Privacy Policy
Last updated: June 4, 2026
1. Introduction
This Privacy Policy describes how Butterfly Security ("we", "us", or "the Service") collects, uses, and protects your information when you use our backup and disaster recovery service for identity providers and automation platforms.
1A. Data Controller
Butterfly Security operates as the data controller for the personal information collected through the Service (such as your account details, usage data, and connection metadata). For backup data retrieved from your identity provider, Butterfly Security acts as a data processor on your behalf – we access and store that data solely according to your instructions and for the purpose of providing the Service. Full processor-role legal framing, sub-processor list, breach-notification SLA, and Standard Contractual Clauses for EU / UK / Swiss customers are in our Data Processing Agreement.
2. Information We Collect
2.1 Account Information
When you sign up, we collect:
- Email address (from your OAuth provider)
- Name (from your OAuth provider, if available)
- OAuth provider identifier (Google)
2.2 Provider Connection Information
To perform backups, we store:
- Your provider domain or tenant URL
- Encrypted OAuth credentials
- Connection metadata (last backup time, status)
2.3 Backup Data
When you run a backup, we store:
- Identity and automation configuration snapshot (users, groups, apps, policies, recipes, connections, etc.)
- Workflows and automation exports (if applicable)
- Backup metadata (timestamp, size, resource counts)
2.4 Usage Information
We collect usage data to improve the Service:
- Backup frequency and timing
- Feature usage patterns
- Error logs for troubleshooting
- Website analytics (via Google Analytics, with your consent): pages visited, referral source, device type, browser type, and approximate geographic location. IP addresses are anonymized. This data is used solely to understand how visitors use our website and improve the experience.
- Marketing-page product analytics (via PostHog, on marketing pages only). Anonymous and cookieless: we record pathname, referrer, and CTA name; we do not record IP addresses, browser fingerprints, or any personal identifier; we do not set cookies or localStorage; we honor the Do-Not-Track browser header. PostHog is not deployed on the authenticated dashboard. See the subprocessors list for vendor details.
3. How We Use Your Information
We use your information to:
- Provide the backup and restoration services
- Authenticate you to the Service
- Connect to your identity providers and automation platforms via API
- Store and manage your backup files
- Send service-related notifications (backup status, errors)
- Improve and maintain the Service
- Respond to support requests
4. Data Storage and Security
4.1 Where We Store Data
- Account and connection data: Supabase (PostgreSQL database with encryption at rest)
- Backup files: Cloudflare R2 (encrypted object storage)
4.2 Security Measures
- API credentials are encrypted with AES-256 before storage
- All data in transit is encrypted with TLS 1.3
- Backup files are stored in isolated paths per user
- Sessions are secured with HTTP-only cookies
- OAuth 2.0 for authentication (no passwords stored)
See our Security page for more details.
4.3 Data Residency
Data is stored in the United States via Cloudflare R2 and Supabase (AWS-hosted). For customers established in the European Economic Area, United Kingdom, or Switzerland, international transfers are governed by the European Commission's Standard Contractual Clauses (Module Two – Controller to Processor, Decision 2021/914) and the UK International Data Transfer Addendum, where applicable. Contact legal@butterflysecurity.org to execute the relevant SCCs. Sub-processor transfer mechanisms are documented at Cloudflare's GDPR resources and Supabase's Privacy Policy.
5. Data Sharing
We do not sell your personal information. We may share data only in these circumstances:
- Service providers (subprocessors): We use Cloudflare for application hosting (Workers), object storage (R2 – for encrypted backup files), DNS, and edge security; Supabase for the Postgres database, authentication, and realtime channels; Stripe for billing and payment processing (no cardholder data ever touches Butterfly); SendGrid (Twilio) for transactional email delivery – sign-in codes, account notifications, drift alerts; Resend for internal founder alerts (recipient is Butterfly only, never customers); Anthropic and OpenAI for the optional in-product AI assistant (redacted Okta metadata only – never raw credentials or backup contents, and never used for model training); and Google Analytics for website analytics (with your consent). Each provider processes data on our behalf under a written data protection agreement. The full, dated sub-processor list is at butterflysecurity.org/subprocessors, and attestations are linked from the Trust Center.
- Legal requirements: We may disclose information if required by law or in response to valid legal process.
- Business transfers: In the event of a merger or acquisition, your data may be transferred to the new entity.
Enterprise customers requiring a Data Processing Agreement (DPA) can review our standard DPA or request a counter-signed copy by contacting legal@butterflysecurity.org.
6. Data Retention
We retain your data for as long as your account is active. Backup files are retained according to your backup settings and plan limits.
During the beta period, data retention schedules may change as the Service evolves. See our Terms of Service for details on beta limitations.
When you request account deletion via Settings → Data rights, Butterfly opens a 30-day grace period during which you can cancel the request. After the grace period expires, we permanently delete within 30 days:
- Your account information
- All provider connection details
- All backup files and restore history
- All audit log rows associated with your team
A counts-only deletion-audit row (team identifier, requesting email, completion timestamp, row-count summary) is retained for compliance – no content of your data survives this step. Full legal framing is in the Data Processing Agreement, Section 11.
7. Your Rights
The following rights apply to all users. For users in the European Economic Area (EEA), United Kingdom, and Switzerland, these rights are provided under the General Data Protection Regulation (GDPR) and equivalent national law. For California residents, these rights are provided under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).
7.1 Right of Access
You can view your account information, connection metadata, and backup history at any time from the Butterfly dashboard.
7.2 Right to Data Portability (GDPR Article 20)
You can download a machine-readable JSON bundle of every row Butterfly holds for your team – including account records, connections, backups, restore history, and audit logs. Encrypted provider secrets (OAuth refresh tokens, API keys, private keys) are redacted from the export, since they cannot be decrypted outside our runtime.
Request an export from Settings → Data rights. The underlying endpoint is GET /api/account/export. Exports are rate-limited to one successful export per 7 days per team.
7.3 Right to Erasure (GDPR Article 17 – “Right to be Forgotten”)
You can request permanent deletion of your account and all team-scoped data from Settings → Data rights. The underlying endpoint is POST /api/account/delete with body {"confirm":"DELETE"}.
Erasure requests trigger a 30-day grace period during which the request can be cancelled (via DELETE /api/account/delete or the same UI). On expiry, all team-scoped rows are hard-deleted from production within 30 days. A counts-only audit row is retained for compliance – no row contents survive.
Only the team owner (super_admin) can fire an erasure request, since the action affects every member of the team.
7.4 Right to Rectification
Update your account information through your OAuth provider (Google). Provider-side changes propagate to Butterfly on next sign-in.
7.5 Right to Withdraw Consent
Revoke analytics cookie consent at any time by clearing your browser cookies for butterflysecurity.org and revisiting the site, where the consent banner will appear again.
7.6 California Consumer Rights – Do Not Sell or Share My Personal Information
Butterfly Security does not sell your personal information, and we do not share it for cross-context behavioural advertising as defined by the CCPA/CPRA. There is therefore no “Do Not Sell or Share” action to take – the default state of your data is already what the CCPA requires. California residents retain the rights of access, deletion, correction, and portability described above, and may also request a list of categories of personal information collected, sources, business purposes, and third parties with whom information is shared. Send such requests to legal@butterflysecurity.org.
7.7 Right to Lodge a Complaint
EEA / UK / Swiss data subjects have the right to lodge a complaint with their local supervisory authority. We'd appreciate the chance to address concerns directly first – contact legal@butterflysecurity.org.
7A. Healthcare Customers (HIPAA)
Butterfly Security is not a HIPAA-covered entity. For healthcare customers (covered entities or business associates under HIPAA) who require a Business Associate Agreement (BAA) before processing Protected Health Information (PHI) through the Service, we make a BAA available on request on the Business plan. Contact legal@butterflysecurity.org to initiate BAA review.
Until a BAA is executed and counter-signed, the Customer should not configure Butterfly to back up any identity provider tenant that contains PHI.
8. Cookies & Tracking
8.1 Essential Cookies (Always Active)
These cookies are necessary for the Service to function and cannot be disabled:
- Session cookies – managed by Supabase for authentication and keeping you logged in (HTTP-only, Secure, SameSite=Lax)
- CSRF protection cookies – used during OAuth authorization flows to prevent cross-site request forgery (short-lived, max 10 minutes)
8.2 Analytics Cookies (Require Your Consent)
With your explicit consent, we use Google Analytics to understand how visitors interact with our website. When you accept analytics cookies, Google Analytics may set the following cookies:
- _ga – Distinguishes unique visitors (expires after 2 years)
- _ga_* – Maintains session state (expires after 2 years)
Google Analytics collects: pages visited, time spent on pages, referral source, device and browser type, and approximate geographic location. IP addresses are anonymized before processing. We do not use Google Analytics for advertising, remarketing, or cross-site tracking. We do not use any advertising cookies or tracking pixels.
8.3 Your Cookie Choices
When you first visit our site, you will see a cookie consent banner where you can accept or decline analytics cookies. If you decline (or take no action), no analytics cookies will be set and no data will be sent to Google Analytics.
You can change your preference at any time by clearing your browser cookies for butterflysecurity.org and revisiting the site, where the consent banner will appear again.
8.4 Local Storage
We use browser local storage (not cookies) for:
- Remembering your cookie consent preference
- Storing demo mode session data (no personal information)
- Saving UI preferences (e.g., theme, onboarding tour progress)
Local storage data stays in your browser and is never transmitted to our servers.
9. Children's Privacy
The Service is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance.
11. Contact Us
If you have questions about this Privacy Policy, please contact us at contact@butterflysecurity.org.