Privacy Policy

Last updated: March 2, 2026

Overlay Security Inc. ("Overlay", "we", "us") operates the Overlay platform — a security monitoring and control layer for AI coding agents. This Privacy Policy explains how we collect, use, and protect information when you use our services.

Data We Collect

Agent Telemetry

When you connect AI coding agents to Overlay, we collect telemetry data including: file paths accessed, network connection metadata (URLs, IPs, ports), shell commands executed, and security event details. We do not store your source code.

Account Information

When you create an account, we collect your name, email address, and organizational membership through our authentication provider. If you subscribe to a paid plan, payment information is processed by Stripe and is not stored on our servers.

Usage Metadata

We collect standard usage data such as timestamps, session identifiers, API request logs, and browser information to operate and improve the service.

How We Use Your Data

We use the data we collect to:

  • Provide real-time security monitoring and threat detection for your AI coding agents
  • Generate security alerts, reports, and AI-assisted analysis
  • Operate, maintain, and improve the Overlay platform
  • Communicate with you about your account and service updates
  • Comply with legal obligations

We do not sell your data. We do not use your telemetry data for advertising or profiling purposes.

Third-Party Services

We use the following third-party services to operate Overlay:

Service      Purpose
Cloudflare   Infrastructure, CDN, edge computing, data storage
WorkOS       Authentication, SSO, user management
Stripe       Payment processing and billing
Anthropic    AI-assisted security analysis

For the full list of subprocessors and their data processing roles, see our Data Processing Agreement.

Data Retention

Agent telemetry data is retained according to your subscription plan's retention period (7 days for Starter, 30 days for Team, custom for Enterprise). Account information is retained for the duration of your account. When you delete your account, we delete your data within 30 days, except where retention is required by law.

Data Deletion

You can request deletion of your data at any time by contacting us. Upon account deletion, all associated telemetry data, account information, and configuration are permanently removed from our systems within 30 days.

Your Rights

Depending on your jurisdiction, you may have rights including access to your data, correction, deletion, data portability, and the right to object to processing. To exercise these rights, contact us at the address below.

Contact

For privacy-related questions or requests, contact us at [email protected].

For more information about how we handle data processing, see our Data Processing Agreement. For our real-time compliance status and audit reports, visit our Trust Center.