Privacy Policy
Last updated June 12, 2026
The short version
We collect the minimum we need to run the business: your email (and name/company at checkout), account and sign-in data through Clerk, and payment data handled by Stripe (we never see your full card number). We don't sell your data. Inside the products, your data largely stays with you — Bastion processes CUI entirely in your browser and it never reaches us; Cairn runs in your own environment. You can ask us to access, export, or delete your personal data via the contact form.
1. Who We Are
Dosanjh Labs is a sole proprietorship operated by Jasvant Dosanjh, based in Washington State, USA. For the personal data we handle to run our business and accounts, Dosanjh Labs is the data controller. For data you process inside our products about your own users and systems, you are generally the controller and we act as your processor (see Section 7).
2. What We Collect
- Account & contact data: your email address, and your name and/or company name provided at checkout or through the contact form.
- Authentication data: sign-in events, passkey/MFA metadata, and SSO identifiers, handled by our authentication provider, Clerk. Accounts are passwordless — we do not store passwords.
- Payment data: handled by Stripe. Stripe processes and stores your card details and billing information. We never receive or store your full card number; we receive limited records such as the last four digits, card brand, billing country, and payment status.
- Subscription & order data: which products and tiers you bought, quantities, billing interval, and invoice history.
- Support data: messages you send us through the contact form.
- Site analytics: our storefront is privacy-respecting and uses no third-party advertising or tracking cookies by default. We may collect basic, aggregated, non-identifying technical information (such as error logs) needed to operate and secure the site.
3. How & Why We Use It (Legal Bases)
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Provide accounts & the Service | Account, auth, subscription | Performance of a contract |
| Process payments & renewals | Payment, order | Performance of a contract |
| Provide support | Contact, support | Contract / legitimate interests |
| Secure & improve the Service | Logs, aggregated data | Legitimate interests |
| Send service & transactional email | Email, account | Contract / legitimate interests |
| Comply with law (tax, accounting) | Order, payment | Legal obligation |
We do not sell your personal information, and we do not use it for third-party advertising.
4. Sub-Processors We Share Data With
We share personal data only with vetted service providers ("sub-processors") who help us run the Service:
| Sub-processor | Purpose |
|---|---|
| Stripe | Payment processing, card data storage, billing, and tax calculation. |
| Clerk | Passwordless authentication, account management, passkeys, MFA, and SSO. |
| Cloudflare | Hosting, content delivery, security, and the application database. |
| Resend | Sending transactional and account email (e.g., sign-in links, receipts). |
Each sub-processor handles your data under its own privacy and security terms. We may also disclose data if required by law or to protect our rights, users, or the public.
5. Cookies & Authentication Tokens
We use cookies and similar technologies that are strictly necessary to operate the Service — primarily authentication and session tokens set by Clerk so you can stay signed in, and security cookies set by Cloudflare. We do not use advertising or cross-site tracking cookies by default. You can control cookies through your browser, though disabling essential cookies may break sign-in.
6. Retention
We keep personal data only as long as needed to provide the Service, comply with legal, tax, and accounting obligations, resolve disputes, and enforce our agreements. When data is no longer needed, we delete or de-identify it. You may request deletion as described in Section 9.
7. Your Data Inside Each Product
How customer data is handled differs by product, by design:
- Sightline connects to tools you operate and processes your security/compliance posture data on your behalf. For this data, you are the controller and we act as your processor, processing it to provide the Service and under your instructions.
- Bastion processes Controlled Unclassified Information (CUI) and your assessment content locally in your own browser. That CUI never reaches Dosanjh Labs — we do not receive, store, or have access to it.
- Lookout agents send server health metrics (status, performance, and similar operational data) to the dashboard so we can display alerts. The agents are outbound-only.
- Cairn is open-source and runs entirely in your own environment. Its data (device inventory and reconciliation) stays with you; Dosanjh Labs does not receive it.
8. Security
We use reasonable administrative, technical, and organizational measures appropriate to the data we handle, including encryption in transit, passwordless authentication with MFA, reputable infrastructure providers, and least-privilege access. No method of transmission or storage is perfectly secure, however, and we cannot guarantee absolute security.
9. Your Privacy Rights (GDPR / CCPA & Similar)
Depending on where you live, you may have rights to access, correct, delete, export (port), or restrict the processing of your personal data, to object to certain processing, and to withdraw consent. California residents have rights under the CCPA/CPRA, including the right to know and delete and the right not to be discriminated against for exercising those rights. We do not sell or share personal information for cross-context behavioral advertising.
To exercise any right, contact us through the contact form. We will verify your request and respond within the timeframe required by applicable law. You may also have the right to lodge a complaint with your local data-protection authority.
10. Children
The Service is intended for businesses and is not directed to children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us data, contact us and we will delete it.
11. HIPAA / Protected Health Information
Dosanjh Labs is not a HIPAA covered entity or business associate, and no Business Associate Agreement ("BAA") is created by this policy or by your use of the Service. Do not submit PHI to any current product. PHI-oriented products (such as the planned Ward) are not yet available and will require a separate, signed BAA before any PHI is processed.
12. International Data Transfers
We and our sub-processors are based in or operate from the United States. If you access the Service from outside the U.S., your data may be transferred to and processed in the U.S. and other countries. Where required, we and our sub-processors rely on appropriate safeguards (such as Standard Contractual Clauses) for such transfers.
13. Data Breach
If we become aware of a security breach affecting your personal data, we will investigate promptly and notify affected users and authorities as required by applicable law, including the timing and content those laws require.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will update the "Last updated" date above and, for material changes, take reasonable steps to notify you. Continued use of the Service after changes take effect constitutes acceptance.
15. Contact
For any privacy question or request, reach us through our contact form — our sole support, legal, and privacy contact channel.