CBOMCompliance.com ("CBOMCompliance," the "service," "we," "us," or "our") is operated by NextGenRails™. The service accepts CycloneDX and SPDX manifests and issues cryptographically signed receipt artifacts. This Privacy Policy explains what personal information we collect through the website and service, how we use and protect it, and the choices you have. It works alongside our Terms of Service, including the Zero Retention Policy described there.
This policy does not cover third-party websites we link to, which maintain their own privacy practices.
When you submit a manifest for processing, it is read into memory, hashed (SHA-384), and used to compute your signed receipt. The receipt records the manifest's hash and derived metadata (such as detected format and component counts) — not the manifest itself. We keep no copy of your submitted manifest and cannot reconstruct it. See Section 3.
When you purchase a pack or subscription, we receive and store records needed to deliver and manage your access, including your email address, your Stripe customer and subscription identifiers, your plan/tier, usage counts, status, and timestamps. Access codes are stored only as a one-way hash, not in plain text. This account data is stored using Netlify Blobs.
Payments are processed by Stripe. We do not collect, see, or store your full payment card number, CVV, or bank details — Stripe handles those directly under its own privacy policy. We retain only transaction and customer references for fulfillment and reconciliation.
To protect the service from automated abuse, the verification page uses Cloudflare Turnstile, which receives your IP address and a challenge token to confirm you are human. For the free trial, we enforce usage limits using a counter keyed to a one-way hash of your IP address combined with the date; the counter resets daily and we do not store your raw IP address in our application records.
We collect limited analytics about site usage, including the page visited, referring URL, browser/user-agent string, and an approximate location (country, region, and city) derived from your IP address. This data is stored in our analytics table hosted by Supabase. The IP-to-location lookup is performed by a third-party service, our hosting provider, which receives your IP address to return coarse location data. We do not use this analytics data for advertising, and we do not sell it.
The site serves fonts via Google Fonts, which may receive your IP address when your browser requests them. Our hosting and CDN providers (Netlify and Cloudflare) also process connection data such as IP addresses to deliver and secure the site.
If you email us, we receive your email address and the contents of your message and use them to respond to your request.
Consistent with the Zero Retention Policy in our Terms, NextGenRails™ does not retain, store, log, or archive:
This information exists only in memory for the duration of computation and is discarded immediately afterward. Because we keep no copy, we cannot reproduce, recover, or provide your submitted manifest in response to any request or legal process. You should retain your own copies of submitted manifests.
Where you submit a manifest, the components it lists are evaluated against vulnerability data sourced from third-party databases (OSV and NVD) to produce the intelligence included in applicable tiers. This evaluation is informational and is not retained after processing.
We share personal data only with the service providers ("sub-processors") that make the service work, and only as needed for them to perform their function:
| Provider | Purpose | Data involved |
|---|---|---|
| Stripe, Inc. | Payment & subscription processing | Email, payment details, customer/subscription IDs |
| Netlify, Inc. | Hosting, serverless functions & account-data storage (Blobs) | Account/access-code records, email, connection logs |
| Cloudflare, Inc. | CDN & Turnstile human-verification | IP address, challenge token |
| Supabase, Inc. | Usage-analytics storage | Page, referrer, user-agent, approximate location |
| Google LLC (Fonts) | Serving web fonts | IP address |
We also use OSV and NVD as vulnerability data sources. Neither receives your manifest — only package coordinates already present in it. No personal data is sent to either.
You may request deletion of your personal data at any time (see Section 9). Requests are processed within 30 days.
Data is transmitted over encrypted connections (HTTPS/TLS). Access codes are stored as one-way hashes, and free-trial IP counters use hashed identifiers.
No method of transmission or storage is perfectly secure. While we take reasonable measures to protect your information, we cannot guarantee absolute security.
Depending on where you live, you may have the right to access, correct, delete, export, or restrict the processing of your personal data, and to object or withdraw consent. To exercise any of these, email ngr.admin@proton.me. We will respond within the timeframe required by applicable law, and within 30 days for deletion requests.
California residents: we do not sell or share your personal information as defined by the CCPA/CPRA, and we will not discriminate against you for exercising your rights.
You may also lodge a complaint with your local data protection authority. For the full analytics disclosure covering all NextGenRails™ properties, see nextgenrails.net/legal.
NextGenRails™ operates from the United States, and our providers process and store data in the United States and other countries. If you access the service from outside the United States, your information will be transferred to and processed in the United States, which may have data-protection laws that differ from those where you live.
The service is intended for business and professional use and is not directed to children. We do not knowingly collect personal information from anyone under 16. If you believe a minor has provided us information, contact us and we will delete it.
We may update this Privacy Policy from time to time. Material changes will be posted to this page with a revised "Last Updated" date. Continued use of the service following any modification constitutes acceptance of the revised policy.
For privacy questions or to exercise your data rights, contact NextGenRails™ at:
This Privacy Policy is provided for transparency and does not constitute legal advice.