Legal

Privacy Policy

brintOS's whole architecture is built on the idea that your machine runs in your tab. That means very little of what you do inside a brintOS machine ever reaches our servers.

Last updated: July 4, 2026.

Plain-English summary. We collect what we need to operate the service, keep your account secure, and bill you correctly — nothing more. We don't sell personal data. We don't run third-party advertising. When you stop using brintOS, you can take your data with you.

1. Who controls your data

JD Brinton Consulting, Inc. ("brintOS", "we") is the controller of personal data processed through brintos.io. You can reach our privacy team at privacy@brintos.io.

2. What we collect

  • Account information. Username, email address, optional display name, optional avatar URL, and how you signed in (email/password, Google, or GitHub).
  • Machine metadata. Repository names, descriptions, visibility, stars, forks, the machine spec (CPU / RAM / device list).
  • Machine content. The root filesystem and snapshots you upload, stored encrypted at rest.
  • Operational telemetry. Server-side request logs (HTTP method, path, status code, response time, client IP) retained for 30 days.
  • Aggregate usage analytics. We measure site traffic ourselves, server-side, without cookies and without any third-party analytics service. We record the page visited, an approximate location (country only), a coarse browser/OS category, and — for visitors who aren't signed in — a truncated network prefix (the first 24 bits of an IPv4 address or 48 bits of an IPv6 address). We never store your full IP address or raw browser fingerprint for analytics, so this data cannot identify you.
  • Billing. Stripe handles every transaction. We receive a customer ID and the subscription state. We never see your card number.

3. What we don't collect

  • The runtime activity inside your brintOS machine. Bytes typed at a shell, files opened, USB transfers — none of that touches our servers.
  • Third-party analytics / advertising trackers. There are zero on brintos.io.
  • Sensitive personal data we don't need. We won't ask for government IDs unless required by a future Enterprise compliance commitment.

4. Why we use it

  • To operate the service and authenticate you.
  • To bill you correctly on paid plans.
  • To protect the service from abuse (rate limiting, fraud detection, security investigations).
  • To send you account-critical email — for example, password resets and billing receipts. We do not send marketing email by default.

5. Who we share it with

We use a small number of sub-processors:

  • Amazon Web Services — cloud infrastructure (us-west-2): encrypted object storage, database, and transactional email (SES).
  • Stripe — payment processing.
  • Cloudflare — CDN and edge protection.

We do not share personal data with anyone else except where required by law.

6. Retention

  • Account data: kept as long as your account is active.
  • Machine snapshots: kept until you delete them.
  • Operational logs: 30 days.
  • Aggregate usage analytics (pseudonymous, no full IPs): up to 13 months.
  • Billing records: 7 years, as required by US tax law.

7. Your rights

You can export, correct, or delete your data from account settings, or by emailing privacy@brintos.io. If you're in the EU/UK/Switzerland, you also have the right to lodge a complaint with your local data protection authority.

8. Children

brintOS is not directed at children under 13 (16 in the EU/UK). We do not knowingly collect data from them.

9. Changes

We'll update the date at the top of this page when this policy changes. Material changes will be notified by email to registered users.