Privacy Policy

Jallarhorn™ is a product of Trellis Digital Services LLC ("Trellis", "we"). This Privacy Policy describes what data the hosted Jallarhorn service collects, how it is used, and what we do not do with it. Self-hosted installations of Jallarhorn are addressed separately in section 8.

1. What we collect

When you use the hosted Service, we collect:

  • Account data: email address, username, hashed password (bcrypt), and the tenant you belong to.
  • Tenant metadata: tenant name, creation date, tier, device count, and billing contact.
  • Monitoring configuration: the devices, sensors, thresholds, maintenance windows, notification rules, and alert routing you configure.
  • Metric time-series: the values returned by your sensors, stored in a time-series database with retention set per tier.
  • Operational logs: authentication events, configuration changes, and API request metadata for security and debugging.

We do not load third-party analytics, marketing pixels, session-replay scripts, or cross-site tracking. The only cookie we set is the session cookie (httpOnly, Secure, SameSite=Lax) issued after you log in.

2. How we use it

We use the data above to:

  • Deliver the monitoring service you configured (poll sensors, evaluate thresholds, send alerts).
  • Route notifications to the destinations you specified (email, Slack, Teams, PagerDuty, Discord, Opsgenie, webhook, Web Push).
  • Bill your subscription through our payment processor.
  • Investigate security events, abuse, and operational incidents.
  • Respond to your support requests.

3. What we do NOT do

  • We do not sell, rent, or share your data with advertisers or data brokers.
  • We do not profile users for ad targeting or behavioral retargeting.
  • We do not mine your monitoring data to train models or to build competitive products.
  • We do not embed third-party analytics tags on the hosted Service or the marketing site.

4. Third parties

The following sub-processors touch data in the course of operating the Service:

  • Payment processor — subscription billing and payment card handling. Privacy-policy reference available on request to support@jallarhorn.com.
  • Zoho Mail — transactional and support email delivery on the jallarhorn.com domain. See the Zoho Privacy Policy.
  • Cloudflare — DNS, TLS termination, and edge caching for public endpoints. See the Cloudflare Privacy Policy.

We review this list as our infrastructure changes. Material additions will be announced with the same 30-day notice used for Terms changes.

5. Retention

  • Metric time-series: Free tier 30 days, Office 1 year, Business 5 years, Enterprise custom (as specified in the order form).
  • Account data and monitoring configuration: retained while your account is active; 90 days after cancellation to allow recovery; then deleted.
  • Audit logs: 1 year. Retained for security investigations and compliance response.
  • Billing records: retained for 7 years to meet US tax and accounting requirements.

6. Your rights

You can at any time:

  • Export your monitoring configuration and metric data via the REST API or the export endpoints in the dashboard.
  • Correct inaccurate account data from your user settings.
  • Delete your account from the billing portal; deletion triggers the 90-day retention window described above.
  • Ask us questions about what we hold on you, by emailing support@jallarhorn.com.

If you are in the EU / UK / California, you have the right to object to processing, request data portability, and lodge a complaint with your data-protection authority. Requests are handled by the support email above.

7. Data residency

Hosted Jallarhorn runs in the United States by default. We plan an EU endpoint in Q4 2026 for Business and Enterprise customers who need EU residency; until that ships, customers with strict EU-residency requirements should self-host.

8. Self-hosted

If you run Jallarhorn on your own infrastructure, this policy does not apply to your installation. Your monitoring data stays on your servers; we do not collect it. The only telemetry the binary sends back to Trellis is the license heartbeat (tenant ID, tier, device count) and only when the license server is reachable. Offline licenses are available for fully air-gapped installs.

9. Security

We enforce TLS on every public endpoint with modern cipher suites and HSTS. Passwords are hashed with bcrypt; API keys are stored only as SHA-256 hashes and compared in constant time. JWT session tokens are signed with HS256 using a 256-bit secret and delivered in httpOnly cookies. Releases are signed with cosign (GitHub OIDC keyless) and ship with SPDX SBOMs. See the security page for the full description, including what we do not have (no SOC 2 attestation, no HIPAA BAA, no completed third-party penetration test).

10. Changes

Material changes to this Privacy Policy are announced by email to account administrators at least 30 days before taking effect.

11. Contact

Privacy questions go to support@jallarhorn.com. For vulnerability disclosure, use support@jallarhorn.com.