Privacy Policy
Last updated: March 16, 2026
At Burrow, we take the privacy of your data seriously. It was a founding principle and it remains central to how we build and operate the platform. We promise we never sell your data — never have, never will.
This policy explains what data we collect, why we collect it, how it's handled, and your rights regarding that data.
Website Visitors
The privacy of our website visitors is important to us, so we do not track individual people. We use Plausible Analytics, a privacy-focused analytics tool that collects no personal data and uses no cookies.
As a visitor to useburrow.com:
- No personal information is collected
- No cookies are stored in the browser
- No information is shared with, sent to, or sold to third parties
- No information is shared with advertising companies
- No information is mined for personal or behavioral trends
We collect anonymous, aggregate usage data for statistical purposes only — referral sources, top pages, visit duration, device type, country, and browser.
Account Holders
Our guiding principle is to collect only what we need and to process information solely to provide the service you signed up for.
Email address
Required to create an account, log in, send invoices, and deliver essential communications like updates and security alerts.
Name and profile image
Collected during registration or via third-party sign-in. Used to personalize your account and for display in team settings.
Session & authentication
We store a session cookie when you log in so you don't have to re-authenticate on each visit. You can clear cookies at any time through your browser settings.
Third-party sign-in
You may authenticate using Google or GitHub OAuth. When signing in through a third-party provider, we receive your name, email, and profile image as authorized by that provider. We do not access other data from your Google or GitHub account through the sign-in flow.
Additional cookies
In addition to the session cookie, we may store: (a) a temporary invite token cookie for up to 15 minutes during sign-up when accepting an early access invitation, automatically removed after use or expiration; and (b) a preference cookie for up to 7 days to remember your sidebar layout preference.
Integration data
When you authorize a third-party integration (e.g., GitHub, Google Analytics, Plausible, Fathom, Oh Dear), our platform accesses data made available by that integration's API, limited to the permission scopes you approve. This data is used to ingest events, build dashboards, and generate reports within Burrow.
Operational event data
Events ingested through connected integrations, webhooks, SDKs, or custom channels are stored and processed to power your dashboards, client portals, and reports. This includes event metadata such as timestamps, event types, and source identifiers.
Encryption
All sensitive data we collect is kept fully secured and encrypted at rest and in transit. This includes client names, project identifiers, integration tokens, and event payloads.
AI & Scout Agent
The Scout Agent uses third-party large language model providers to process your queries and operational data in order to generate insights, summaries, and configuration recommendations.
- Data sent to LLM providers is used solely to generate responses to your specific queries
- Your data is not used to train third-party models
- We minimize the data sent to only what's necessary for the requested operation
- AI-generated outputs are ephemeral and not stored by the LLM provider beyond the request lifecycle
You can use Burrow without engaging the Scout Agent. AI features are opt-in.
Client Portals
When you generate a read-only sharing link for a client, the recipient can view the data you've chosen to share without creating a Burrow account. We do not collect personal data from portal viewers beyond anonymous page-view analytics.
You control which data is visible in each portal, and links can be revoked at any time from your dashboard.
Third-Party Services
We use a select number of trusted external providers to deliver the Services. These providers are carefully selected and meet high data protection and security standards. We only share information required for the services they provide.
Stripe
Payment processing (when paid plans are introduced). Burrow does not store credit card information. See Stripe's Privacy Policy.
Resend
Transactional email delivery for reports and account communications. Open tracking and link tracking are disabled on all emails. See Resend's Privacy Policy.
Anthropic
AI model provider for the Scout Agent. Data is processed via Anthropic's API and is not used to train models. See Anthropic's Privacy Policy.
Plausible Analytics
Privacy-focused website analytics with no personal data collection. See Plausible's Data Policy.
Infrastructure providers
We use industry-standard cloud hosting, CDN, edge delivery, and background processing providers to operate the platform. These providers process data only as necessary to deliver their services and are bound by their respective data protection obligations.
A complete list of sub-processors is available upon request. Contact us if you need this information for compliance purposes.
Personal Data
Burrow is designed for operational intelligence, not personal data tracking. Our Services should not be used to collect, store, or process personal data of individuals (such as full names, email addresses, or mailing addresses of end users) through event ingestion.
If we detect intentional misuse of Burrow for personal data tracking, we may terminate your account without warning.
Data Retention
We retain your information as long as your account is active and as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements.
When your account is deleted, all associated data is queued for permanent removal. You may request account deletion by contacting us. Deleted accounts and their data cannot be recovered.
Your Rights
You have the right to access, correct, or delete your personal data at any time. You can manage most of this through your account settings. For requests we can't handle through the dashboard, contact us and we'll respond promptly.
Changes
We may update this policy as needed to comply with relevant regulations and reflect new practices. Significant changes will be communicated through our website or email.
Contact us if you have any questions, comments, or concerns about this privacy policy, your data, or your rights.