Privacy Policy

1. Introduction

This Privacy Policy explains how Kheeper ("we", "us", "our") collects, uses, and protects your personal information when you use the Kheeper registry service, website, APIs, and CLI tools (the "Service"). We are committed to keeping your data private and secure.

The short version: We collect the minimum data needed to operate the Service. We do not sell, rent, or share your personal data with third parties.

2. Information We Collect

Account information

When you sign in with Google, we receive your name, email address, and profile picture from Google's authentication service. We use this information solely to create and identify your account. We do not request access to your Google contacts, calendar, drive, or any other Google services.

Usage data

We collect usage metrics necessary for billing and operating the Service, including:

• Storage usage (total blob size per organization)
• Bandwidth usage (bytes served from your images)
• Registered host counts
• API request logs (timestamp, endpoint, response status)

Your content

The Service stores the container images, layers, manifests, and tags you push to the registry. We treat this content as yours and access it only as needed to operate the Service (storage, replication, delivery).

3. How We Use Your Information

We use collected information to:

• Authenticate you and manage your account.
• Operate, maintain, and improve the Service.
• Calculate and process billing.
• Communicate with you about your account or the Service (e.g., security notices, billing issues).
• Detect and prevent abuse, fraud, or security incidents.

We do not use your data for advertising, profiling, or any purpose unrelated to operating the Service.

4. Information We Share

We do not sell, rent, or trade your personal information. We share data only with the following service provider, and only as needed to operate the Service:

Stripe (payment processing)

We share your email address and usage data (storage, bandwidth, and host counts) with Stripe so they can generate and deliver invoices on our behalf. Stripe acts as a data processor and is contractually bound to use this information only for payment processing. We encourage you to review Stripe's Privacy Policy.

Beyond Stripe, the only circumstances under which we disclose personal information are:

• Legal requirements: We may disclose information if required by law, subpoena, or court order.
• Safety: We may disclose information if we believe in good faith that it is necessary to prevent imminent harm or protect the security of the Service.

5. Google Sign-In

We use Google Sign-In as our authentication provider. When you sign in, Google shares your basic profile information (name, email, profile picture) with us. We do not receive your Google password. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Google may collect data about you during the sign-in process according to their own privacy policy. We encourage you to review Google's Privacy Policy.

6. Cookies and Local Storage

We use a session cookie to keep you signed in. This is a strictly necessary cookie and does not track you across other websites. We do not use advertising cookies, analytics trackers, or third-party tracking scripts.

7. Data Security

We protect your data using industry-standard measures including encrypted connections (TLS), secure credential storage, and access controls. API keys and authentication tokens are hashed before storage and cannot be retrieved in plaintext.

No system is perfectly secure. If we become aware of a security breach affecting your personal data, we will notify you promptly.

8. Data Retention

We retain your account information and content for as long as your account is active. If you delete your account, we will delete your personal information and content within 30 days, except where we are required by law to retain it.

Usage logs and billing records may be retained for up to 12 months after account deletion for legal and accounting purposes.

9. Your Rights

You have the right to:

• Access the personal data we hold about you.
• Correct inaccurate personal data.
• Delete your account and associated data.
• Export your content from the registry using standard OCI tooling.

To exercise any of these rights, contact us at privacy@kheeper.com.

10. Children's Privacy

The Service is not directed at children under the age of 13. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 13, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the effective date. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.