Privacy Policy

Effective Date: July 11th, 2023
Version 3

Welcome to Layer5. We are Layer5, Inc., the company behind the cloud native management platform Meshery, the Layer5 Cloud service, Kanvas, and a vibrant global open-source community. We are committed to protecting your privacy and being transparent about how we handle your personal data.

This Privacy Notice explains what personal data we collect when you visit our websites, use our services, or participate in our community. It also describes why we collect it, how we use and protect it, and what rights you have regarding your personal data.

For detailed information about the third-party service providers we work with to deliver our services, please see our Sub-Processors and Service Providers, which includes our Data Protection Addendum.

Who We Are


The data controller responsible for your personal data is:

Layer5, Inc.

If you have any questions about this Privacy Notice or wish to exercise your data protection rights, please see the How to Contact Us section below.

Important Clarification: This Privacy Notice applies solely to the services, websites, and communities operated by Layer5, Inc., incorporated in the United States, accessible via the layer5.io domain and its subdomains. It does not apply to any other company or organization that may have a similar name, such as "Layer 5 Solutions Ltd". We are not affiliated with any other entity named "Layer5" or "Layer 5."

Personal Data We Collect, Our Purposes, and Lawful Bases

We process your personal data for a variety of purposes depending on how you interact with us. The table below details what we collect, why we collect it, and the legal justification (lawful basis) under the GDPR for doing so.

Table 1: Summary of Our Data Processing Activities under GDPR

| Purpose for Processing Your Data | Categories of Personal Data We Process | Lawful Basis for Processing (under GDPR) | Data Retention Duration |
|---|---|---|---|
| When you browse our websites (layer5.io, getnighthawk.dev, meshery.dev, ) and applications (cloud.layer5.io, kanvas.new) | | | |
| To operate, secure, and maintain our website. | IP Address, device type, browser information, server logs. | Legitimate Interest (Article 6(1)(f)) - to ensure the security, availability, and performance of our digital properties. | Up to 26 months for server logs, depending on the specific data and its purpose. |
| To analyze website usage and improve user experience. | Anonymized IP address, cookie identifiers, pages visited, duration of visit, clickstream data. | Consent (Article 6(1)(a)) - for non-essential analytics and tracking cookies. You can manage your consent through our cookie banner. | Up to 26 months for analytics data, depending on the specific service used. |
| When you join our community (e.g., Slack, Forum, GitHub) | | | |
| To manage your participation and facilitate collaboration in our open-source projects. | Name, email address, GitHub username, public profile information, content of your contributions (code, comments, issues), and communications. | Legitimate Interest (Article 6(1)(f)) - to operate, manage, and grow our collaborative open source community. | Your contributions are retained indefinitely as part of the public project record. Other personal data is retained for the duration of your participation and up to 12 months thereafter. |
| When you sign up for and use Layer5 Cloud | | | |
| To create and manage your account and provide our services to you. | Name, email address, company name, securely hashed password, GitHub user ID (if used for single sign-on). | Performance of a Contract (Article 6(1)(b)) - this data is necessary to fulfill our contractual obligation to provide the service you have signed up for. | For the duration of your account activity and up to 12 months thereafter for account reactivation and support purposes. |
| To process payments for our paid subscription plans. | Billing address, payment card information (we do not store full card details; they are securely processed by our payment provider, who provides us with a transaction token and confirmation). | Performance of a Contract (Article 6(1)(b)). | Financial data is retained for 7 years to comply with legal and tax obligations. |
| To communicate with you about the service (e.g., important updates, security alerts, billing information). | Email address. | Performance of a Contract (Article 6(1)(b)) and Legitimate Interest (Article 6(1)(f)) - to provide you with essential information about the service you are using. | For the duration of your account activity and up to 12 months thereafter for account reactivation and support purposes. |
| To monitor service performance and improve our products. | Service usage data, API logs, user activity logs, device and browser information. | Legitimate Interest (Article 6(1)(f)) - to maintain and improve the quality and functionality of our services. | For the duration of your account activity and up to 12 months thereafter for account reactivation and support purposes. |
| When you contact us for support or information | | | |
| To respond to your inquiries and provide customer support. | Name, email address, and any other information you provide in the content of your message. | Legitimate Interest (Article 6(1)(f)) - to effectively respond to user inquiries and provide assistance. | For the duration of the support interaction and up to 12 months thereafter for quality assurance purposes. |
| When you subscribe to our marketing communications | | | |
| To send you newsletters, product updates, and other marketing materials. | Name, email address. | Consent (Article 6(1)(a)) - you provide your consent when you opt-in to receive these communications, and you can unsubscribe at any time. | Until you unsubscribe. |

Cookies and Tracking Technologies

We use cookies and similar technologies on our website to help it function, to analyze performance, and to personalize your experience. A cookie is a small text file stored on your device.

  • Strictly Necessary Cookies: These are essential for the website to function and cannot be switched off. They are usually set in response to actions made by you, such as setting your privacy preferences or filling in forms.
  • Performance and Analytics Cookies: These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site.
  • Marketing Cookies: These cookies may be set through our site by our advertising partners to build a profile of your interests and show you relevant adverts on other sites.

We will not set non-essential cookies on your device without your explicit consent. You can manage your cookie preferences at any time through our cookie consent tool, which is accessible via a link in the footer of our website. Withdrawing your consent is as easy as giving it.

Who We Share Your Personal Data With

We do not sell your personal data. However, we share it with trusted third-party service providers who act as our data processors to help us operate our business and services. We only share the minimum amount of data necessary and have contracts in place that require them to keep your information secure and only use it for the purposes we specify.

Categories of these recipients include:

  • Cloud & Hosting Providers: We use third-party cloud infrastructure providers (e.g., Amazon Web Services, Equinix) to host our website, services, and data.
  • Payment Processors: We use secure third-party payment processors (e.g., Stripe) to handle financial transactions for our paid services.
  • Analytics & Monitoring Services: We use services (e.g., Google Analytics) to help us understand how our website and services are used so we can improve them.
  • Communication & Collaboration Platforms: Our open source community operates on platforms like GitHub and Slack. When you participate, your data is processed by these platforms according to their own privacy policies.
  • Business & Support Tools: We use third-party software for customer support (e.g., ClickUp) and customer relationship management to communicate with you effectively.
  • Email and Marketing Automation Providers: We use third-party services to send transactional emails and marketing communications (e.g., MailChimp and Google Groups).

We may also disclose your personal data if required to do so by law or in response to valid requests by public authorities (e.g., a court or a government agency).

Linked Websites and Third-Party Apps

We may provide access or links to third-party websites, Apps, and services that are outside Layer5's control and governed by the respective third party’s privacy policy, not by this Privacy Statement. We encourage you to review the privacy statements posted on the websites you visit and in the applications you use.

Forums and Chat Rooms

If you participate in a discussion forum, local communities, or chat room on a Layer5 website, you should be aware that the information you provide there (such as your public profile and comments) will be made broadly available to others and could be used to contact you, to send you unsolicited messages, or for purposes neither Layer5 nor you have control over. Also, please recognize that individual forums and chat rooms may have additional rules and conditions. Layer5 is not responsible for the Personal Data or any other information you choose to submit in these forums. To request removal of your Personal Data from our blog or community forum, please submit a Privacy Request. In some cases, we may not be able to remove all Personal Data and comments. In such cases, we will provide you with a response and explanation.

International Transfers of Personal Data

Layer5, Inc. is based in the United States. Your personal data will be processed in the United States and other countries where our third-party service providers are located. When we transfer personal data from the European Economic Area (EEA), the UK, or Switzerland to other countries, we do so in compliance with applicable data protection laws.

For transfers of data to countries not deemed to provide an adequate level of data protection by the European Commission, we rely on legal safeguards, primarily the European Commission's Standard Contractual Clauses (SCCs), to ensure your data is protected.

How Long We Keep Your Personal Data

We retain your personal data only for as long as is necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process it, and whether we can achieve those purposes through other means.

  • Account Data: We retain your Layer5 Cloud account data for as long as your account is active and for a period of 12 months thereafter to allow for account reactivation and to resolve any final billing or support issues.
  • Financial Data: Data related to financial transactions is retained for 7 years to comply with legal and tax obligations.
  • Community Contributions: Your contributions to our open-source projects on platforms like GitHub (e.g., code, comments, issues) are part of the public project record and are retained indefinitely.
  • Website Analytics Data: Data collected for analytics purposes is typically retained in an aggregated or anonymized form for up to 26 months.

Your Data Protection Rights

Under the GDPR, you have several important rights regarding your personal data. These include:

  • The right to be informed: You have the right to be provided with clear, transparent, and easily understandable information about how we use your information and your rights.
  • The right of access: You have the right to obtain access to your personal data.
  • The right to rectification: You are entitled to have your information corrected if it is inaccurate or incomplete.
  • The right to erasure: Also known as ‘the right to be forgotten,’ this enables you to request the deletion or removal of your information where there is no compelling reason for us to keep using it.
  • The right to restrict processing: You have rights to ‘block’ or suppress further use of your information.
  • The right to data portability: You have the right to obtain and reuse your personal data for your own purposes across different services.
  • The right to object: You have the right to object to certain types of processing, such as direct marketing.
  • Rights in relation to automated decision making and profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

How to Exercise Your Rights

To exercise any of the rights described above, please send your request to our dedicated privacy email address: privacy@layer5.io.

We will respond to your request within one month of receipt. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

Children's Privacy

Our services and community are not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete such information. If you believe that a child has provided us with personal data, please contact us at privacy@layer5.io.

Updates to This Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any significant changes by posting the new notice on our website and, where appropriate, by notifying you directly via email. We encourage you to review this notice periodically.

How to Make a Complaint

We are committed to resolving any concerns you may have about our use of your information. If you have a complaint, we hope you will contact us first at privacy@layer5.io so that we can try to resolve it.

However, if you are not satisfied with our response, you have the right to lodge a complaint with a data protection supervisory authority. This will typically be the authority in the EU country where you live or work, or where the alleged infringement of data protection law occurred.


Commitment to Data Privacy and Ongoing Compliance

Operationalizing Data Subject Rights

A privacy notice that promises data subject rights without the internal capacity to fulfill them creates a significant liability. Layer5 must establish a formal, documented process for managing requests received at the designated privacy@layer5.io email address.

  1. Request Logging: Creating a centralized log to track the date of each request, the identity of the requester, the nature of the request, the deadline for response (30 days), and the date of fulfillment.
  2. Identity Verification: Implementing a secure procedure to verify the identity of the individual making the request to prevent unauthorized disclosure of personal data.
  3. Data Discovery and Compilation: Developing clear workflows for locating and gathering all relevant personal data for a specific individual across all of Layer5's systems. This includes the Layer5 Cloud production database, CRM systems, payment processor dashboards, community platforms (to the extent possible), and marketing automation tools.
  4. Secure Delivery: Establishing a secure method for delivering the compiled information to the data subject.

Operational readiness is a core component of the accountability principle under GDPR. Having this process in place ensures that Layer5 meets legal obligations efficiently and demonstrably.

Implementing Compliant Consent Management

To lawfully use non-essential cookies for analytics and marketing, we obtain valid, explicit consent from users in the EU/EEA. This requires more than a simple "we use cookies" banner.

  • Block all non-essential cookies and tracking scripts from firing until the user has given their explicit consent.
  • Provide users with granular control, allowing them to consent to specific categories of cookies (e.g., "Analytics") while rejecting others (e.g., "Marketing").
  • Make it as easy for users to withdraw consent as it was to give it, typically via an easily accessible link or icon on the website.
  • Log user consent choices to provide an audit trail for demonstrating compliance.

We uphold our commitment to lawfully conducting website analytics and honoring users' right to withdraw consent at any time.

Maintaining a Record of Processing Activities (ROPA)

In accordance with Article 30 of the GDPR, as a data controller, we maintain an internal Record of Processing Activities (ROPA). This document details all categories of personal data we process, the purposes of processing, data subjects, data recipients, international transfers, retention periods, and security measures.

How to Contact Us

We are committed to proactively ensuring clarity in all corporate communications to reinforce professionalism and transparency. We welcome your comments or questions about this privacy policy. You may also contact us as follows:

Layer5, Inc
1000 Congress Avenue
Austin, Texas 78735
Email Address: legal@layer5.io
Telephone number: 512-810-8200

Last Updated: March 8th, 2024
