Privacy & Data Policy

Kernus is a container monitoring tool. We collect the minimum data needed to show you if your containers are healthy. Nothing more.

Last updated: April 2026

What we collect

  • Container metrics: CPU usage, memory usage, restart count, status, and health state.

  • Host metadata: the hostname you configure in the agent. Nothing else about your machine.

  • Account data: your email address and organization name.

  • Payment data: handled entirely by Stripe. We store a Stripe customer ID — never your card number.

What we don't collect

  • No application logs. Ever.

  • No environment variables or secrets.

  • No container filesystem access.

  • No network traffic inspection.

  • No process-level data inside containers.

  • No usage analytics or telemetry from the agent itself.

How data is stored

  • Metrics are stored in ClickHouse, partitioned by organization. Your data is physically isolated from other organizations.

  • Transactional data (accounts, alert rules, billing) is stored in PostgreSQL.

  • All data is encrypted in transit (TLS). Database access is restricted to the application layer only.

Retention & automatic deletion

  • Metrics are automatically deleted based on your plan's retention period. Free: up to 24 hours. Pro: 7 days. Business: 30 days. Enterprise: 90+ days on default tiers.

  • This is enforced at the database level via TTL — not a background job that might lag. When the retention window passes, the data is gone.

  • Alert history follows the same retention policy as metrics.

Account deletion & data portability

  • You can delete your account at any time. When you do, all associated metrics, alert rules, and organization data are permanently removed.

  • If you cancel a paid plan, your data remains accessible until the end of your billing period, then follows the Free tier retention (24 hours).

  • We don't hold your data hostage. If you need an export before leaving, contact us and we'll provide your metrics in CSV format.

Security practices

  • The agent is fully open source — you can audit every line of code running on your servers.

  • Agent authentication uses revocable tokens with optional expiration dates. Tokens are stored as hashes, never in plaintext.

  • The agent connects outbound only. It doesn't open any ports or accept incoming connections.

  • Passwords are hashed with bcrypt. Sessions use short-lived JWTs with refresh token rotation.

A note on compliance

Kernus is not SOC 2 or ISO 27001 certified. We're a small, focused team — not a company with a compliance department. What we can tell you:

  • We collect only container-level metrics. No PII beyond your email address.

  • Data is automatically purged via database-level TTL. We don't retain data beyond your plan's retention period.

  • The agent is open source. You can verify exactly what leaves your servers before deploying it.

  • If your organization requires a formal DPA or has specific data residency requirements, reach out — we'll work with you.

Questions about your data? Contact us at privacy@kernus.app