Privacy Policy
Last updated: February 8, 2026
1. Introduction
This Privacy Policy describes how Butterfly Security ("we", "us", or "the Service") collects, uses, and protects your information when you use our backup and disaster recovery service for identity providers and automation platforms.
2. Information We Collect
2.1 Account Information
When you sign up, we collect:
- Email address (from your OAuth provider)
- Name (from your OAuth provider, if available)
- OAuth provider identifier (Google, GitHub, or Microsoft)
2.2 Provider Connection Information
To perform backups, we store:
- Your provider domain or tenant URL
- Encrypted OAuth credentials
- Connection metadata (last backup time, status)
2.3 Backup Data
When you run a backup, we store:
- Identity and automation configuration snapshot (users, groups, apps, policies, recipes, connections, etc.)
- Workflows and automation exports (if applicable)
- Backup metadata (timestamp, size, resource counts)
2.4 Usage Information
We collect usage data to improve the Service:
- Backup frequency and timing
- Feature usage patterns
- Error logs for troubleshooting
- Website analytics (via Google Analytics, with your consent): pages visited, referral source, device type, browser type, and approximate geographic location. IP addresses are anonymized. This data is used solely to understand how visitors use our website and improve the experience.
3. How We Use Your Information
We use your information to:
- Provide the backup and restoration services
- Authenticate you to the Service
- Connect to your identity providers and automation platforms via API
- Store and manage your backup files
- Send service-related notifications (backup status, errors)
- Improve and maintain the Service
- Respond to support requests
4. Data Storage and Security
4.1 Where We Store Data
- Account and connection data: Supabase (PostgreSQL database with encryption at rest)
- Backup files: Cloudflare R2 (encrypted object storage)
4.2 Security Measures
- API credentials are encrypted with AES-256 before storage
- All data in transit is encrypted with TLS 1.3
- Backup files are stored in isolated paths per user
- Sessions are secured with HTTP-only cookies
- Authentication uses OAuth 2.0 (no passwords are stored)
See our Security page for more details.
5. Data Sharing
We do not sell your personal information. We may share data only in these circumstances:
- Service providers: We use Supabase for database hosting, Cloudflare for storage and application hosting, and Google Analytics for website analytics (with your consent). These providers process data on our behalf under strict data protection agreements.
- Legal requirements: We may disclose information if required by law or in response to valid legal process.
- Business transfers: In the event of a merger or acquisition, your data may be transferred to the new entity.
6. Data Retention
We retain your data for as long as your account is active. Backup files are retained according to your backup settings and plan limits.
When you delete your account, we permanently delete:
- Your account information
- All provider connection details
- All backup files
7. Your Rights
You have the right to:
- Access: View your account information and backup history in your dashboard
- Export: Download your backup files at any time
- Delete: Delete your account and all associated data from the Settings page
- Correct: Update your account information through your OAuth provider
- Withdraw consent: Revoke analytics cookie consent at any time by clearing your browser cookies and revisiting the site, where you can decline analytics when prompted
8. Cookies & Tracking
8.1 Essential Cookies (Always Active)
These cookies are necessary for the Service to function and cannot be disabled:
- Session cookies — managed by Supabase for authentication and keeping you logged in (HTTP-only, Secure, SameSite=Lax)
- CSRF protection cookies — used during OAuth authorization flows to prevent cross-site request forgery (short-lived, max 10 minutes)
8.2 Analytics Cookies (Require Your Consent)
With your explicit consent, we use Google Analytics to understand how visitors interact with our website. When you accept analytics cookies, Google Analytics may set the following cookies:
- _ga — Distinguishes unique visitors (expires after 2 years)
- _ga_* — Maintains session state (expires after 2 years)
Google Analytics collects: pages visited, time spent on pages, referral source, device and browser type, and approximate geographic location. IP addresses are anonymized before processing. We do not use Google Analytics for advertising, remarketing, or cross-site tracking. We do not use any advertising cookies or tracking pixels.
8.3 Your Cookie Choices
When you first visit our site, you will see a cookie consent banner where you can accept or decline analytics cookies. If you decline (or take no action), no analytics cookies will be set and no data will be sent to Google Analytics.
You can change your preference at any time by clearing your browser cookies for butterflysecurity.org and revisiting the site, where the consent banner will appear again.
8.4 Local Storage
We use browser local storage (not cookies) for:
- Remembering your cookie consent preference
- Storing demo mode session data (no personal information)
- Saving UI preferences (e.g., theme, onboarding tour progress)
Local storage data stays in your browser and is never transmitted to our servers.
9. Children's Privacy
The Service is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance.
11. Contact Us
If you have questions about this Privacy Policy, please contact us at contact@butterflysecurity.org.