PRIVACY POLICY

Sidero Labs, Inc.

Last Updated: March 6, 2026 (Updated subprocessors and legal language)

Effective Date: March 15, 2026

Sidero Labs, Inc. (“us,” “we,” “our,” or “Sidero”) operates the website https://www.SideroLabs.com/ and related web properties including https://docs.siderolabs.com/ and https://factory.talos.dev/ (collectively, the “Website”), provides Omni, our Software as a Service product (the “SaaS Service”), and offers technical support services. We also develop Talos Linux, an open-source Linux distribution for Kubernetes (collectively with the Website, SaaS Service, and support services, the “Services”).

This Privacy Policy informs you of our policies regarding the collection, use, and disclosure of personal data when you use our Services and the choices you have associated with that data. We use your data to provide and improve the Services. By using the Services, you agree to the collection and use of information in accordance with this policy.

1. Definitions

Services: The Website (https://www.SideroLabs.com/) and related web properties (including https://docs.siderolabs.com/ and https://factory.talos.dev/), Omni (our SaaS product), technical support services, and any related tools, APIs, or optional services such as the Talos Linux Discovery Service.

Personal Data: Any data about a living individual who can be identified from those data (or from those and other information either in our possession or likely to come into our possession).

Usage Data: Data collected automatically, either generated by the use of the Services or from the Services infrastructure itself (for example, the duration of a page visit, IP address, or browser type).

Cookies: Small files stored on your device (computer or mobile device).

Data Controller: The natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal information is processed. For the purpose of this Privacy Policy, we are a Data Controller of your Personal Data when you use the Website. When a customer utilizes Sidero’s SaaS Service, the customer is the Data Controller with respect to any Personal Data inputted into the SaaS Service, and Sidero is the Data Processor.

Data Processor (or Service Provider): Any natural or legal person or entity who processes the data on behalf of the Data Controller. We may use the services of various Service Providers in order to process your data more effectively.

Data Subject (or User): Any living individual who is using our Services and is the subject of Personal Data, or whose data is included by a Customer in Sidero’s SaaS Service.

2. Information Collection and Use

We collect several different types of information for various purposes to provide and improve our Services to you.

2.1 Personal Data

While using our Services, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Personally identifiable information may include, but is not limited to:

  • Email address
  • First name and last name
  • Phone number
  • Address, State, Province, ZIP/Postal code, City
  • Cookies and Usage Data

We may use your Personal Data to contact you with newsletters, marketing, or promotional materials and other information that may be of interest to you. You may opt out of receiving any, or all, of these communications from us by following the unsubscribe link or instructions provided in any email we send or by contacting us.

2.2 Usage Data

We may also collect information on how the Services are accessed and used. This Usage Data may include information such as your computer’s Internet Protocol address (e.g., IP address), browser type, browser version, the pages of our Services that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers, and other diagnostic data.

2.3 Location Data

We may use and store information about your location if you give us permission to do so. We use this data to provide features of our Services and to improve and customize our Services. You can enable or disable location services when you use our Services at any time through your device settings.

2.4 Talos Linux Discovery Service

Talos Linux itself does not collect any telemetry data. However, if you choose to use the optional public Discovery Service, certain information is transmitted, including your Talos version number and IP address. Use of the Discovery Service is entirely voluntary and opt-in.

2.5 Technical Support

When you contact us for technical support, we collect information necessary to assist you, including your name, email address, and the content of your support request. Support interactions may also include diagnostic information such as log files, IP addresses, hostnames, or screenshots that you choose to share with us. This data is processed by our support management sub-processor (Pylon Labs) and is used solely to provide and improve our support services.

2.6 Comments

When visitors leave comments on the Website, we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help with spam detection. An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. After approval of your comment, your profile picture is visible to the public in the context of your comment.

3. Tracking and Cookies

We use cookies and similar tracking technologies to track the activity on our Services and hold certain information. Cookies are files with a small amount of data which may include an anonymous unique identifier.

You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Services.

3.1 Types of Cookies

We use the following categories of cookies:

  • Strictly Necessary Cookies: These cookies are essential for the operation of our Services. They include session cookies and security cookies.
  • Preference Cookies: These cookies remember your preferences and various settings to provide a personalized experience.
  • Analytics Cookies: We use analytics cookies (including Google Analytics) to understand how visitors interact with our Services. These cookies collect information about pages visited, time on site, and referring URLs.
  • Marketing Cookies: We may use marketing cookies (including those set by HubSpot) to track visitors across websites for the purpose of displaying relevant advertising and measuring campaign effectiveness.

For analytics and marketing cookies, we obtain your consent before setting these cookies where required by applicable law. You may manage your cookie preferences through our cookie consent mechanism on the Website.

4. Use of Data

Sidero uses the collected data for the following purposes:

  • To provide and maintain our Services
  • To notify you about changes to our Services
  • To allow you to participate in interactive features of our Services when you choose to do so
  • To provide customer support
  • To gather analysis or valuable information so that we can improve our Services
  • To monitor the usage of our Services
  • To detect, prevent, and address technical issues
  • To provide you with news, special offers, and general information about other goods, services, and events which we offer that are similar to those that you have already purchased or enquired about, unless you have opted not to receive such information

5. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA) or the United Kingdom (UK), Sidero’s legal basis for collecting and using the personal information described in this Privacy Policy depends on the Personal Data we collect and the specific context in which we collect it. We may process your Personal Data because:

  • We need to perform a contract with you
  • You have given us permission to do so (consent)
  • The processing is in our legitimate interests and it is not overridden by your rights
  • To comply with a legal obligation

5.1 Automated Decision-Making

We do not engage in automated decision-making or profiling as described under Article 22 of the GDPR. No decisions that produce legal effects or similarly significantly affect you are made solely by automated means.

6. Retention of Data

We retain Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. The following retention periods apply by category:

  • Account Data (name, email, contact details): Retained for the duration of your account or business relationship, plus 3 years after termination, to comply with legal obligations and resolve disputes.
  • Usage Data and Analytics: Retained for up to 26 months from the date of collection, unless required for security or legal purposes.
  • SaaS Service Customer Data: Retained for the duration of the customer agreement. Upon termination, customer data is deleted within 90 days unless a longer retention period is required by law or requested by the customer.
  • Billing and Transaction Data: Retained for 7 years to comply with tax and financial reporting obligations.
  • Support Ticket Data: Retained for 3 years after the ticket is closed.
  • Comments on the Website: Retained indefinitely to allow us to recognize and approve follow-up comments automatically.

We will retain and use your Personal Data to the extent necessary to comply with our legal obligations, resolve disputes, and enforce our legal agreements and policies.

7. Transfer of Data

Your information, including Personal Data, may be transferred to and maintained on computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction.

If you are located outside the United States and choose to provide information to us, please note that we transfer the data, including Personal Data, to the United States and process it there.

Your consent to this Privacy Policy followed by your submission of such information represents your agreement to that transfer.

7.1 International Transfer Safeguards

With respect to any Personal Data transferred outside of the EEA or the UK, Sidero ensures that appropriate safeguards are in place to protect that data. We currently rely on the Standard Contractual Clauses (“SCCs”), as approved and adopted by the European Commission effective June 4, 2021. For transfers from the UK, we rely on the UK International Data Transfer Agreement (“IDTA”) or the UK Addendum to the EU SCCs, as applicable.

The SCCs and IDTA serve as pre-approved, standardized clauses that maintain compliance with the GDPR, UK GDPR, and related laws when transferring data internationally.

No transfer of your Personal Data will take place to an organization or a country unless there are adequate controls in place, including the security of your data and other personal information.

8. Disclosure of Data

8.1 Business Transactions

If Sidero Labs, Inc. is involved in a merger, acquisition, or asset sale, your Personal Data may be transferred. We will provide notice before your Personal Data is transferred and becomes subject to a different Privacy Policy.

8.2 Law Enforcement and Legal Requirements

Under certain circumstances, Sidero may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g., a court or a government agency). Sidero may also disclose your Personal Data in the good faith belief that such action is necessary to:

  • Comply with a legal obligation
  • Protect and defend the rights or property of Sidero Labs, Inc.
  • Prevent or investigate possible wrongdoing in connection with the Services
  • Protect the personal safety of users of the Services or the public
  • Protect against legal liability

9. Security of Data

The security of your data is important to us. Sidero maintains a comprehensive information security program, including:

  • SOC 2 Type II certification, with annual independent audits
  • Encryption of data in transit (TLS) and at rest
  • Role-based access controls and the principle of least privilege
  • Regular vulnerability assessments and penetration testing
  • Incident response procedures and employee security training

While we strive to use commercially acceptable means to protect your Personal Data, no method of transmission over the Internet or method of electronic storage is 100% secure, and we cannot guarantee absolute security.

10. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, Sidero will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Where a breach is likely to result in a high risk to affected individuals, we will also notify those individuals without undue delay.

For SaaS Service customers, we will notify the customer (as Data Controller) of any breach affecting their data in accordance with the timeframes specified in our Data Processing Addendum.

11. Do Not Track Signals

We do not currently support Do Not Track (“DNT”) signals. Do Not Track is a preference you can set in your web browser to inform websites that you do not want to be tracked. You can enable or disable Do Not Track by visiting the Preferences or Settings page of your web browser.

12. Your Data Protection Rights (GDPR / UK GDPR)

If you are a resident of the European Economic Area (EEA) or the United Kingdom (UK), you have the following data protection rights:

  • Right of Access: You can request access to the Personal Data we hold about you.
  • Right to Rectification: You have the right to have inaccurate or incomplete information corrected.
  • Right to Erasure: You can request that we delete your Personal Data, subject to certain legal exceptions.
  • Right to Restrict Processing: You have the right to request that we restrict the processing of your Personal Data.
  • Right to Data Portability: You have the right to receive your Personal Data in a structured, machine-readable, and commonly used format.
  • Right to Object: You have the right to object to our processing of your Personal Data.
  • Right to Withdraw Consent: Where we relied on your consent to process your personal information, you have the right to withdraw that consent at any time.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority. A list of EEA supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en. For the UK, you may contact the Information Commissioner’s Office (ICO) at https://ico.org.uk.

We may ask you to verify your identity before responding to such requests. To exercise any of these rights, please contact us at [email protected].

13. Your Privacy Rights Under California Law (CCPA/CPRA)

The California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”), grants certain rights to California residents whose personal information is collected by businesses that meet specified statutory thresholds. Although Sidero Labs does not currently meet the CCPA’s applicability thresholds, we voluntarily extend the following rights and disclosures to California residents as part of our commitment to transparency and data protection.

13.1 Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information:

  • Identifiers (name, email address, IP address, account name)
  • Commercial information (products or services purchased, transaction history)
  • Internet or other electronic network activity information (browsing history on our Website, interactions with our Services)
  • Geolocation data (approximate location derived from IP address)
  • Professional or employment-related information (company name, job title, where voluntarily provided)

13.2 Use and Disclosure

We do not “sell” personal information as defined under the CCPA. We do not “share” personal information for cross-context behavioral advertising. We do not use or disclose sensitive personal information for purposes other than those permitted under CCPA Section 1798.121.

13.3 Your California Privacy Rights

As a California resident, you have the right to:

  • Right to Know: Request the categories and specific pieces of personal information we have collected about you, the sources of collection, our business purpose for collecting it, and the categories of third parties with whom we share it.
  • Right to Delete: Request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information, so this right does not currently apply.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise your rights, contact us at [email protected] or write to us at the address below. We will verify your identity before processing your request. You may also designate an authorized agent to make a request on your behalf.

14. Other U.S. State Privacy Laws

Residents of Colorado, Connecticut, Virginia, Texas, Oregon, Montana, and other states with comprehensive privacy laws may have similar rights to those described above, including the right to access, delete, and correct personal information, and the right to opt out of targeted advertising, profiling, and the sale of personal data. To exercise any applicable rights, contact us at [email protected].

15. Sub-processors

To support the delivery of our Services, Sidero Labs, Inc. (the “Processor”) utilizes the following third-party service providers (“Sub-processors”) to process Customer Data (including Personal Data). These Sub-processors are engaged under written contracts that require them to maintain at least the same level of data protection as required by our Data Processing Addendum and applicable laws.

Sub-processor             | Purpose                                | Location
--------------------------|----------------------------------------|-----------
Amazon Web Services (AWS) | Cloud Infrastructure & Hosting         | USA / EMEA
HubSpot                   | Customer Relationship Management (CRM) | USA
Stripe                    | Payment Processing & Billing           | USA
Google Analytics          | Usage Analytics & Performance          | USA
Pylon Labs, Inc.          | Customer Support Management            | USA
PhoenixNAP                | Cloud Infrastructure & Hosting         | USA / EU
SendGrid                  | Email Delivery                         | USA
Cloudflare                | CDN                                    | USA / EU
Auth0                     | Authentication                         | USA / EU
Google Workspace          | Email for Sidero Employees             | USA / EU
SecureDocs                | Contract Signing and Storage           | USA
UserPilot                 | Error Tracking and Analytics           | USA / EU
PostHog                   | Usage Analytics                        | USA

Changes to Sub-processors: We will notify Customers of any new Sub-processors by updating this page at least 14 days before the new Sub-processor begins processing Customer Data. Customers may subscribe to receive email notifications of such changes by contacting [email protected].

Our Data Processing Addendum (DPA), which governs Sidero’s processing of Customer Data in the SaaS Service, is available upon request by contacting [email protected].

16. Children’s Privacy

Our Services are not directed to anyone under the age of 18 (“Children”) and we do not knowingly collect personally identifiable information from anyone under the age of 16. If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from children without verification of parental consent, we take steps to remove that information from our servers.

17. Links to Other Sites

Our Services may contain links to other sites that are not operated by us. If you click a third-party link, you will be directed to that third party’s site. We strongly advise you to review the privacy policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

18. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the “Last Updated” date. For material changes, we will provide additional notice (such as email notification or a prominent notice on our Website). You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

19. Contact Us

If you have any questions or comments about this Privacy Policy, or wish to exercise your privacy rights, please contact us:

Email: [email protected]

General Inquiries: [email protected]

Sidero Labs, Inc.

Attn: Legal Department

5662 Calle Real #471

Goleta, CA 93117

U.S.A.