Privacy Policy

Last updated: March 1, 2026

1. Introduction

OneBastion Security, Inc. (“OneBastion,” “we,” “us,” or “our”) operates the OneBastion security intelligence platform. This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our services, visit our website, or interact with us.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your name, email address, organization name, and password. If you sign up using a third-party provider (Google, GitHub, or Microsoft), we receive your name and email from that provider.

2.2 Security Event Data

Our platform processes security events and signals that your organization explicitly sends to the platform. This data is used solely to provide the security intelligence services you have subscribed to.

2.3 Platform Usage Data

We collect information about how you interact with the platform — actions taken, features used, and preferences configured. This data is used to improve the intelligence and recommendations provided to your organization.

2.4 Network Intelligence Data (Opt-In)

With your explicit consent, anonymized aggregate patterns from your usage may contribute to our collective network intelligence. This data is stripped of all identifying information before aggregation. You may opt out at any time from your account settings.

2.5 Billing Information

Payment information is processed by our payment processor (Stripe). We do not store full credit card numbers on our servers. We retain billing contact information and transaction records as required for accounting purposes.

3. How We Use Your Information

We use collected information to:

  • Provide, maintain, and improve our security intelligence services
  • Build and refine AI models specific to your organization
  • Generate cross-product correlations and intelligence insights
  • Communicate with you about your account and our services
  • Ensure the security and integrity of our platform
  • Comply with legal obligations

4. What We Never Do

  • We never sell your data to third parties
  • We never use your identifiable data to train models for other customers
  • We never access your data without explicit authorization or legal requirement
  • We never retain data beyond your configured retention period
  • We never share your data with advertising networks or data brokers

5. Data Sharing

We may share your information only in these circumstances:

  • Service providers: With vendors who assist in operating our platform (hosting, payment processing, analytics), bound by strict data processing agreements.
  • Legal requirements: When required by law, regulation, or valid legal process.
  • Business transfers: In connection with a merger, acquisition, or sale of assets, with advance notice to affected customers.
  • With your consent: For any purpose you explicitly authorize.

6. Data Security

We implement industry-standard security measures including AES-256 encryption at rest, TLS 1.3 encryption in transit, strict tenant data isolation, and 24/7 security monitoring. For details, see our Security page.

7. Data Retention

We retain your data for as long as your account is active or as needed to provide services. Enterprise customers can configure custom retention policies per data type. You may request deletion of your data at any time.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access all personal data we hold about you
  • Export your data in standard formats
  • Request correction of inaccurate data
  • Request deletion of your data
  • Object to or restrict certain processing
  • Withdraw consent for optional data processing (network intelligence)

To exercise any of these rights, contact us at our contact page or email privacy@runbastion.com.

9. International Transfers

Our primary infrastructure is located in the United States. EU customers may choose EU-region deployment for data residency. All international data transfers are governed by appropriate safeguards including Standard Contractual Clauses.

10. Children's Privacy

Our services are not directed to individuals under 18. We do not knowingly collect personal information from children.

11. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email or a prominent notice on our platform at least 30 days before changes take effect.

12. Contact

For privacy-related questions or requests, contact us at runbastion.com/contact or email privacy@runbastion.com.