Last updated: 2026-06-05
Introduction
This Privacy Policy explains how Capnode handles personal data and the operational data we process to run the service. Capnode is an autonomous AI Site Reliability platform for Kubernetes: you install a lightweight agent into your cluster, and it streams cluster state and events to the Capnode server so we can detect, diagnose, remediate, and learn from the conditions inside your clusters.
We have written this policy to be specific about an architecture that is unusual for a SaaS product: a meaningful amount of what we process is infrastructure telemetry that you control, not direct personal data about identifiable people. Where personal data is involved, we apply the protections described below. This policy applies to capnode.io, the Capnode web application, the Capnode agent, and related services (collectively, the "Service").
This policy should be read together with our Terms of Service, Cookie Policy, Data Processing Addendum, and the list of our Sub-processors.
Who we are
The Service is operated by AIKAY Technologies Pvt Ltd ("AIKAY", "we", "us", "our"), the company behind the Capnode product. Registered office: AIKAY Technologies Pvt Ltd, India (registered office available on request).
For personal data relating to your account, billing, and your use of the Service, AIKAY acts as a data controller. For the Kubernetes cluster telemetry the agent processes on your behalf, AIKAY acts as a data processor, and you (our customer) are the controller; that relationship is governed by our Data Processing Addendum. If you have any questions about this policy or our data practices, contact us at support@capnode.io.
Data we collect
We collect the following categories of data, each for a specific, limited purpose.
a) Account and contact data
When you sign up, request a demo, or contact us, we collect data you provide directly — such as your name, work email address, company name, role, and the contents of your messages to us. If you subscribe to a paid plan, our payment processor collects billing details; we receive limited information such as plan, billing status, and the last four digits of a card, but not full card numbers.
b) Kubernetes cluster telemetry (processed by the agent)
The Capnode agent runs inside your cluster under RBAC-scoped, least-privilege permissions and streams operational telemetry to the Capnode server over a long-lived, authenticated connection. This includes:
- Object metadata — names, namespaces, labels, annotations, and ownership references for pods, nodes, deployments, services, and other Kubernetes objects.
- Events and conditions — Kubernetes events, pod restart reasons (for example CrashLoopBackOff, OOMKilled, ImagePullBackOff), node pressure, and similar health signals.
- Resource metrics — CPU and memory requests, limits, and usage where available, used to right-size workloads and surface cost.
- Kubernetes object specs — the declarative spec of your objects so we can diagnose drift and propose remediations.
Important: object specs and metadata are customer-controlled and may contain configuration you place there — including environment variable names, ConfigMap and annotation contents, and image references. We do not request or read the contents of Kubernetes Secret values. You decide what your objects contain; if you avoid putting personal data or credentials in plain-text specs, annotations, and ConfigMaps, that data is never transmitted to us. We process this telemetry on your behalf and under your instructions.
c) Usage and analytics data
When you use the Capnode web application, we collect limited technical and usage data — pages and features used, actions taken (such as approving a remediation), browser and device type, approximate location derived from IP, and timestamps. We use this to operate, secure, and improve the Service. We do not use this data to build advertising profiles.
d) Cookies and similar technologies
We use a small number of strictly necessary and (with your consent where required) analytics cookies. For full detail on what we set, why, and how to control them, see our Cookie Policy.
How we use it
We use the data described above to:
- Operate the Service — authenticate you, maintain the agent-to-server connection, store cluster state, and render the web application.
- Detect, diagnose, and remediate — identify failure modes in your clusters, propose fixes, and execute approved remediations. Safe, low-risk actions may run automatically; risky actions always require a human approval click.
- Improve the Service — analyze aggregated operational signals to improve detection accuracy and the platform. Our remediation learning operates on your own cluster's patterns to serve you; we do not train models on one customer's data to benefit another without appropriate safeguards.
- Provide support — respond to your requests, troubleshoot issues, and communicate service-related notices.
- Secure the Service — detect, investigate, and prevent abuse, security incidents, and fraud, and enforce our terms.
- Meet legal obligations — comply with applicable law, respond to lawful requests, and keep records we are required to keep.
Legal bases (GDPR / EEA)
If you are in the European Economic Area or the UK, we rely on the following legal bases under the GDPR / UK GDPR to process personal data:
- Performance of a contract — to provide the Service you have signed up for, manage your account, and process billing.
- Legitimate interests — to secure and improve the Service, prevent abuse, and run essential analytics, balanced against your rights and freedoms.
- Consent — for non-essential cookies and any optional communications; you may withdraw consent at any time.
- Legal obligation — where processing is required to comply with applicable law.
For cluster telemetry processed on your behalf, your organization is responsible for establishing the legal basis for that processing as the controller; we act on your documented instructions under the Data Processing Addendum.
Sharing & disclosure
We do not sell personal data. We share data only in these limited circumstances:
- Service providers (sub-processors) — vetted vendors who process data on our behalf to deliver the Service, under contractual confidentiality and data-protection obligations.
- Within your organization — with users and administrators you have authorized on your Capnode account.
- Legal and safety — where required by law, valid legal process, or to protect the rights, property, or safety of AIKAY, our customers, or the public.
- Business transfers — in connection with a merger, acquisition, financing, or sale of assets, with notice and continued protection of your data.
Sub-processors
We engage a limited set of sub-processors for infrastructure hosting, payments, error monitoring, and communications. We maintain a current list, including each sub-processor's purpose and processing location, on our Sub-processors page. We require each sub-processor to provide data protection at least as protective as this policy and our customer agreements.
International transfers
We and our sub-processors may process data in countries other than the one in which you are located, including outside the EEA, UK, and India. Where we transfer personal data internationally, we rely on appropriate safeguards — primarily the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum where applicable — together with supplementary technical and organizational measures. You can request more information about these safeguards at support@capnode.io.
Data retention
We retain data only as long as necessary for the purposes described in this policy:
- Account and billing data — for the life of your account and as required afterward to meet legal, tax, and accounting obligations.
- Cluster telemetry — current cluster state is retained to operate the Service; historical state, events, and incident records are kept for a limited operational window and then aggregated or deleted in line with your plan and our retention configuration.
- Support and communications — for as long as needed to resolve your request and maintain a reasonable record.
When you close your account, we delete or anonymize personal data within a reasonable period, except where retention is required by law. Disconnecting the agent triggers cleanup of your cluster's transient state from our systems.
Security measures
Security is foundational to how Capnode is built. Our measures include:
- Least-privilege agent — the agent runs under RBAC-scoped permissions, never mutates its own namespace, and is designed for a contained blast radius.
- Human-in-the-loop safety — risky remediations always require explicit human approval; only low-risk actions are eligible for automation.
- Encryption — data is encrypted in transit between the agent, server, and web application, and at rest in our managed datastores.
- Access controls — role-based access, authentication, and tenant isolation so each customer's data is logically separated.
- Monitoring — logging, anomaly detection, and incident response processes to detect and respond to threats.
No system is perfectly secure, but we work continuously to protect your data and to harden the platform.
Your rights
Depending on where you live, you have rights over your personal data.
If you are in the EEA or UK (GDPR)
You have the right to access, rectify, and erase your personal data; to restrict or object to processing; to data portability; and to withdraw consent where processing is based on consent. You also have the right to lodge a complaint with your local supervisory authority.
If you are in California (CCPA / CPRA)
You have the right to know what personal information we collect and how we use it, to request access and deletion, and to correct inaccurate information. You may exercise these rights without discrimination. We do not sell your personal information, and we do not share it for cross-context behavioral advertising.
To exercise any of these rights, email support@capnode.io. We will verify your request and respond within the timeframes required by applicable law. If your request relates to data we process on behalf of a customer (cluster telemetry), we will refer you to that customer or assist them in responding.
Children
The Service is a business tool intended for organizations and is not directed to children. We do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us personal data, contact support@capnode.io and we will delete it.
Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the "Last updated" date above and, where appropriate, provide additional notice. Your continued use of the Service after an update takes effect constitutes acceptance of the revised policy.
Contact
Questions, requests, or concerns about this policy or your personal data are always welcome. This policy is governed by the laws of India, with GDPR/EEA and CCPA protections applied where relevant.
Contact us about privacy
AIKAY Technologies Pvt Ltd, India (registered office available on request). For any privacy question or to exercise your data rights, email support@capnode.io.