Privacy Policy

Last Updated: October 16, 2025

Saturn, Inc. ("Saturn", "we", "us", or "our") provides cron and scheduled job monitoring services with statistical anomaly detection. This Privacy Policy explains how we collect, use, disclose, and protect information when you use our Services.

Note: The complete Privacy Policy with all technical details is available in the website/docs/legal/privacy-policy.md file in the repository. This page provides a summary of key points.

1. Information We Collect

1.1 Account & Authentication Data

  • Email address: For account creation and magic link authentication
  • Google OAuth profile: Basic profile information (email, name, picture)
  • Password hash: bcrypt-hashed passwords (never plaintext)
  • Organization membership: Your role (OWNER, ADMIN, MEMBER)
  • Session data: JWT tokens via NextAuth v5

1.2 Billing & Payment Information

  • Stripe Customer ID: Links your organization to billing
  • Subscription metadata: Plan type, billing cycle, limits
  • What we DON'T store: Credit card numbers, CVV codes (handled by Stripe)

1.3 Monitoring Data

  • Monitor definitions (names, schedules, cron expressions)
  • Ping timestamps and states (start/success/fail)
  • Runtime metrics and durations
  • Anomaly statistics (using Welford's algorithm): mean, stddev, z-scores
  • Incident records and resolution data
  • Health scores (0-100, A-F grades)
  • MTBF/MTTR calculations

1.4 Output Capture (Optional)

If you enable output capture:

  • Job output: stdout/stderr up to 10KB (100KB for Enterprise)
  • Storage: MinIO (S3-compatible) with pattern outputs/{monitorId}/{timestamp}.txt
  • Automatic redaction: Passwords, API keys, AWS credentials, private keys, credit cards
  • Access control: Organization-scoped (row-level security)

IMPORTANT: While we apply best-effort redaction, you are responsible for reviewing what data your jobs output. Do not include PHI or highly sensitive data unless absolutely necessary.

2. How We Use Your Data

  • Provide the Services: Monitor jobs, detect anomalies, send alerts
  • Enforce security: Rate limiting, RBAC, row-level security
  • Anomaly detection: Calculate z-scores, trigger incidents
  • Analytics & insights: Health scores, MTBF/MTTR, uptime
  • Alerting: Send notifications via email, Slack, Discord, webhooks
  • Billing: Process subscriptions, enforce plan limits
  • Support: Troubleshoot issues, respond to inquiries

3. Data Sharing

Service Providers (Sub-Processors)

  • Vercel (USA): Web application hosting
  • Fly.io (USA): Background worker hosting
  • Neon (USA): PostgreSQL database
  • Upstash (USA): Redis caching and queues
  • MinIO: Object storage for output capture
  • Sentry (USA): Error tracking
  • Resend (USA): Transactional email
  • Stripe (USA/Ireland): Payment processing

4. Your Privacy Rights

For All Users

  • Access: Request a copy of your data
  • Correction: Update inaccurate information
  • Deletion: Request account and data deletion
  • Portability: Receive data in machine-readable format (JSON/CSV)

GDPR Rights (EEA/UK Users)

  • Restriction: Limit processing of your data
  • Object: Object to processing based on legitimate interests
  • Withdraw consent: For consent-based processing
  • Lodge a complaint: With your local supervisory authority

CCPA Rights (California Residents)

  • Know: What personal information we collect and use
  • Delete: Request deletion of personal information
  • Opt-out: We do NOT sell personal information
  • Non-discrimination: Exercise rights without penalty

5. Data Security

  • Encryption in transit: TLS 1.2+ for all HTTPS connections
  • Token hashing: SHA-256 (irreversible)
  • Row-level security: Automatic org-level data isolation
  • Rate limiting: 60-120 requests/minute
  • Secure headers: HSTS, CSP, X-Frame-Options
  • Input validation: Zod schemas prevent injection attacks
  • CSRF protection: NextAuth v5 built-in

6. Data Retention

  • Active monitors & pings: While account is active
  • Run history: 7 days (FREE), 90 days (PRO), 365 days (BUSINESS)
  • Output capture: Configurable (default 30 days)
  • Deleted monitors: Data deleted within 30 days
  • Closed accounts: Data deleted within 90 days
  • Billing records: 7 years (tax compliance)

7. Contact Information

For the complete Privacy Policy with all technical details, international transfer mechanisms, and legal bases, please refer to the comprehensive document in website/docs/legal/privacy-policy.md.

Questions?

For questions about this document or Saturn's practices, please contact us:
