Legal

Privacy Policy

Last updated 10 June 2026

This policy covers the website at provenrail.com and its subdomains. It is written to be read, not to hide behind. The short version: the Provenrail software is self-hosted, so the records it produces never reach us, and the website itself collects only what it needs to run.

The software does not send us your data

Provenrail is distributed as open-source software that you run on your own infrastructure. The audit records your agents produce go to a sink you operate. We do not receive, store, or have any access to those records or their contents. When you self-host, you are the data controller for your own data; we are not a processor of it.

What the website collects

• Server logs. Like any website, our host records standard request metadata (IP address, user agent, timestamp, requested URL) to operate the site, prevent abuse, and diagnose problems. These logs are retained for a short period and then discarded.
• The verifier. The /verify page runs entirely in your browser. Your bundle is never transmitted to our servers; verification is computed locally on your device, and we never receive or store it.
• No advertising trackers. We do not sell personal data and do not embed third-party advertising or cross-site tracking pixels.

When you create an account

If you sign in at /account, we create an account so you can manage a subscription and your commercial license key. For this we store your email address and your plan and subscription status. We do not store passwords: you sign in with GitHub, Google, or a one-time email link. If you choose GitHub or Google, that provider confirms your identity and shares your email address with us; we do not receive your password or post on your behalf. We never store, receive, or have access to the audit records your agents produce. Those remain on infrastructure you operate.

Who processes this data for us

• Supabase hosts authentication and the account database (your email, plan, subscription status, license key). Data is stored in the EU (Frankfurt). Supabase acts as our processor under a data processing agreement.
• GitHub and Google are optional sign-in providers. If you use one, it authenticates you and returns your email address and a unique identifier so we can match your account. We request only your basic profile and email.
• Polar handles payments and subscriptions as the Merchant of Record. When you subscribe, Polar is the seller and processes your billing details and applicable tax; we never see or store your card data. Polar shares back only your subscription status and a customer reference.

We do not use this data for advertising and do not sell it.

Cookies and local storage

This site sets no cookies, and uses no analytics, advertising, or cross-site tracking. When you sign in on the account page, your session is kept in your browser's local storage for the single purpose of keeping you signed in. It is never sent to advertisers or third parties, and it is cleared when you sign out. Because we use only this strictly necessary mechanism and no tracking, no cookie consent banner is required.

Email you send us

If you email us, we keep that correspondence to reply and for our records. We do not add you to a marketing list without your consent.

Your rights

If you are in the EU/EEA or UK, you have rights to access, correct, or erase personal data we hold about you, and to object to or restrict its processing. To exercise them, email privacy@provenrail.com. We respond to legitimate requests within the statutory timeframe.

The data controller is the operator of Provenrail, a sole trader registered under individual activity (individuali veikla) in Lithuania. For any data-protection matter, including a request to identify the controller, contact privacy@provenrail.com. This policy is governed by the laws of the Republic of Lithuania. Your GDPR (or UK GDPR) rights above apply regardless, and you may lodge a complaint with your local data protection authority. In Lithuania this is the State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija), vdai.lrv.lt.

Changes

If this policy changes materially, we will update the date above and, where appropriate, note the change on this page.

Contact

Questions about privacy: privacy@provenrail.com.