1. What this is
This page says exactly what labpoe — operated by Defensible Logic,
Inc. — records about you, what it doesn't, and for how long. It's
intentionally short and concrete. For the terms of use, see our Terms of Service.
2. What we store
For your account:
- your email address (sign-in, verification, password reset, invitations);
- a bcrypt hash of your password — we never store the password itself;
-
if you enable two-factor auth, your TOTP secret (encrypted at rest) and bcrypt hashes of your backup codes;
- which labs (tenants) you belong to and your role in each.
Within a lab you create:
-
switches and PDUs you configure, including their credentials, which are encrypted at rest;
-
devices, device classes, and the agents you enroll (agent tokens stored as hashes);
-
API keys (only a bcrypt hash of the secret — the raw key is shown once, at creation);
-
observed port state (link, PoE, draw), a short power-draw time series, and an audit log of admin actions.
For marketing pages you view, the analytics records:
- the URL path and referrer (same-site referrers are stripped);
-
your user-agent and coarse country (resolved locally against a MaxMind database, if configured);
-
not your IP address
— it's mixed with your user-agent, the date, and a secret into a daily-rotating hash, then discarded;
-
if you're signed in, your account id (so we can tell signed-in from anonymous visits). The tracker never runs on
/admin, /api, or /dashboard.
3. What we don't do
We don't sell your data. Analytics is first-party and self-hosted —
no third-party ad or tracking networks, no cross-site trackers. We
don't inspect what your devices are for; we only store the
configuration and state you give us.
4. How long we keep it
-
Page-view analytics: 90 days, then permanently deleted.
- Power-draw samples: 7 days.
- Audit log: 365 days.
-
Account, labs, and their configuration: kept as long as they exist. Deleting your account (Danger Zone on the Security page) removes your email, password hash, MFA, and memberships immediately, and deletes any lab you solely own along with everything in it.
(Self-hosted deployments can tune these retention windows.)
5. Who we share it with
-
Our SMTP provider
— delivers verification, password-reset, and invitation mail; your email address passes through it as the destination.
-
MaxMind
— geolocation is resolved locally against a downloaded database; no requests leave our infrastructure.
- Nobody else. No advertising networks, no resale.
We may disclose information if compelled by valid legal process or to
protect the rights, property, or safety of users or the service.
6. Cookies
We set first-party cookies only:
-
_labpoe_key
— your signed login session (HTTP-only, SameSite=Lax, cleared on logout);
-
_labpoe_mfa_remember
— lets a browser skip MFA for 30 days after you opt in;
-
_labpoe_last_tenant — remembers which lab to drop you into on sign-in.
No third-party cookies.
7. Your rights
You can:
-
change your email/password and manage MFA on the
Security
page;
-
rename or delete a lab you own from the
Tenant
page;
-
delete your account — and any lab you solely own — from the Danger Zone on the Security page;
-
email
privacy@defensiblelogic.com
for anything else, including data-access or portability requests.
8. Children
labpoe isn't directed at children under 13, and we don't knowingly collect their data.
9. Changes
Material changes are announced by email to registered users at least
30 days before they take effect. The effective date at the top always
reflects the current version.