OpStack ("we", "us", "our") is a software service operated by Poomagan Asokan, based in India. OpStack provides Terraform blast radius and deployment risk analysis for AWS and Azure infrastructure.

For privacy-related questions, contact us at: privacy@opstack.in

When you create an account, we collect:

• Username and email address
• Password (stored as a one-way bcrypt hash — we cannot recover your password)
• Account creation date and plan type

If you sign in with GitHub or connect your GitHub account, we collect:

• GitHub user ID and username
• Primary email address from your GitHub account
• GitHub OAuth access token (used to read your profile only)
• GitHub App installation ID and account name (if you install the OpStack GitHub App)

To connect your cloud account, you provide credentials that we store encrypted in our database:

• Azure: Subscription ID, Tenant ID, Client ID, Client Secret
• AWS: Account ID, Region, IAM Role ARN, External ID

These credentials are used solely to query your cloud infrastructure for live resource discovery. We never perform write operations on your cloud account.

When you upload a Terraform plan for analysis:

• The plan file is processed entirely in memory
• The raw plan JSON is never stored on our servers or in our database
• We store the filename, analysis results (findings, risk summary, severity counts), and analysis metadata (date, status, environment)
• Analysis results may contain Terraform resource identifiers (e.g. resource names and addresses) but do not contain secrets or credentials

We collect basic usage data including:

• Number of analyses run per month (for plan limit enforcement)
• Application error logs via Sentry (if configured) — these may include stack traces but not user data
• Standard web server access logs (IP address, timestamp, HTTP status codes) — retained for up to 30 days

• To authenticate you and maintain your account session
• To connect to your cloud account and run infrastructure discovery
• To run Terraform plan analysis and return findings to you
• To enforce plan limits and send plan-related notifications
• To send transactional emails (welcome, password reset) via Resend
• To respond to support requests you submit
• To improve the service based on aggregated, anonymised usage patterns

We do not sell your data. We do not use your data for advertising. We do not share your data with third parties except as described in Section 4.

OpStack uses the following third-party services to operate:

Our backend infrastructure runs on Azure Container Apps and Azure Database for PostgreSQL (Central India region). All application data is stored in this region. Microsoft Privacy Statement

Used for OAuth login and the GitHub App integration. When you authorise GitHub sign-in, GitHub shares your profile and email with us. GitHub Privacy Statement

Used to send transactional emails (welcome emails, password resets). Your email address is passed to Resend solely for email delivery. Resend Privacy Policy

Used for error monitoring. Error reports may include technical details such as stack traces and request metadata but are configured to exclude personally identifiable information. Sentry Privacy Policy

OpStack uses an AWS IAM user to assume cross-account roles when analysing AWS environments. No user data is stored on AWS. AWS Privacy Notice

• Account data: Retained for the lifetime of your account. Deleted within 30 days of account deletion request.
• Analysis results: Retained for 12 months from the date of analysis, then automatically deleted.
• Cloud credentials: Deleted immediately when you disconnect your cloud environment or delete your account.
• Access logs: Retained for 30 days.
• Terraform plan files: Never stored — processed in memory only.

Depending on your location, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate data
• Deletion: Request deletion of your account and associated data
• Portability: Request your data in a machine-readable format
• Objection: Object to processing of your data
• Withdraw consent: Disconnect GitHub OAuth or cloud credentials at any time from your account settings

To exercise these rights, contact us at privacy@opstack.in. We will respond within 30 days.

We implement appropriate technical and organisational measures to protect your data:

• All data in transit is encrypted using TLS
• Passwords are hashed using bcrypt with a per-user salt
• Cloud credentials are stored encrypted in our database
• Access to production systems is restricted to authorised personnel only
• GitHub webhook payloads are verified using HMAC-SHA256 signatures

In the event of a data breach that affects your personal data, we will notify you within 72 hours of becoming aware of it.

OpStack uses a single session cookie (access_token) to maintain your login session. This cookie is:

• HTTP-only (not accessible by JavaScript)
• Scoped to opstack.in
• Not used for tracking or advertising

We do not use third-party tracking cookies or analytics cookies.

OpStack is operated from India. Our primary data storage is in Azure's Central India region. When you use GitHub OAuth, your authentication data passes through GitHub's servers (United States). When transactional emails are sent, your email address is processed by Resend (United States).

By using OpStack, you consent to these transfers. We ensure that any transfers are protected by appropriate safeguards.

OpStack is intended for professional use and is not directed at anyone under the age of 16. We do not knowingly collect personal data from children.

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and notify users via email where required by law. Continued use of the service after changes constitutes acceptance of the updated policy.

For privacy-related requests, questions, or complaints:

• Email: privacy@opstack.in
• Support: www.opstack.in/support