Effective Date: May 21, 2026

This Privacy Policy explains how SubImage Inc. ("SubImage", "we", "us", or "our") collects, uses, shares, and protects information in connection with our websites, services, cloud security products, and customer-authorized integrations. Our website is https://www.subimage.io. You can contact us at privacy@subimage.io.

This policy is not a Data Processing Agreement or Terms of Service. Customer data processing may also be governed by a separate customer agreement, Data Processing Agreement, order form, or similar contract. If there is a conflict between this Privacy Policy and a signed customer agreement for customer-provided data, the signed agreement will control for that customer data.

Scope

This Privacy Policy applies to SubImage's websites, services, cloud security products, and integrations. SubImage customers may authorize integrations with third-party cloud, SaaS, identity, code, collaboration, security, and infrastructure platforms so SubImage can provide security visibility, asset inventory, risk analysis, reporting, remediation guidance, and related security and compliance functionality.

Customer-authorized integrations may include Atlassian, Jira, Confluence, Google Workspace, Google Cloud, GitHub, AWS, Okta, Microsoft Entra, and other connected SaaS or cloud platforms depending on the customer's configuration and the permissions granted.

Information We Collect

We collect information from customers, users, administrators, visitors, and customer-authorized third-party systems. The categories of information we collect may include:

• Account and contact information: name, email address, company, role, account settings, support requests, sales communications, and other business contact information.
• Authentication and integration information: OAuth tokens, API credentials, app installation metadata, tenant IDs, workspace IDs, site IDs, account IDs, user IDs, scopes granted, authorization records, connection status, and related integration metadata.
• Customer environment data: metadata and security-relevant data from connected cloud, SaaS, identity, code, collaboration, and security tools, such as assets, identities, users, groups, permissions, configurations, repositories, alerts, vulnerabilities, security findings, audit metadata, and relationships between resources.
• Usage and diagnostics: logs, timestamps, IP addresses, browser and device metadata, product usage events, feature interactions, error reports, performance data, and security audit logs.
• Billing and business information: billing contacts, contract details, invoice information, and payment-related business records where applicable.

SubImage is designed for enterprise security and infrastructure visibility. Customers control which integrations they connect and which permissions they authorize.

How We Use Information

We use information to:

• Provide, operate, secure, maintain, and improve SubImage services.
• Ingest and analyze customer-authorized security, cloud, SaaS, identity, code, and infrastructure data.
• Generate asset inventory, security insights, findings, reports, attack-path analysis, risk analysis, remediation guidance, and related customer-requested functionality.
• Maintain authentication, authorization, access control, audit logs, monitoring, support, billing, compliance, and abuse-prevention processes.
• Troubleshoot issues, respond to support requests, and communicate with customers about service, support, security, product updates, and administrative matters.
• Comply with legal obligations, enforce agreements, protect rights and safety, and investigate misuse or security incidents.

OAuth and Third-Party Integrations

SubImage only accesses third-party data after an authorized user or administrator grants permission or configures an integration. We request scopes intended to be reasonably necessary to provide the applicable SubImage service or integration functionality.

Customers may revoke access through the third-party provider's authorization, app, or admin settings, or by contacting SubImage at privacy@subimage.io. Revocation may limit or disable the related SubImage functionality.

OAuth tokens, API keys, and integration credentials are protected using appropriate security controls, including access controls, encryption where appropriate, and operational safeguards. Data from integrations is not sold. Data from integrations is not used for advertising. SubImage does not use customer data from integrations to train general-purpose AI models unless the customer expressly agrees in writing.

Google API Services User Data Policy

If SubImage accesses Google user data, SubImage's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

SubImage uses Google API data only to provide customer-authorized security visibility, asset inventory, risk analysis, reporting, and related customer-requested functionality. Customers can revoke Google access through Google account or administrator settings, or by contacting SubImage.

Atlassian, Jira, and Confluence Data

When a customer authorizes an Atlassian, Jira, or Confluence integration, SubImage may access Atlassian account, site, project, issue, group, permission, and configuration metadata depending on the scopes granted and the customer's configuration. SubImage uses this data only to provide security analysis, visibility, reporting, and related customer-requested functionality.

Customers can revoke the integration from Atlassian's app or authorization settings, or by contacting SubImage at privacy@subimage.io.

Sharing and Disclosure

We may share information with:

• Service providers and subprocessors that help us host, operate, secure, monitor, support, and improve SubImage services.
• Customer-authorized users and administrators within the customer's organization, according to the customer's configuration and access controls.
• Legal, compliance, and security recipients when required by law, regulation, legal process, contractual obligation, or to protect the rights, safety, and security of SubImage, our customers, users, or others.
• Corporate transaction parties in connection with a merger, acquisition, financing, reorganization, sale of assets, or similar corporate transaction, subject to appropriate confidentiality protections.

SubImage does not sell personal data. SubImage does not share personal data for cross-context behavioral advertising.

Security

SubImage maintains a security program designed to protect systems, data, and customer environments. Our safeguards include encryption in transit and, where appropriate, encryption at rest; access controls based on least privilege; multi-factor authentication for company systems; logging and monitoring; vendor and security review practices; secure software development practices; vulnerability management; and incident response processes.

No security program can guarantee absolute security. Customers should configure integrations using appropriate administrative controls and promptly notify SubImage of suspected unauthorized access involving SubImage services.

Retention and Deletion

SubImage retains information for as long as needed to provide the service, maintain integrations, comply with legal obligations, resolve disputes, enforce agreements, maintain security and audit records, and support legitimate business purposes.

Customers may request deletion of customer data by contacting privacy@subimage.io. Deletion requests may be subject to contractual, legal, compliance, security, backup, and audit-log limitations. Revoking an integration may stop future collection from that provider but may not automatically delete previously processed data.

Customer Responsibilities

Customers are responsible for obtaining all necessary rights, consents, permissions, and authorizations before connecting third-party systems to SubImage. Customers are also responsible for configuring integrations appropriately, selecting scopes and permissions suitable for their environment, managing their users' access to SubImage, and complying with laws and third-party provider terms that apply to their connected systems.

International Transfers

SubImage is based in the United States. Information may be processed in the United States and other locations where SubImage or its service providers operate. These locations may have data protection laws different from those in your jurisdiction. Where required, SubImage uses appropriate safeguards for international transfers.

Privacy Rights

Depending on your location and applicable law, you may have rights to access, correct, delete, port, restrict, or object to certain processing of your personal data, and to appeal or complain to a regulator. California and other U.S. state privacy laws may also provide rights related to access, correction, deletion, portability, and opting out of certain sharing or sales. SubImage does not sell personal data or share it for cross-context behavioral advertising.

For personal data that SubImage processes on behalf of a customer, the customer is typically the controller or business responsible for responding to privacy rights requests. If you are an end user of a SubImage customer, please contact that customer directly. You may also contact us at privacy@subimage.io, and we will route the request as appropriate.

Children

SubImage services are intended for business and enterprise use and are not directed to children. We do not knowingly collect personal data from children.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes, we will update the Effective Date above. Material changes may be communicated through the website, product, or other appropriate channels.

Contact

For privacy questions, requests, or concerns, contact SubImage at privacy@subimage.io.