exercise any of them. You also have the right to lodge a complaint with your local supervisory authority.

Cookies

We do not set any first-party tracking or analytics cookies. Cloudflare, our hosting and DNS provider, sets technical cookies (__cf_bm, cf_clearance) for bot protection and routing. These are functional — not advertising — and are governed by Cloudflare's privacy policy. No marketing or behavioral cookies are present on this site.

Security

We take reasonable steps (encrypted transport, signed webhooks, no plaintext secrets, per-user license isolation) but no system is perfectly secure. If we become aware of a breach that creates high risk to your rights or freedoms, we will notify affected users without undue delay. Where required by law (e.g., GDPR Article 33), we will also notify the relevant supervisory authority within 72 hours of becoming aware of the breach.

Children

Our products are for developers and business operators. We don't knowingly collect data from anyone under 16.

Contact

Questions about this policy, your data, or to make a request: [email protected].