Privacy Policy
Last updated: March 12, 2026
1. Introduction
envnest ("we", "us", "our") operates the envnest platform, including the web application, CLI tool, and API (collectively, the "Service"). This Privacy Policy explains how we collect, use, and protect your information when you use the Service.
2. Information We Collect
Account Information
When you create an account, we collect your email address, name, and authentication credentials. You may also sign up or log in using a third-party provider. We receive the following profile information depending on the provider you authorize:
- Google: Name, email address, and profile picture.
- GitHub: Name, email address, username, and avatar.
We only request the minimum scopes necessary for authentication. We do not post to your social media accounts, access your contacts, or read private repositories. You can revoke envnest's access at any time through your provider's account settings.
Secrets and Environment Variables
The core purpose of envnest is to store and manage your secrets and environment variables. All secrets are encrypted at rest using industry-standard encryption with unique per-secret data encryption keys, wrapped via envelope encryption. envnest is not a zero-knowledge system. The server performs encryption and decryption using key encryption keys managed through our key management system.
When you use AI-powered features (described below), certain secret metadata — such as secret names (keys) and, where you explicitly invoke AI analysis, secret values — may be transmitted to a third-party AI provider. See the "AI Features" section for details.
Usage Data
We collect information about how you interact with the Service, including CLI commands executed (command names and flags, not secret values), API requests, timestamps, IP addresses, and browser or client metadata. This data is used for audit logging, security monitoring, and service improvement.
CLI Device Metadata
When you use the envnest CLI tool, each request transmits a device identifier (UUID), the CLI application version, and the operating system. This metadata is used to identify sessions, support debugging, and enforce per-device access controls. It is not used for advertising and is not shared with third parties beyond our infrastructure providers.
Audit Logs
Every secret access, modification, and permission change is logged for security and compliance purposes. Failed login attempts — including web and CLI — and organization permission denials are also audit-logged with IP address and user context. Audit log retention varies by plan: 7 days (Free), 30 days (Team), and 1 year or more (Business).
Bot and Fraud Prevention
We use Cloudflare Turnstile on authentication pages to detect automated abuse. Turnstile operates client-side and may collect browser signals to verify that you are a human. Cloudflare's processing of this data is governed by Cloudflare's Privacy Policy. We do not receive or store the raw signals Cloudflare processes.
Payment Information
Billing for paid plans is handled by Stripe. We do not collect or store your full payment card details. When you subscribe, you interact directly with Stripe's payment forms. We receive and store only limited billing metadata (plan type, subscription status, Stripe customer ID). Stripe's processing is governed by Stripe's Privacy Policy.
3. AI Features and Data Sent to Third-Party AI Providers
envnest offers optional AI-powered features on Team and Business plans. These features are powered by large language models (LLMs) provided by third parties. By using AI features, you consent to the relevant data being transmitted to the AI provider as described below.
AI Diff Analysis and Risk Assessment
When you use the AI diff feature or request AI analysis of environment changes, secret keys and their change status (added, removed, modified) are sent to the AI provider to generate a natural-language summary and risk assessment. Secret values are not sent to the AI provider for diff analysis. Only key names and change metadata are transmitted.
Secret Grouping Recommendations
When you request AI-powered secret grouping recommendations, your secret key names (not values) are sent to the AI provider to generate suggested group labels. This is processed as a background job. You can trigger grouping only for ungrouped secrets or request a full regroup.
AI Assistant (/ask)
The AI assistant endpoint allows you to ask questions scoped to your organization and environment. Your question and the names of secrets in the selected environment are included in the prompt sent to the AI provider. Secret values are not included in AI assistant prompts. The assistant includes prompt injection guardrails and is constrained to respond only within the scope of your environment.
AI Provider
AI features are powered by an appropriate third-party AI provider. Data sent to the AI provider is subject to their applicable privacy policy and API data usage terms. We configure our AI provider account such that data submitted via the API is not used to train AI models by default.
4. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Authenticate your identity and authorize access to secrets
- Encrypt, store, and decrypt your secrets as requested
- Generate audit logs for your organization
- Send transactional communications (account verification, security alerts, member invitations)
- Monitor for abuse, unauthorized access, and security threats
- Process payments and manage subscriptions via Stripe
- Power AI features when you explicitly invoke them (Team and Business plans only)
- Improve the Service based on aggregated, non-identifiable usage patterns
5. How We Protect Your Information
We implement technical and organizational measures to protect your data, including:
- Encryption at rest: All secrets are encrypted using industry-standard encryption with unique data encryption keys. Each key is wrapped by a key encryption key managed through our key management system.
- Encryption in transit: All communications between clients and the Service use TLS 1.2 or higher.
- Access control: Role-based access control (RBAC) at the organization, project, and environment level. Environments can be designated as protected, requiring elevated permissions to modify secrets.
- KMS options: You may use envnest's built-in key management system or bring your own KMS provider (BYOK) on Business plans.
- IP whitelisting: Business plan organizations can restrict API and CLI access by IP address or CIDR range.
- Two-factor authentication: Available for all accounts to protect against credential compromise.
- Secret leak scanning: Password-type secrets are checked against the Have I Been Pwned (HIBP) Pwned Passwords service using a privacy-preserving technique. Only a partial hash prefix is transmitted; the plaintext value is never sent.
6. Secret Sharing
envnest allows you to create shareable links for individual secrets or entire environment sets, including encrypted file attachments. Share links can be protected with a password, limited to a maximum number of views, configured to expire after a set duration, and optionally restricted to members of your organization.
Public share links are accessible to anyone with the link unless you apply access restrictions. Shared data is encrypted at rest. When a share link is revoked, the underlying data is no longer accessible. You are responsible for managing the lifecycle and access controls of any share links you create.
7. Integrations
envnest supports integrations with third-party secret providers. When you configure an integration, secrets may be pushed to or pulled from the connected service under your direction. The following integrations are currently supported:
- GitHub: Synchronize secrets as GitHub Actions secrets or repository variables via the GitHub API.
- GitLab: Synchronize secrets as GitLab CI/CD variables via the GitLab API.
- Vercel: Synchronize secrets as Vercel environment variables via the Vercel API.
When an integration is active, envnest transmits only the secrets you have explicitly authorized to sync, in plaintext, to the connected provider over an encrypted (TLS) connection. The connected provider's privacy policy governs how they store and handle that data. We store OAuth tokens for integrations in encrypted form and revoke them if you disconnect the integration.
8. Data Sharing and Disclosure
We do not sell your personal information or secret data. We may share information only in the following circumstances:
- With your authorization: When you configure integrations (GitHub, GitLab, Vercel), secrets are shared with those third-party services as you direct.
- AI providers: When you use AI features, limited metadata (secret key names, not values) is sent to our AI provider as described in Section 3.
- Payment processor: Billing data is processed by Stripe on our behalf.
- Bot protection: Cloudflare Turnstile processes browser signals on authentication pages.
- Secret leak scanning: Password hash prefixes are sent to Have I Been Pwned for privacy-preserving hash lookups.
- Infrastructure providers: We use cloud hosting and KMS providers to operate the Service. These providers process data on our behalf under contractual obligations and data processing agreements.
- Legal requirements: We may disclose information if required by law, court order, or governmental request.
9. Multi-Tenant Data Isolation
envnest is a multi-tenant platform. Each organization's data is logically isolated. Users can only access secrets, audit logs, and configuration belonging to organizations they are members of, subject to their assigned role. Organization switching requires active membership. We do not commingle secret data across organizations.
10. Change Requests
On Business plans, your organization may require a change request workflow before secrets can be modified in protected environments. Change request records — including the requesting user, approvers, proposed changes, and approval status — are stored and visible to authorized members of your organization. Change request data is subject to the same retention and deletion policies as audit logs.
11. Data Retention
Account data is retained for the duration of your account. Secrets are retained until you delete them or your account is terminated. Soft-deleted secrets and their version history are retained until permanently deleted. Audit logs are retained according to your plan's retention period (7 days Free, 30 days Team, 1 year or more Business). After account deletion, we remove your data within 30 days, except where retention is required by law.
12. Your Rights
Depending on your jurisdiction, you may have the right to access, correct, delete, or export your personal data. You can manage your secrets and account data directly through the CLI or web application. Secret data can be exported in ENV, JSON, or YAML format at any time. For data access or deletion requests, contact us at privacy@envnest.dev.
13. Cookies and Tracking
The envnest web application uses strictly necessary cookies for authentication and session management. Session cookies are HttpOnly and Secure. We do not use advertising cookies on the application.
Our marketing site uses Google Analytics, a web analytics service provided by Google LLC, to help us understand how visitors interact with the site. Google Analytics collects information such as page views, referral sources, approximate geographic location, browser type, and device information through cookies and similar technologies. This data is aggregated and anonymized. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.
14. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. Continued use of the Service after changes constitutes acceptance of the updated policy.
16. Contact
If you have questions about this Privacy Policy, contact us at privacy@envnest.dev.