Legal

Privacy Policy

Effective Date: June 17, 2026  ·  Last Updated: June 17, 2026  ·  Issued by NextGenRails™
THE SHORT VERSION We never store the manifests you submit — they are hashed and discarded. We do keep limited account data (your email and access-code records) to run your purchase, and we use a small set of third-party providers for payments, hosting, bot-protection, analytics, and fonts. We do not sell your data. This page explains exactly what we collect, what we never retain, and who our providers are.
Table of Contents
  1. Who We Are & Scope
  2. Information We Collect
  3. What We Never Retain
  4. How We Use Information
  5. Third-Party Providers
  6. How We Share Information
  7. Data Retention
  8. Security & Your Access Code
  9. Your Rights & Choices
  10. International Transfers
  11. Children's Privacy
  12. Changes to This Policy
  13. Contact

Who We Are & Scope

CBOMCompliance.com ("CBOMCompliance," the "service," "we," "us," or "our") is operated by NextGenRails™. The service accepts CycloneDX and SPDX manifests and issues cryptographically signed receipt artifacts. This Privacy Policy explains what personal information we collect through the website and service, how we use and protect it, and the choices you have. It works alongside our Terms of Service, including the Zero Retention Policy described there.

This policy does not cover third-party websites we link to, which maintain their own privacy practices.

Information We Collect

2.1 — Manifests & submitted content

When you submit a manifest for processing, it is read into memory, hashed (SHA-384), and used to compute your signed receipt. The receipt records the manifest's hash and derived metadata (such as detected format and component counts) — not the manifest itself. We keep no copy of your submitted manifest and cannot reconstruct it. See Section 3.

2.2 — Account & purchase data

When you purchase a pack or subscription, we receive and store records needed to deliver and manage your access, including your email address, your Stripe customer and subscription identifiers, your plan/tier, usage counts, status, and timestamps. Access codes are stored only as a one-way hash, not in plain text. This account data is stored using Netlify Blobs.

2.3 — Payment data

Payments are processed by Stripe. We do not collect, see, or store your full payment card number, CVV, or bank details — Stripe handles those directly under its own privacy policy. We retain only transaction and customer references for fulfillment and reconciliation.

2.4 — Security & abuse-prevention data

To protect the service from automated abuse, the verification page uses Cloudflare Turnstile, which receives your IP address and a challenge token to confirm you are human. For the free trial, we enforce usage limits using a counter keyed to a one-way hash of your IP address combined with the date; the counter resets daily and we do not store your raw IP address in our application records.

2.5 — Usage analytics

We collect limited analytics about site usage, including the page visited, referring URL, browser/user-agent string, and an approximate location (country, region, and city) derived from your IP address. This data is stored in our analytics table hosted by Supabase. The IP-to-location lookup is performed by a third-party service, our hosting provider, which receives your IP address to return coarse location data. We do not use this analytics data for advertising, and we do not sell it.

2.6 — Web fonts & server logs

The site serves fonts via Google Fonts, which may receive your IP address when your browser requests them. Our hosting and CDN providers (Netlify and Cloudflare) also process connection data such as IP addresses to deliver and secure the site.

2.7 — Communications

If you email us, we receive your email address and the contents of your message and use them to respond to your request.

What We Never Retain

Consistent with the Zero Retention Policy in our Terms, NextGenRails™ does not retain, store, log, or archive:

This information exists only in memory for the duration of computation and is discarded immediately afterward. Because we keep no copy, we cannot reproduce, recover, or provide your submitted manifest in response to any request or legal process. You should retain your own copies of submitted manifests.

How We Use Information

Where you submit a manifest, the components it lists are evaluated against vulnerability data sourced from third-party databases (OSV and NVD) to produce the intelligence included in applicable tiers. This evaluation is informational and is not retained after processing.

Third-Party Providers

We share personal data only with the service providers ("sub-processors") that make the service work, and only as needed for them to perform their function:

ProviderPurposeData involved
Stripe, Inc.Payment & subscription processingEmail, payment details, customer/subscription IDs
Netlify, Inc.Hosting, serverless functions & account-data storage (Blobs)Account/access-code records, email, connection logs
Cloudflare, Inc.CDN & Turnstile human-verificationIP address, challenge token
Supabase, Inc.Usage-analytics storagePage, referrer, user-agent, approximate location
Google LLC (Fonts)Serving web fontsIP address

We also use OSV and NVD as vulnerability data sources. Neither receives your manifest — only package coordinates already present in it. No personal data is sent to either.

How We Share Information

We do not sell your personal information, and we do not use it for cross-context behavioral advertising. Beyond the providers listed above, we may disclose information if required by law, regulation, or valid legal process, or where necessary to protect the rights, property, or safety of NextGenRails™, our users, or others. If NextGenRails™ is involved in a merger, acquisition, or sale of assets, information may transfer as part of that transaction, subject to this policy.

Data Retention

You may request deletion of your personal data at any time (see Section 9). Requests are processed within 30 days.

Security & Your Access Code

Data is transmitted over encrypted connections (HTTPS/TLS). Access codes are stored as one-way hashes, and free-trial IP counters use hashed identifiers.

YOUR ACCESS CODE IS YOUR CREDENTIAL. Anyone who has it can consume your receipt entitlement. Keep it confidential and do not share it. If you lose it, contact us with your purchase confirmation and we can help recover or replace it.

No method of transmission or storage is perfectly secure. While we take reasonable measures to protect your information, we cannot guarantee absolute security.

Your Rights & Choices

Depending on where you live, you may have the right to access, correct, delete, export, or restrict the processing of your personal data, and to object or withdraw consent. To exercise any of these, email ngr.admin@proton.me. We will respond within the timeframe required by applicable law, and within 30 days for deletion requests.

California residents: we do not sell or share your personal information as defined by the CCPA/CPRA, and we will not discriminate against you for exercising your rights.

You may also lodge a complaint with your local data protection authority. For the full analytics disclosure covering all NextGenRails™ properties, see nextgenrails.net/legal.

International Transfers

NextGenRails™ operates from the United States, and our providers process and store data in the United States and other countries. If you access the service from outside the United States, your information will be transferred to and processed in the United States, which may have data-protection laws that differ from those where you live.

Children's Privacy

The service is intended for business and professional use and is not directed to children. We do not knowingly collect personal information from anyone under 16. If you believe a minor has provided us information, contact us and we will delete it.

Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be posted to this page with a revised "Last Updated" date. Continued use of the service following any modification constitutes acceptance of the revised policy.

Contact

For privacy questions or to exercise your data rights, contact NextGenRails™ at:

ngr.admin@proton.me
NextGenRails™ — Principal Steward
CBOMCompliance.com

This Privacy Policy is provided for transparency and does not constitute legal advice.