Privacy policy

Status: placeholder. A formal legal-reviewed version lands before public launch.

What we collect

PermitUSB collects telemetry from agents you install on your endpoints. Specifically:

• Device events (USB plug/unplug) including VID, PID, serial number, friendly name, device class
• Per-event audit context: the Windows logged-in user (e.g. CORP\jsmith), the endpoint's local IPs at plug time, and the public IP the event was POSTed from. Standard endpoint-security telemetry; the controlling customer is responsible for disclosing it to their employees in their own acceptable-use policy.
• Endpoint identity: hostname, OS version, agent version
• Account: email address (yours and any teammates you invite)
• Billing: limited Stripe customer data (email + subscription status); card data never touches our servers

What we don't collect

• File contents from USB devices
• User browsing or non-USB peripheral activity
• Any data outside the explicit telemetry above

Where it lives

Supabase (Postgres, AWS us-east-1) for application data. Stripe for billing. Resend for transactional email. We don't sell, share, or use customer data for training.

Retention

Event retention is 365 days on Paid (and during the 14-day Trial). Trial-expired tenants retain data for 30 days before deletion. You can request earlier deletion at any time.

Contact

Email privacy@permitusb.com.