Privacy Policy
PodWarden
Version 4.0 • Effective Date: April 20, 2026
PodWarden • Vancouver, British Columbia, Canada
1. Introduction
PodWarden Technologies Inc. (“PodWarden,” “we,” “us,” or “our”) is committed to protecting the privacy of everyone who visits our website or uses our platform. This Privacy Policy explains what personal information we collect, why we collect it, how we use and protect it, who we share it with, how long we keep it, and what rights you have with respect to your personal information.
This Policy applies to all personal information processed by PodWarden in connection with our website at podwarden.com, our cloud platform and infrastructure management services, our APIs and MCP (Model Context Protocol) tooling, and all related applications and services (collectively, the “Services”).
PodWarden is incorporated in British Columbia, Canada and operates as a data controller under applicable Canadian privacy legislation, including the Personal Information Protection Act (BC PIPA), the Personal Information Protection and Electronic Documents Act (PIPEDA), and, where applicable, Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (Law 25). Where our Services are accessed by individuals in the European Economic Area, the United Kingdom, or California, we also comply with the obligations imposed by the General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) respectively.
By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Services.
2. Who This Policy Applies To
This Privacy Policy applies to:
Visitors to the PodWarden website (podwarden.com)
Registered users and account holders on the PodWarden platform
Team members, administrators, and collaborators added to a PodWarden organization account
Developers and third parties who access our platform via API or MCP protocol
Any person whose personal information is submitted to or processed by PodWarden in connection with the Services
If you use PodWarden on behalf of an organization, that organization is responsible for ensuring that its members’ use of PodWarden complies with applicable privacy laws and this Policy.
3. Information We Collect
We collect personal information in the following categories:
3.1 Account and Identity Information
When you create a PodWarden account, we collect:
Your name and email address
Password (stored as a cryptographic hash; we never store plaintext passwords)
Organization name and billing contact details
Payment information processed by our third-party payment processor, Stripe, Inc. We do not store raw card data — see Section 6.
Profile information you voluntarily provide, such as a display name or avatar
OAuth identity tokens when you sign in via Google or GitHub. We receive your name, email address, and profile picture URL only; we never receive your passwords for those services.
3.2 Usage and Interaction Data
When you use our Services, we automatically collect:
Log data including IP address, browser type, operating system, referring URLs, and pages visited on our website
Session and authentication events (login times, token issuance, failed authentication attempts)
Feature usage metrics, such as which dashboard sections are accessed, catalog items browsed, and workflows initiated
Error reports and diagnostic data generated by the platform
Timestamps and frequency of interactions with the Services
3.3 Infrastructure Metadata
In the course of providing infrastructure management services, we process operational metadata associated with your workloads, including:
Server names, IP addresses, and network topology information for servers you connect to PodWarden
Container and workload identifiers, deployment names, and namespace configurations
Resource utilization metrics (CPU, memory, storage, GPU usage) for servers under management
Health status, uptime records, and alert history for managed infrastructure
Deployment logs and configuration change records within your account
Infrastructure metadata is operational data associated with your account. It may incidentally contain personal information if you include names, identifiers, or other personal data in your workload configurations or deployment names. You are responsible for ensuring that any personal data embedded in your infrastructure configurations is handled in accordance with applicable law.
3.4 MCP Tool Call Logs
PodWarden’s MCP (Model Context Protocol) interface enables AI clients to interact with your infrastructure. When MCP tooling is used, we collect and retain:
Records of MCP tool calls made within your account, including the tool name, parameters supplied, and outcome
The identity of the user or API credential that authorized the tool call
Timestamps and session identifiers associated with each tool call
Error responses and failure records for failed tool invocations
MCP tool call logs do not capture the content of AI model prompts or responses from third-party AI clients (such as Claude or Cursor). Those interactions are governed by the privacy policies of the respective AI client providers. PodWarden only logs the structured tool invocations at the API boundary of our own platform. Where PodWarden’s MCP tooling returns data to a third-party AI client in response to a tool call, that data is transmitted to and processed by the AI client provider in accordance with their privacy policy. You should review the privacy policy of any AI client you connect to PodWarden.
MCP tool call logs are retained for security, audit, and compliance purposes. They may be reviewed by PodWarden in the event of a suspected policy violation, security incident, or at your request for account-level audit purposes.
3.5 Secrets and Credentials
PodWarden provides a secrets management feature that allows you to store API keys, environment variables, and other credentials for use in your workloads. Secrets are:
Encrypted at rest using AES-256 encryption
Decrypted only at the point of deployment to your workloads
Never logged in plaintext in our systems
Accessible only to users with appropriate RBAC permissions within your organization
PodWarden staff do not have routine access to the plaintext values of stored secrets. Access may be required in exceptional circumstances, such as during a security incident response, and will be logged and subject to our internal access control policies.
For self-hosted PodWarden instances, secrets are encrypted with a key that lives on your own infrastructure, not on PodWarden’s servers. PodWarden cannot decrypt or access these secrets remotely.
3.6 Payment and Billing Information
For paid plan subscriptions (Pro at USD $19/month per cluster; Business at USD $79/month per cluster), payment processing is handled entirely by Stripe, Inc. PodWarden does not store your full credit card number, CVV, or bank account details. We retain only:
Stripe Customer ID and Subscription ID
Last four digits of your payment method (for display purposes only)
Billing history and invoices, retained for 7 years as required by Canadian tax law
3.7 Communications Data
If you contact us for support, submit a bug report, or correspond with us by email, we retain records of those communications, including your email address and the content of your messages, for the purpose of providing support and maintaining a history of your interactions with us.
3.8 Cookies and Tracking Technologies
Our website uses cookies and similar tracking technologies. We use:
Strictly necessary cookies required for the website and platform to function (session authentication, CSRF protection)
Analytics cookies to understand how visitors use our website and to improve our content and services
Preference cookies that remember your settings and choices
We do not use advertising or cross-site tracking cookies. You can manage cookie preferences through your browser settings or via our cookie consent banner. For visitors in the EEA and UK, our cookie consent banner will gate non-essential cookies until you have provided consent. For other visitors, analytics cookies may be set by default and can be withdrawn at any time.
Do Not Track: Our website does not currently respond to Do Not Track signals, as there is no universally accepted standard for how such signals should be interpreted. We will revisit this position if a consensus standard emerges.
4. How We Use Your Information
We use the personal information we collect for the following purposes:
4.1 Providing and Operating the Services
Creating and managing your account
Authenticating your identity and securing your session
Processing your payment and managing your subscription
Delivering the infrastructure management, container orchestration, and MCP tooling features of the platform
Providing customer support and responding to your inquiries
4.2 Security and Fraud Prevention
Detecting, investigating, and preventing unauthorized access, policy violations, and fraudulent activity
Maintaining audit logs and security records
Verifying compliance with our Acceptable Use Policy
Responding to security incidents and vulnerability reports
4.3 Platform Improvement
Analyzing usage patterns and feature adoption to improve the platform
Diagnosing technical issues and improving platform reliability
Conducting internal research and development
4.4 Communications
Sending transactional communications related to your account, such as welcome emails, billing receipts, and password reset notifications
Notifying you of material changes to our policies, terms, or the platform
Sending product updates or announcements where you have opted in to receive them
You may opt out of non-essential communications at any time by following the unsubscribe instructions in our emails or by contacting us at [email protected].
4.5 Legal and Compliance Obligations
Complying with applicable laws, regulations, and lawful government requests
Enforcing our Terms of Service and Acceptable Use Policy
Establishing, exercising, or defending legal claims
5. Legal Bases for Processing (GDPR / UK GDPR)
Where the GDPR or UK GDPR applies to the processing of your personal information, we rely on the following legal bases:
Contract: Processing necessary to perform our contract with you, including providing the Services you have signed up for and managing your account.
Legitimate Interests: Processing necessary for our legitimate interests, such as maintaining platform security, preventing fraud, improving our services, and communicating with you about your account, provided those interests are not overridden by your rights and interests. A summary of our legitimate interest balancing assessments is available on request at [email protected].
Legal Obligation: Processing required to comply with applicable laws and regulations.
Consent: Where we rely on your consent (for example, for optional analytics cookies or marketing communications), you have the right to withdraw that consent at any time without affecting the lawfulness of prior processing.
We do not use your personal information for automated decision-making that produces legal or similarly significant effects without human review.
6. How We Share Your Information
We do not sell your personal information. We share personal information only in the following circumstances:
6.1 Service Providers
We engage trusted third-party service providers who process personal information on our behalf. These include:
Stripe, Inc. — Payment processing. Stripe is a PCI-DSS compliant payment processor. Their privacy policy is available at stripe.com/privacy.
Cloud infrastructure and hosting providers for platform operation
Email delivery services for transactional and product communications
Analytics and monitoring tools for platform performance and reliability
All service providers are contractually required to process personal information only in accordance with our instructions, implement appropriate security measures, and comply with applicable privacy laws.
6.2 Within Your Organization
If you use PodWarden under an organization account, your account information, activity, and audit logs may be visible to the administrators of that organization. Administrators are responsible for managing access permissions within their account.
6.3 Legal Requirements and Safety
We may disclose personal information if we believe in good faith that disclosure is necessary to comply with a legal obligation, respond to a lawful government or law enforcement request, protect the rights or safety of PodWarden, our users, or the public, or prevent or detect fraud, security incidents, or technical issues.
6.4 Business Transfers
If PodWarden is involved in a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred as part of that transaction. We will notify affected users by email or by posting a notice on our website before personal information is transferred and becomes subject to a different privacy policy.
6.5 With Your Consent
We may share your information with third parties in other circumstances where you have given explicit consent to the disclosure.
7. International Data Transfers
PodWarden is headquartered in Vancouver, British Columbia, Canada. Our infrastructure and some of our service providers may be located in countries other than Canada, including the United States and other jurisdictions. When we transfer personal information outside Canada, we take steps to ensure that adequate protections are in place, as required by BC PIPA and PIPEDA.
For transfers of personal information from the European Economic Area or the United Kingdom, we rely on appropriate transfer mechanisms, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent safeguards recognized under UK law. For transfers from other jurisdictions, we implement contractual or other protections as required by applicable law.
If you are located in the EEA or UK and have questions about the safeguards we apply to international transfers of your personal information, please contact us at [email protected].
8. Data Retention
We retain personal information for as long as necessary to fulfill the purposes for which it was collected, to comply with legal obligations, and to resolve disputes and enforce our agreements. The following general retention periods apply:
Account information: Retained for the duration of your account and for up to 30 days following account closure, after which it is deleted or anonymized
Usage and interaction logs: Retained for up to 12 months from the date of collection
Infrastructure metadata and MCP tool call logs: Retained for up to 12 months, or longer where required for security investigation, legal hold, or regulatory compliance
Billing and financial records: Retained for 7 years as required by Canadian tax and accounting laws
Support communications: Retained for up to 3 years following the resolution of your request
Security and audit logs: Retained for up to 2 years for security monitoring and incident response purposes
Where you request deletion of your personal information, we will action that request subject to any overriding legal obligations. Residual copies may remain in backup systems for a limited period before being permanently purged.
9. How We Protect Your Information
We implement technical, organizational, and administrative safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. Our security measures include:
Encryption of data in transit using TLS 1.2 or higher
Encryption of data at rest, including secrets and sensitive configuration data, using AES-256
Role-based access controls (RBAC) limiting access to personal information to authorized personnel on a need-to-know basis
Secure WebSocket tunnels for MCP tool routing — no ports need to be opened on your infrastructure
Multi-factor authentication for PodWarden staff access to production systems
Regular security assessments and vulnerability management
Audit logging of access to sensitive systems and data
Incident response procedures for detecting, containing, and remediating security events
No method of transmission over the internet or method of electronic storage is completely secure. While we strive to protect your personal information, we cannot guarantee its absolute security. You are responsible for maintaining the security of your account credentials and for promptly notifying us of any suspected unauthorized access.
10. Data Breach Notification
In the event of a security incident involving personal information, we will follow our incident response procedures and comply with all applicable breach notification obligations. Specifically:
Under PIPEDA and BC PIPA, we will notify affected individuals and the applicable privacy commissioner where a breach poses a real risk of significant harm
Under the GDPR and UK GDPR, we will notify the relevant supervisory authority within 72 hours of becoming aware of a breach, and will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms
Under the CCPA/CPRA, we will notify affected California residents in the event of a breach of their unencrypted personal information, as required by California law
Breach notifications will be provided by email to the address associated with your account, or by such other means as required or permitted by applicable law. We maintain a record of all data security incidents in accordance with our legal obligations.
11. Your Privacy Rights
Depending on your jurisdiction, you may have the following rights with respect to your personal information:
11.1 Rights Under Canadian Privacy Law (BC PIPA / PIPEDA)
Right of access: You may request access to the personal information we hold about you and receive a copy of it
Right of correction: You may request that we correct inaccurate or incomplete personal information
Right to withdraw consent: Where we process your information based on consent, you may withdraw that consent at any time, subject to legal or contractual restrictions
Right to complain: You have the right to complain to the Office of the Information and Privacy Commissioner for BC (OIPC BC) or the Office of the Privacy Commissioner of Canada (OPC) if you believe your privacy rights have been violated
11.2 Rights Under GDPR / UK GDPR
If you are located in the EEA or UK, you have the following additional rights:
Right to erasure (“right to be forgotten”): You may request deletion of your personal information, subject to certain exceptions
Right to restriction: You may request that we restrict the processing of your personal information in certain circumstances
Right to data portability: You may request a copy of your personal information in a structured, machine-readable format
Right to object: You may object to processing based on legitimate interests or for direct marketing purposes
Right to lodge a complaint: You may lodge a complaint with your local data protection authority
11.3 Rights Under Quebec Law 25 (Quebec Residents)
If you are a resident of Quebec, you have the following additional rights under Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (Law 25):
Right of access and correction: You may request access to and correction of your personal information held by us
Right to de-indexation: Where your personal information has been disseminated online, you may request that hyperlinks providing access to it be de-indexed
Right to data portability: You may request that personal information you have provided to us be communicated in a structured, commonly used technological format
Right to be informed of automated decision-making: Where we use personal information to render a decision based exclusively on automated processing, you have the right to be informed of this and to request human review
Right to lodge a complaint: You may file a complaint with the Commission d’accès à l’information (CAI) at cai.gouv.qc.ca
11.4 Rights Under CCPA / CPRA (California Residents)
If you are a California resident, you have the following rights:
Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it
Right to delete: You may request deletion of personal information we have collected from you, subject to certain exceptions
Right to correct: You may request correction of inaccurate personal information
Right to opt out of sale or sharing: We do not sell personal information or share it for cross-context behavioral advertising. No opt-out is required.
Right to non-discrimination: We will not discriminate against you for exercising your privacy rights
California residents may designate an authorized agent to make requests on their behalf. We will verify the identity of the requestor before processing any request.
11.5 How to Exercise Your Rights
To exercise any of the rights described above, please contact us at [email protected]. We will respond to verified requests within the timeframe required by applicable law (generally 30 days, with the possibility of a single extension where permitted). We may ask you to verify your identity before processing your request.
12. Children’s Privacy
The Services are not directed to children under the age of 16 (or such higher age as may be required under applicable law in your jurisdiction). We do not knowingly collect personal information from children. If you believe that a child has provided us with personal information without appropriate consent, please contact us at [email protected] and we will take steps to delete that information promptly.
13. Third-Party Links and Services
Our website and platform may contain links to third-party websites, services, and integrations. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access through or in connection with PodWarden. PodWarden is not responsible for the privacy practices or content of third-party services.
14. Self-Hosted Instances and User Data
PodWarden’s architecture is designed with data sovereignty in mind. When you deploy a PodWarden instance on your own servers:
Your application data, container contents, and workload data are stored on your own infrastructure
Secrets you store in your local PodWarden instance are encrypted with a key that lives on your servers, not ours
PodWarden accesses your instance only through authenticated, encrypted tunnels when you initiate a connection through the Hub
PodWarden Hub processes only the operational metadata described in Section 3 — not the content of your workloads or application data
If you process personal data of third parties (e.g., your customers) on your self-hosted PodWarden instance, you are the data controller for that data and are responsible for ensuring your processing complies with applicable privacy laws.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. We will provide notice of material changes by posting the updated Policy on our website and, where required by law or where we consider it appropriate, by notifying account holders by email, no fewer than 14 days before the changes take effect.
The effective date at the top of this Policy indicates when it was last updated. Your continued use of the Services after the effective date of any changes constitutes your acknowledgment of the updated Policy. The current version of this Policy is always available at: podwarden.com/legal/privacy-policy
16. Contact and Data Protection Inquiries
PodWarden has designated a Privacy Officer who is responsible for overseeing compliance with Canadian privacy law (BC PIPA and PIPEDA) and this Privacy Policy. For the purposes of GDPR and UK GDPR, PodWarden acts as the data controller. At this stage of our operations, we have determined that a formal Data Protection Officer (DPO) appointment under Article 37 GDPR is not mandatory; however, we review this determination on an ongoing basis as our processing activities scale. Privacy-related enquiries from EEA and UK residents will be handled by our Privacy Officer.
Enterprise customers and organizations subject to the GDPR or UK GDPR may request a Data Processing Agreement (DPA) by contacting us at [email protected].
If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact us:
PodWarden Technologies Inc.
Attn: Privacy Officer
Vancouver, British Columbia, Canada
[Street Address to be inserted]
Email: [email protected]
Website: https://podwarden.com
17. Governing Law
This Privacy Policy is governed by and construed in accordance with the laws of the Province of British Columbia and the federal laws of Canada applicable therein. Any disputes arising under or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of British Columbia, Canada.
© 2026 PodWarden. All rights reserved.