Privacy Policy
Effective Date: June 10, 2026
1. Introduction
Kamyab Infotech ("CleanShift") is committed to protecting your privacy. This policy explains how we collect, use, store, share, and protect information when you use the CleanShift security platform.
2. Information We Collect
2.1 Account Information
| Data Point | Details |
|---|---|
| Used for account identification and communication | |
| Password | Stored as bcrypt hash — never in plaintext |
| Organization Name | Used for account labeling and multi-tenant isolation |
| API Keys | Stored as hashed values — originals are not retained |
| Billing Information | Processed via pay.kamyab.co.in — we do not store card details |
| Login IP | Recorded for security audit and abuse prevention |
| Browser User Agent | Recorded for session security and device identification |
2.2 Server & Scan Metadata
| Data Point | Details |
|---|---|
| Server Hostname | Identifies the managed server |
| IP Addresses | Server IPs for connectivity and identification |
| Operating System | OS type and version |
| PHP Version | Runtime environment details |
| Control Panel | Server management panel type (e.g. cPanel, Plesk) |
| Agent UUID | Unique identifier for the installed agent instance |
| WordPress Site Paths | File system paths to WordPress installations |
| WordPress Version | Installed WP core version |
| Plugins & Themes | Names and versions of installed plugins and themes |
| File Paths | Paths of scanned files |
| File Hashes (SHA-256) | Cryptographic hashes for integrity verification |
| File Sizes & Timestamps | Metadata for change detection |
| File Ownership | Unix owner/group for permission auditing |
| Threat Details | Detection signatures, severity, and classification |
| Rogue Admin Usernames | Usernames flagged as unauthorized administrators |
| Malicious wp_options Entries | Database options flagged as injected or malicious |
| Security Stack | Detected security plugins and configurations |
| Scan Mode & Duration | Type of scan performed and execution time |
| Heartbeat Data | Agent health and connectivity status |
2.3 What the Agent Does NOT Collect
- ❌ File contents
- ❌ Database row content
- ❌ Passwords
- ❌ Email addresses of your users
- ❌ Customer PII (personally identifiable information)
- ❌ User-generated content
- ❌ SSL/TLS private keys
- ❌ SSH keys
- ❌ Environment variables
2.4 Guard Activity Logs
| Data Point | Retention | Storage |
|---|---|---|
| Blocked IP | 90 days | Stored locally on your server |
| User Agent | 90 days | Stored locally on your server |
| Request URI | 90 days | Stored locally on your server |
| Block Reason | 90 days | Stored locally on your server |
| Timestamp | 90 days | Stored locally on your server |
| Guard Component | 90 days | Stored locally on your server |
2.5 Dashboard Technical Data
| Data Point | Purpose |
|---|---|
| IP Address | Security and rate limiting |
| Browser | Compatibility and session security |
| Device Type | Responsive experience optimization |
| Pages Viewed | Usage analytics and UX improvement |
| Timestamps | Session tracking and audit |
| Referral Source | Understanding how users find the dashboard |
3. How We Use Your Information
3.1 Primary Uses
- Threat detection, analysis, and automated remediation
- Intelligence correlation across anonymized datasets
- Scan reporting and dashboard visualization
- Account management and authentication
- Service improvement and feature development
- Security monitoring and incident response
- Communication regarding your account and the Service
3.2 What We Do NOT Use Data For
- ❌ We do not sell your data to anyone
- ❌ We do not use your data for advertising
- ❌ We do not share individual scan results with other customers
- ❌ We do not mine your data for commercial purposes
3.3 Legal Basis for Processing (GDPR)
| Legal Basis | Description |
|---|---|
| Contract Performance | Processing necessary to deliver the Service you subscribed to |
| Legitimate Interests | Security monitoring, fraud prevention, and service improvement |
| Consent | Crowd intelligence participation and optional communications |
| Legal Obligation | Compliance with applicable laws, regulations, and legal processes |
4. Data Retention
| Data Category | Retention Period |
|---|---|
| Account Information | 90 days after account deletion |
| Scan Results | 90 days |
| Aggregated Statistics | 24 months |
| Threat Intelligence | Indefinitely (anonymized and aggregated) |
| Guard Logs | 90 days (stored locally on your server) |
| Billing Records | 7 years (legal and tax requirements) |
| Dashboard Logs | 12 months |
| API Logs | 30 days |
4.1 Data Deletion
You may request deletion of your account and associated data at any time by contacting privacy@cleanshift.osg.co.in. Upon receiving a valid deletion request, we will delete or anonymize your personal data within 30 days, except where retention is required by law.
4.2 Scan Result Purging
Scan results are automatically purged after 90 days. You may request early deletion of specific scan results through the dashboard or by contacting privacy@cleanshift.osg.co.in. Aggregated, anonymized statistics derived from scan results may be retained beyond this period.
5. Data Sharing and Disclosure
5.1 We Do Not Sell Data
CleanShift does not sell, rent, or trade your personal information or scan data to any third party, under any circumstances.
5.2 Limited Disclosure
We may share data only in the following limited circumstances:
- Sub-Processors: Third-party infrastructure providers necessary to deliver the Service, bound by data processing agreements.
- Law Enforcement: When required by a valid legal order, subpoena, or applicable law. We will notify you unless legally prohibited.
- Business Transfers: In connection with a merger, acquisition, or sale of assets, your data may be transferred to the successor entity.
- With Your Consent: When you explicitly authorize us to share specific data.
- Aggregated Data: We may share anonymized, aggregated statistics that cannot identify any individual customer or server.
5.3 Current Sub-Processors
| Provider | Purpose | Location |
|---|---|---|
| Railway | API hosting and backend infrastructure | US (Oregon) |
| Vercel | Dashboard hosting and delivery | Global CDN |
| pay.kamyab.co.in | Billing and payment processing | — |
6. Data Security
6.1 Technical Measures
| Measure | Description |
|---|---|
| TLS 1.2+ | All data in transit is encrypted with TLS 1.2 or higher |
| Encryption at Rest | All stored data is encrypted at rest |
| RBAC | Role-based access control for all internal systems |
| bcrypt Passwords | All user passwords hashed with bcrypt |
| Rate Limiting | API and authentication rate limiting to prevent abuse |
| Audit Logging | Comprehensive audit trails for all administrative actions |
| 0600 File Permissions | Agent configuration files restricted to owner-only access |
| Atomic Writes | File operations use atomic writes to prevent corruption |
| Cryptographic Verification | Agent updates and intelligence feeds are cryptographically signed |
| CORS/SSRF Protection | Strict cross-origin and server-side request forgery controls |
| shlex.quote() | All shell arguments are safely escaped to prevent injection |
6.2 Organizational Measures
Access to customer data is restricted to authorized personnel on a need-to-know basis. All team members undergo security awareness training. We conduct regular security reviews and follow the principle of least privilege across all systems.
6.3 Breach Notification
In the event of a data breach affecting your personal data, we will notify you and any applicable supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Notification will include the nature of the breach, data affected, and remediation steps taken.
7. International Data Transfers
CleanShift's infrastructure is hosted in the United States. If you are located outside the US, your data will be transferred to and processed in the US.
For transfers of personal data from the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate data protection.
Enterprise customers may opt for a self-hosted deployment to keep all data within their own infrastructure and jurisdiction.
8. Your Rights
8.1 Rights for All Users
Regardless of your location, you have the right to:
- Access the personal data we hold about you
- Export your data in a portable format
- Delete your account and associated data
- Correct inaccurate information
- Object to specific types of data processing
8.2 GDPR Rights (EEA Residents)
| Right | GDPR Article | How to Exercise |
|---|---|---|
| Right of Access | Art. 15 | privacy@cleanshift.osg.co.in |
| Right to Rectification | Art. 16 | privacy@cleanshift.osg.co.in |
| Right to Erasure | Art. 17 | privacy@cleanshift.osg.co.in |
| Right to Restriction | Art. 18 | privacy@cleanshift.osg.co.in |
| Right to Data Portability | Art. 20 | privacy@cleanshift.osg.co.in |
| Right to Object | Art. 21 | privacy@cleanshift.osg.co.in |
| Withdraw Consent | Art. 7(3) | privacy@cleanshift.osg.co.in |
| Lodge a Complaint | Art. 77 | Your local supervisory authority |
8.3 CCPA Rights (California Residents)
| Right | Status | How to Exercise |
|---|---|---|
| Right to Know | Supported | privacy@cleanshift.osg.co.in |
| Right to Delete | Supported | privacy@cleanshift.osg.co.in |
| Right to Correct | Supported | privacy@cleanshift.osg.co.in |
| Right to Opt-Out of Sale | N/A — we do not sell data | — |
| Right to Non-Discrimination | Supported | privacy@cleanshift.osg.co.in |
8.4 Other Jurisdictions
If you are located in a jurisdiction with data protection laws not specifically addressed above (e.g., Brazil's LGPD, Canada's PIPEDA, Australia's Privacy Act), we will honor equivalent rights under your local law. Contact privacy@cleanshift.osg.co.in with your request.
9. Children's Privacy
CleanShift is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data promptly. If you believe a child under 16 has provided us with personal information, please contact privacy@cleanshift.osg.co.in.
10. Cookies and Tracking
10.1 Authentication
The CleanShift Dashboard uses JWT authentication tokens stored as HTTP-only cookies for secure session management.
10.2 What We Do NOT Use
- ❌ Third-party tracking scripts or pixels
- ❌ Advertising cookies
- ❌ Cross-site tracking
10.3 Essential Cookies Only
| Cookie | Duration | Purpose |
|---|---|---|
| JWT Auth Token | 24 hours | Strictly necessary — user authentication |
| CSRF Token | Session | Strictly necessary — cross-site request forgery protection |
Note: Because we use only strictly necessary cookies, no cookie consent banner is required under GDPR.
11. Crowd Intelligence
CleanShift offers an opt-in Crowd Intelligence program that enables participants to contribute to a shared threat intelligence network, improving detection accuracy for all users.
When enabled, the program shares only:
- File hashes (SHA-256)
- Malicious domain names
- Threat detection patterns and signatures
The program never shares:
- ❌ Server hostnames or IP addresses
- ❌ File paths or directory structures
- ❌ Usernames or account information
12. Hosting Providers
When CleanShift is installed on a managed hosting server, the hosting provider remains the data controller for the data on that server. CleanShift acts as a data processor on behalf of the hosting provider.
Hosting provider obligations:
- Ensure appropriate legal basis for deploying CleanShift on customer servers
- Inform end-users about the use of CleanShift as a security tool
- Respond to end-user data subject access requests as the data controller
- Maintain their own privacy policy addressing CleanShift usage
A Data Processing Agreement (DPA) is available on request for hosting providers. Contact legal@cleanshift.osg.co.in.
13. Third-Party Intelligence
CleanShift integrates publicly available threat intelligence data from the following sources:
- NVD / MITRE: CVE vulnerability data from the National Vulnerability Database
- WordPress.org: Plugin and theme version data, checksums, and known vulnerability advisories
- Public Security Advisories: Published security advisories from reputable sources
All matching and analysis using third-party intelligence is performed locally on your server by the CleanShift Agent. No customer data is sent to these third-party sources.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements.
- Material changes: We will notify you at least 30 days in advance via email and a prominent notice on the dashboard before the changes take effect.
- Non-material changes: Minor clarifications or formatting changes may be made without advance notice. The "Effective Date" at the top of this page will always reflect the date of the latest revision.
15. Contact
Kamyab Infotech
Privacy: privacy@cleanshift.osg.co.in
Support: support@cleanshift.osg.co.in
Security: security@cleanshift.osg.co.in
Legal: legal@cleanshift.osg.co.in
WhatsApp: +91 845 409 4444
— End of Privacy Policy —