PRIVACY POLICY

Bedrock Dynamics ("we", "us", "our") operates Substrate, an AI-powered hardware development platform. This Privacy Policy explains how we collect, use, disclose, and protect your personal information.

We are committed to protecting your privacy and being transparent about our data practices. By using Substrate, you agree to the collection and use of information in accordance with this policy.

2.1 Account Information

When you create an account, we collect:

• Email address (via Clerk authentication)
• Display name or username
• Profile picture (if provided)
• Authentication provider (GitHub, Google, etc.)

2.2 Usage Data

We automatically collect:

• IP address and approximate location
• Browser type and version
• Device information
• Pages visited and time spent
• Features used and interactions
• Error logs and performance metrics

2.3 Project Data & AI Training

What we store in your workspace:

• Natural language prompts and descriptions
• Generated firmware code
• Hardware configurations and wiring diagrams
• Project metadata (names, timestamps, platform selections)
• Compilation logs and error messages

Pro Tier ($15/month+): Paid subscribers can completely opt out of training data collection in Settings → Privacy → Training Data. When opted out, your code is never sent to training pipelines and is not retained beyond your active workspace.

2.4 Billing Information

Payment processing via Stripe collects:

• Billing address
• Payment method details (handled securely by Stripe, we do not store full card numbers)
• Transaction history

We use collected data to:

• Provide the Service: Generate code, compile firmware, manage your projects
• Improve AI Models (Free Tier Only): Train and refine our code generation models using successfully compiled firmware code. This includes analyzing what code patterns work for different hardware platforms, optimizing compilation success rates, and improving code quality. All training data is anonymized and stripped of identifiers before use. Pro tier users can opt out.
• Personalize Experience: Remember your preferences and hardware choices
• Process Payments: Handle subscriptions and billing
• Provide Support: Respond to inquiries and troubleshoot issues
• Send Notifications: Service updates, security alerts, billing reminders
• Ensure Security: Detect fraud, abuse, and security threats
• Comply with Law: Meet legal obligations and enforce our terms

Legal Basis (GDPR): We process training data based on consent (free tier use implies consent), legitimate interest (improving our service), and contract performance (providing the free service in exchange for training data contribution). Pro tier users can withdraw consent by opting out of training.

We share your data only in these circumstances:

4.1 Service Providers

• Clerk: Authentication and user management
• Supabase: Database hosting and file storage
• Vercel: Frontend hosting and edge functions
• Modal: AI model inference and compilation workers
• Stripe: Payment processing
• Qdrant: Vector database for hardware documentation

4.2 Legal Requirements

We may disclose information if required by law or to:

• Comply with legal process (subpoenas, court orders)
• Enforce our Terms of Service
• Protect our rights, safety, or property
• Investigate fraud or security issues

4.3 Business Transfers

If Bedrock Dynamics is acquired or merges with another company, your data may be transferred as part of that transaction. You will be notified of any such change.

We retain your data for as long as necessary to provide the Service and comply with legal obligations:

• Account Data: Until you delete your account, then 30 days
• Project Data: Until you delete projects, or account deletion + 30 days
• Usage Logs: 90 days for analytics, 1 year for security/fraud prevention
• Billing Records: 7 years (tax/legal requirements)
• Anonymized Training Data (Free Tier): Indefinitely for AI model improvement. Once code is collected and anonymized for training, it remains in our training datasets even if you later delete your account or upgrade to Pro tier. The anonymized data cannot be traced back to your account or projects.

You can request immediate data deletion by contacting privacy@bedrockdynamics.com. Note: Only identifiable personal data and active projects can be deleted; anonymized training data cannot be removed from existing datasets.

Depending on your location, you have rights regarding your personal data:

6.1 Access & Portability

Request a copy of your data in machine-readable format (JSON export). Available in Account Settings → Privacy → Export Data.

6.2 Correction

Update your profile information anytime through Account Settings.

6.3 Deletion (Right to be Forgotten)

Delete your account and all associated data through Account Settings → Delete Account. Deletion is permanent and cannot be undone.

6.4 Opt-Out of Marketing

Unsubscribe from promotional emails via the link in any email or through Account Settings. You will still receive essential service notifications.

6.5 Object to Processing

Object to certain data processing (e.g., marketing, profiling) by contacting privacy@bedrockdynamics.com.

6.6 Training Data Opt-Out (Pro Tier)

Pro tier subscribers ($15/month or higher) can opt out of AI model training in Settings → Privacy → Training Data. This is a forward-looking right: it prevents future collection but does not remove already-collected anonymized training data from existing datasets.

Free tier users: Training data collection is mandatory for free tier access. If you require privacy controls, upgrade to Pro tier before creating sensitive projects.

We implement industry-standard security measures:

• Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
• Authentication: Secure sessions via Clerk with MFA support
• Access Control: Role-based access, principle of least privilege
• Monitoring: 24/7 security monitoring and incident response
• Regular Audits: Security reviews and penetration testing
• Data Isolation: Tenant-based data segregation (your data is yours alone)

No system is 100% secure. While we take extensive precautions, we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential.

We use cookies and similar technologies for:

8.1 Essential Cookies

(Cannot be disabled - required for the Service to function)

• Authentication sessions (Clerk)
• Security tokens (CSRF protection)
• Load balancing and performance

8.2 Analytics Cookies

(Can be opted out)

• Usage analytics (Vercel Analytics)
• Performance monitoring
• Error tracking (anonymized)

Manage cookie preferences in Account Settings → Privacy → Cookie Preferences.

Substrate may contain links to hardware vendor websites, documentation, or community resources. We are not responsible for the privacy practices of these external sites. Please review their privacy policies before sharing information.

Substrate is not intended for children under 13 (or 16 in the EU). We do not knowingly collect data from children. If you believe a child has provided us with personal information, contact privacy@bedrockdynamics.com immediately for account removal.

Your data may be processed in the United States or other countries where our service providers operate. These countries may have data protection laws different from your jurisdiction.

For EU users: We comply with GDPR through Standard Contractual Clauses (SCCs) with our processors.

We may update this Privacy Policy periodically. Material changes will be announced via:

• Email notification (30 days advance notice)
• In-app banner notification
• Blog post with change summary

Continued use after changes constitutes acceptance. If you do not agree, please delete your account.

For privacy-related questions, requests, or concerns:

Response Time: We aim to respond to privacy requests within 30 days.

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

• Right to know what personal information is collected
• Right to know if personal information is sold or disclosed (we do not sell your data)
• Right to opt-out of sale (N/A - we don't sell data)
• Right to deletion
• Right to non-discrimination for exercising CCPA rights

To exercise these rights, contact privacy@bedrockdynamics.com with "CCPA Request" in the subject line.