Legal
Privacy Policy
This policy covers how we handle personal data under the UK GDPR and EU GDPR. It applies to both (a) account data we hold about you as a controller, and (b) telemetry data we process on behalf of customers.
- Last updated: 22 April 2026
- Version: v1.0
- Questions: legal@greenslope.io
1. Who we are
Essorix Ltd (“Greenslope”, “we”) is a company registered in England and Wales. Our registered office is recorded on Companies House.
Contact the person responsible for privacy queries at privacy@greenslope.io. We don’t have a designated Data Protection Officer — we are not required to at V1 — but every privacy email is read and answered.
2. What we mean by controller vs. processor
Controller (we decide the purpose): account holder’s email, name, billing contact, payment record via Paddle, marketing-site analytics events (with consent), support emails, and audit logs about account activity. You’re our direct counterparty; this policy applies in full.
Processor (our customer decides the purpose, we act on their instructions): everything customers send us via the OpenTelemetry sink — traces, spans, attributes, release metadata, change events. We process this under our Data Processing Agreement. If you are an end-user of a company that uses Greenslope, that company is the controller; talk to them first.
3. The personal data we hold as controller
Account data
- Name, email address, and any role information provided at signup.
- Company / organisation name and (optional) tax or VAT identifiers you enter for invoicing.
- Paddle transaction references — we do not store full card numbers. Paddle handles card data under PCI DSS.
- Authentication artefacts (password hashes, session tokens, multi-factor device records).
Support and sales data
- Email threads with support@greenslope.io and sales enquiries.
- Demo call notes (if you book a demo).
Marketing-site analytics
- Basic, cookieless page-view and referrer data via Plausible (EU-hosted). See the Cookie Policy.
- Product-analytics events via PostHog Cloud EU when you sign up, gated behind consent.
4. Legal bases
- Contract — account creation, service delivery, billing, support.
- Legitimate interest — securing the service against fraud and abuse, improving the product using aggregated operational metrics, emailing customers about their account.
- Consent — analytics and functional cookies, marketing emails (if you opt in separately).
- Legal obligation — responding to valid legal process, retaining tax records.
5. Where your data lives
Customer telemetry and account-control data are processed in a single EU region (europe-west1, Belgium), regardless of where the customer is located. We don’t operate a US region at V1.
EU↔UK transfers: we rely on the UK-EU adequacy decision. No Standard Contractual Clauses are needed for EU customers because data doesn’t leave the EU for processing; as a UK controller we rely on the UK Extension to the EU-US Data Privacy Framework and adequacy regulations where relevant.
Sub-processors. See the full, current list at /legal/subprocessors. We’ll announce additions before they take effect — our formal 30-day advance-notice machinery is V2+, but we commit now not to silently add sub-processors.
6. How long we keep it
- Hot span retention: 24 hours (Solo) / 48 hours (Starter) — indexed and queryable in real time.
- Warm span archive: 30 days — queryable with latency.
- Aggregates (burn-rate series, SLO history): 3 months.
- Audit log: 12 months rolling.
- Account record: for the duration of your subscription, plus a 30-day grace on cancellation, plus the minimum retention required for tax / legal purposes (UK tax records: 6 years).
- Support emails: 2 years, then archived with reduced access.
7. Your rights
Under UK GDPR and EU GDPR, you can:
- Ask us what personal data we hold about you.
- Ask us to correct, update, or delete it.
- Port a copy of your account data in a machine-readable format.
- Object to processing based on legitimate interest.
- Withdraw consent (where we rely on consent).
- Complain to your supervisory authority — in the UK, the ICO; in the EU, the authority in your country.
To exercise any of these rights, email privacy@greenslope.io. We respond within 30 days. If your request is complex, we may extend by up to 60 days and tell you why.
8. Telemetry processed on behalf of customers
Greenslope receives OpenTelemetry traces from customer systems. Traces may incidentally contain personal data (e.g. a user ID in a span attribute) if a customer has chosen to instrument it.
We do not perform ingest-side PII redaction at V1 — customers are responsible for redacting at the source. This is a deliberate V1 constraint; short retention (30 days warm, max) is the residual mitigation. Ingest-side redaction is on the V2+ roadmap.
If you’re an end user and want your data removed from a customer’s tenant, contact the customer directly. We’ll help them action your request as outlined in the DPA.
9. AI processing
The Auto-SRE triage and postmortem drafting features run inference on Gemini on Vertex AI in the EU region. Your prompt data (span content, release metadata) is not used to train models by Google or by us. See the Security page for detail.
10. Cookies and tracking
See the Cookie Policy for specifics on categories, vendors, and consent mechanics.
11. Security
Transport is TLS 1.2+. At rest we use encryption provided by Google Cloud (AES-256 managed keys). Access controls are role-based and audited. Security posture is summarised on the Security page.
For suspected vulnerabilities please see our responsible-disclosure policy on the Security page.
12. Breach notification
We operate a Sev-1 Data Breach doctrine: if a breach occurs, we notify the UK ICO within 72 hours where required, and notify affected data subjects without undue delay for high-risk breaches.
13. Children
Greenslope is a B2B engineering tool and is not directed at children. We don’t knowingly process personal data of anyone under 16. If you believe a child’s data has ended up in our systems, email privacy@greenslope.io and we’ll remove it.
14. Changes to this policy
We update this policy as our processing changes. Material changes are announced by email to account owners. The version and date are recorded at the top of the page.
15. Contact
privacy@greenslope.io for privacy requests. legal@greenslope.io for legal notices. support@greenslope.io for anything else.