Privacy Policy

1. Introduction

SiteAutomate (“we,” “us,” or “our”) operates the SiteAutomate platform at siteautomate.net and portal.siteautomate.net, including the web portal, desktop applications (Windows Viewer, Remote Agent), mobile applications, and on-premises Connector Agents (collectively, the “Service”).

This Privacy Policy explains how we collect, use, disclose, and protect information when you use our Service. By accessing or using the Service you agree to the practices described here. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Account Information

When you register or sign in (including via Google OAuth) we collect your name, email address, and organization name. If you enable two-factor authentication we store an encrypted TOTP secret. Passwords are stored using industry-standard bcrypt hashing and are never stored or transmitted in plain text.

2.2 Billing & Payment Information

Payments are processed exclusively by Stripe and/or Square. We do not store full credit or debit card numbers on our servers. We retain only tokenized references, the last four digits of your card, card brand, and transaction metadata necessary to manage your subscription and comply with financial regulations.

2.3 Network & Device Data

When you connect network infrastructure through our Connector Agent or direct API integrations, we collect device configurations, performance metrics, interface statistics, firmware versions, firewall rules, DHCP/DNS records, client device lists, and related network telemetry. This data is associated with your tenant account and is used solely to provide the Service.

2.4 Device Credentials

If you provide credentials for network devices (e.g., SSH or API keys for on-premises equipment), these are encrypted at rest using AES-256 and stored only on your Connector Agent or within your tenant’s encrypted credential vault. Credentials are never transmitted to or stored on our cloud servers in an unencrypted form.

2.5 Remote Access Session Data

Our Remote Access feature streams screen content via WebRTC for real-time viewing and control. Screen frames are transmitted in real time and are not recorded or stored on our servers. Keyboard and mouse input events are relayed in real time and are not logged or persisted.

Session metadata — including start time, end time, agent identifier, and session duration — is logged for auditing, billing, and troubleshooting purposes.

2.6 AI Analysis Data

When you use the AI Network Engineer feature, network configuration and telemetry data is sent to third-party AI model providers to generate analysis and recommendations. We anonymize and pseudonymize this data before transmission. Your identity, tenant name, and personally identifiable information are not shared with AI providers. AI-generated recommendations and action history are stored within your tenant account.

2.7 Penetration Testing Data

Security scan results, vulnerability findings, CVE references, and pen-test reports are generated and stored within your tenant account. This data is not shared with other tenants or third parties.

2.8 Audit Logs

We maintain audit logs of user actions within the platform, including logins, configuration changes, AI action approvals, and administrative operations. These logs include timestamps, user identifiers, IP addresses, and action details.

2.9 Usage & Analytics Data

We collect anonymized usage data (page views, feature usage, performance metrics) through Google Analytics and internal telemetry to improve the Service. Error reports may be sent to Sentry for crash diagnostics; these include stack traces and device context but do not include personal data or network configurations.

2.10 Mobile & Push Notification Data

If you use our mobile application, we collect push notification tokens to deliver alerts and notifications. These tokens are associated with your user account and are deleted when you log out or uninstall the application.

3. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Service
• Authenticate your identity and manage your account
• Process payments and manage subscriptions
• Analyze your network infrastructure and generate AI-powered recommendations
• Execute approved network configuration changes on your behalf
• Deliver remote access sessions between your devices
• Conduct security scans and generate vulnerability reports
• Send transactional emails (account confirmations, alerts, billing receipts)
• Send push notifications for network alerts and system events
• Maintain audit trails for security and compliance
• Diagnose technical issues and improve platform reliability
• Comply with legal obligations and enforce our terms

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

4. Data Sharing & Third-Party Services

We share data only with the following categories of third-party service providers, and only to the extent necessary to operate the Service:

4.1 Payment Processors

Stripe and Square process your payment information. Their use of your data is governed by their respective privacy policies.

4.2 AI Model Providers

Anonymized network data is sent to AI providers (e.g., OpenAI, Anthropic, Google, or other configured providers) to generate analysis. No personally identifiable information is included in these requests.

4.3 Cloud Infrastructure

We use Amazon Web Services (AWS) for hosting, queue processing (SQS), and related infrastructure. All data is encrypted in transit (TLS 1.2+) and at rest.

4.4 Email Delivery

Transactional emails are sent via MailerSend. Email content includes your name, email address, and relevant notification details.

4.5 Analytics & Error Tracking

Google Analytics collects anonymized usage data. Sentry receives crash reports for error diagnostics. Cloudflare Turnstile is used for bot protection on authentication pages.

4.6 Authentication Providers

If you choose to sign in with Google, we receive your name, email, and Google account ID. We do not access your Google account data beyond what is needed for authentication.

4.7 WebRTC Infrastructure

Remote access sessions use WebRTC with TURN relay servers to establish peer-to-peer connections. TURN servers process only encrypted media streams and do not store session content.

4.8 Legal & Compliance

We may disclose information if required by law, regulation, legal process, or governmental request, or to protect the rights, safety, or property of SiteAutomate, our users, or the public.

5. Data Storage & Security

We implement industry-standard security measures to protect your data:

• Encryption in transit — All connections use TLS 1.2 or higher
• Encryption at rest — Databases and file storage are encrypted using AES-256
• Password hashing — User passwords are hashed with bcrypt (12+ rounds)
• Credential encryption — Device credentials are encrypted with AES-256 and never stored in plaintext
• Session security — Sessions are encrypted, use secure cookies, and expire after inactivity
• Two-factor authentication — Available for all accounts via TOTP (authenticator app)
• Role-based access control — Multi-tenant isolation with per-tenant role permissions
• Audit logging — All significant actions are logged with timestamps and user attribution
• Code signing — Desktop applications and agents are digitally signed via Azure Trusted Signing

While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.

6. Data Retention

We retain your data for the following periods:

• Account data — Retained while your account is active and for 30 days after deletion to allow recovery
• Network telemetry & metrics — Retained according to your tenant’s configured retention policy (default: 90 days)
• Audit logs — Retained for up to 1 year
• AI analysis & action history — Retained while your account is active
• Remote session metadata — Retained for up to 90 days
• Billing records — Retained as required by applicable tax and financial regulations

You may request early deletion of your data by contacting us. Certain data may be retained longer if required by law or for legitimate business purposes (e.g., fraud prevention, dispute resolution).

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access — Request a copy of the personal data we hold about you
• Correction — Request correction of inaccurate or incomplete data
• Deletion — Request deletion of your personal data, subject to legal retention requirements
• Data portability — Request your data in a structured, machine-readable format
• Restriction — Request that we limit processing of your data in certain circumstances
• Objection — Object to processing of your data for specific purposes
• Withdraw consent — Where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at privacy@siteautomate.net. We will respond within 30 days. We may request verification of your identity before processing your request.

California Residents (CCPA)

If you are a California resident, you have the right to know what personal information we collect, request its deletion, and opt out of any sale of personal information. We do not sell personal information. To submit a request, contact us at privacy@siteautomate.net.

European Economic Area (GDPR)

If you are in the EEA, our lawful bases for processing include: performance of contract (providing the Service), legitimate interests (improving and securing the Service), consent (where explicitly given), and legal compliance. You have the right to lodge a complaint with your local data protection authority.

8. Cookies & Tracking

We use the following types of cookies and similar technologies:

• Essential cookies — Required for authentication, session management, and security (e.g., CSRF tokens, session identifiers). These cannot be disabled.
• Analytics cookies — Google Analytics cookies to understand usage patterns and improve the Service. You may opt out via your browser settings or the Google Analytics Opt-out Browser Add-on.
• Security cookies — Cloudflare Turnstile tokens for bot protection during authentication.

We do not use advertising cookies or third-party tracking pixels for ad targeting.

9. Children’s Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a child, please contact us at privacy@siteautomate.net and we will promptly delete it.

10. International Data Transfers

Your data may be processed in countries other than your own, including the United States, where our servers and service providers are located. We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where required, to protect your data in compliance with applicable laws.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. For significant changes, we may also notify you via email or an in-app notification. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:

SiteAutomate
Email: privacy@siteautomate.net
General inquiries: sales@siteautomate.net