This Privacy Policy describes how Alter ("Alter," "we," "us," or "our"), operated by Alter Inc., San Francisco, USA, collects, uses, discloses, and safeguards information about you when you use our OAuth credential management platform available at aIterai.org (the "Service"). Please read this Privacy Policy carefully. If you do not agree with its terms, do not access or use the Service.
1. Information We Collect
1.1 Information You Provide Directly
We collect information you provide when you create an account, contact us, or use features of the Service:
- Account registration data: Your name, email address, company name, job title, and password when you sign up for the Service.
- Payment information: Billing name, address, and payment card details when you subscribe to a paid plan. Card numbers are processed by our payment processor (Stripe) and are not stored on our servers.
- Support communications: Messages, attachments, and contact details when you submit a support request or communicate with our team at hello@aIterai.org.
- Survey and feedback data: Responses to optional surveys, product feedback forms, or beta program participation.
- Demo and sales inquiries: Information provided when requesting a product demonstration, including your role, organization size, and use case description.
1.2 Information Collected Automatically
When you use the Service, we automatically collect certain technical information:
- Log data: IP address, browser type and version, operating system, referring URLs, pages visited on our website, timestamps, and error logs generated during Service use.
- Device information: Device identifiers, hardware model, operating system version, and browser fingerprint data.
- Usage data: Features accessed, API endpoints called, agent registrations created, policy configurations, and token event counts (without token content).
- Cookies and tracking technologies: We use cookies, web beacons, and similar technologies to maintain session state, remember preferences, and analyze traffic patterns. See our Cookie Policy for full details.
1.3 OAuth and Credential Data
The core function of the Service involves processing OAuth credential flows on your behalf. In doing so, we handle:
- Agent registration data: Agent identifiers, names, and role assignments you configure within the platform.
- Policy configurations: Scope policies, TTL settings, and provider configurations you define for your agents.
- Token event metadata: Metadata about token mint, use, and revocation events — including timestamps, agent IDs, scope granted, and provider identifiers. We do not log token values (the actual OAuth access tokens) in our application logs; tokens are held transiently in memory during the proxy operation only.
- OAuth client credentials: Client IDs and client secrets you register with Alter for your OAuth applications. These are encrypted at rest using AES-256 encryption. Alter personnel cannot access plaintext client secrets.
1.4 Information from Third Parties
We may receive information about you from third-party sources, including:
- Identity providers (Google, GitHub, Microsoft) if you use social login to authenticate with the Alter dashboard.
- Analytics providers who aggregate behavioral data to help us understand how the Service is used.
- Business intelligence and CRM platforms that may provide firmographic data associated with your email domain.
2. How We Use Your Information
We use the information we collect for the following purposes:
2.1 Service Operation and Delivery
- To create and maintain your account and provide access to the Service.
- To process OAuth credential requests on behalf of your registered agents.
- To enforce your configured scope policies and TTL rules.
- To generate the audit event stream that you export to your SIEM.
- To process payments and send billing communications.
- To respond to support requests and troubleshoot technical issues.
2.2 Service Improvement and Security
- To analyze aggregate usage patterns to improve platform reliability, performance, and features.
- To detect, investigate, and prevent fraudulent activity, unauthorized access, and security incidents.
- To comply with our security monitoring obligations and respond to legal requests from law enforcement or regulatory authorities.
2.3 Communications
- To send transactional emails (account confirmation, password reset, billing receipts, policy alert notifications).
- To send product updates, release notes, and security advisories — these are sent to all account holders and cannot be opted out of while maintaining an active account.
- To send optional marketing communications about Alter features and content, subject to your communication preferences. You may opt out of marketing emails at any time via the unsubscribe link or by contacting hello@aIterai.org.
3. How We Share Your Information
We do not sell personal information. We share information in the following circumstances:
3.1 Service Providers
We engage third-party vendors who process data on our behalf subject to written data processing agreements that restrict their use of your data to providing services to us. Current categories include:
- Cloud infrastructure: Amazon Web Services (AWS) — compute, storage, and networking. Alter's infrastructure runs in AWS us-east-1 and us-west-2 regions.
- Payment processing: Stripe, Inc. — payment card processing and billing management.
- Email delivery: Postmark — transactional email delivery.
- Error monitoring: Sentry — application error tracking and diagnostics.
- Product analytics: PostHog — privacy-preserving product usage analytics, self-hosted on our infrastructure.
- Customer support: Intercom — customer messaging and support ticket management.
3.2 Legal and Compliance
We may disclose your information if required to do so by law or in the good-faith belief that such disclosure is necessary to: (a) comply with a legal obligation, subpoena, or court order; (b) protect the rights, property, or safety of Alter, our users, or the public; or (c) detect and prevent fraud or security threats. We will notify affected account holders when legally permitted to do so.
3.3 Business Transfers
In the event of a merger, acquisition, financing, reorganization, or sale of all or a portion of Alter's assets, your information may be transferred to the acquiring entity. We will notify you via email and/or a prominent notice on our website of any change in ownership or uses of your personal information, and you will have a choice as to whether your information is transferred under materially different privacy terms.
4. Data Retention
We retain different categories of data for different periods based on operational necessity and legal obligations:
- Account data: Retained for the lifetime of your account plus 90 days following account termination, after which it is permanently deleted from our systems.
- OAuth token event audit logs: Retained for 90 days on Standard plans, 12 months on Growth plans, and according to customer-configured retention policies on Enterprise plans. Customers may export their full audit log before account termination.
- Billing records: Retained for 7 years following the transaction date to comply with financial reporting requirements.
- Support communications: Retained for 3 years from the date of the last interaction.
- Security incident logs: Retained for 2 years from the date of the incident to support potential legal or regulatory proceedings.
- OAuth client credentials (encrypted): Retained while active in the platform. Deleted within 24 hours of credential removal by the account holder or within 30 days of account termination, whichever is sooner.
Anonymized aggregate data (usage statistics, performance metrics) may be retained indefinitely as it does not identify individuals or organizations.
5. Data Security
We implement security measures appropriate to the sensitivity of the data we process:
- Encryption at rest: All customer data is encrypted at rest using AES-256. OAuth client secrets are encrypted using an additional application-layer encryption key stored separately from the data it protects.
- Encryption in transit: All data transmitted between clients and Alter's systems uses TLS 1.2 or higher. TLS 1.0 and 1.1 are disabled on all endpoints.
- Access controls: Internal access to production systems and customer data is restricted to authorized personnel on a need-to-know basis, enforced through role-based access controls and multi-factor authentication requirements.
- Vulnerability management: We conduct quarterly penetration testing by an independent security firm. Critical and high-severity findings are remediated within 30 and 90 days respectively.
- Incident response: We maintain a documented incident response plan and will notify affected customers within 72 hours of becoming aware of a data breach affecting their data, in accordance with GDPR Article 33 and applicable US state notification laws.
No security measure is perfect. If you discover a potential security vulnerability in our platform, please report it to srikar@aIterai.org before public disclosure. We take all security reports seriously and respond within one business day.
6. International Data Transfers
Alter is headquartered in San Francisco, USA. If you access the Service from the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data may be transferred to and processed in the United States and other countries outside your jurisdiction.
For transfers of personal data from the EEA to the United States, we rely on the following legal mechanisms: (a) Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our Data Processing Agreement available upon request; and (b) the UK International Data Transfer Agreement (IDTA) for transfers from the United Kingdom. Where we transfer data to sub-processors, we ensure equivalent protections are in place through contractual agreements.
7. Your Privacy Rights
7.1 Rights Under GDPR (EEA Residents)
If you are located in the EEA, you have the following rights under the General Data Protection Regulation:
- Right of access: You may request a copy of the personal data we hold about you.
- Right to rectification: You may request correction of inaccurate or incomplete personal data.
- Right to erasure: You may request deletion of your personal data where we have no compelling legitimate grounds to continue processing it.
- Right to restriction: You may request that we restrict processing of your data in certain circumstances.
- Right to data portability: You may request your personal data in a structured, machine-readable format.
- Right to object: You may object to processing based on our legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
- Right not to be subject to automated decision-making: We do not make automated decisions with legal or similarly significant effects about individuals.
7.2 Rights Under CCPA (California Residents)
California residents have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you in the preceding 12 months.
- Right to delete: You may request deletion of personal information we have collected about you, subject to certain exceptions.
- Right to correct: You may request correction of inaccurate personal information.
- Right to opt out of sale or sharing: We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise any of the above rights, submit a request to hello@aIterai.org with the subject line "Privacy Rights Request." We will respond within 30 days (CCPA) or one month (GDPR), which may be extended by an additional two months for complex requests. We may ask you to verify your identity before fulfilling your request.
8. Cookies
We use cookies and similar tracking technologies on aIterai.org. For a full description of the cookies we use, their purposes, and how to manage your cookie preferences, please see our Cookie Policy.
9. Children's Privacy
The Service is intended for use by businesses and professionals. We do not knowingly collect personal information from individuals under the age of 16. If we become aware that we have inadvertently collected personal information from a child under 16, we will take steps to delete it promptly. If you believe we have collected information from a child, please contact us at hello@aIterai.org.
10. Third-Party Links
The Service may contain links to third-party websites, products, and services including OAuth providers such as GitHub, Slack, Google, and Salesforce. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services you connect to through Alter, as they govern how those parties handle the data you share with them through their OAuth implementations.
11. Changes to This Privacy Policy
We may update this Privacy Policy periodically. When we make material changes, we will notify you by email to the address associated with your account and by posting a notice on our website at least 30 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision. Your continued use of the Service after the effective date of the revised policy constitutes acceptance of the updated terms.
For minor changes that do not materially affect your rights, we will update this page and revise the "Last updated" date without individual notification.
12. Contact Information
For questions about this Privacy Policy, to exercise your privacy rights, or to report a privacy concern, contact us at:
Alter Inc.
San Francisco, CA, USA
Email: hello@aIterai.org
For data protection inquiries (EEA): hello@aIterai.org (subject: "GDPR Inquiry")
If you are located in the EEA and believe we have not addressed your privacy concerns, you have the right to lodge a complaint with your local data protection supervisory authority. In the Republic of Ireland (our designated EU representative jurisdiction), the supervisory authority is the Data Protection Commission (dataprotection.ie).