Privacy Policy

Effective Date: January 1, 2026

SOC 2 Aligned | GDPR Compliant | CCPA Ready

CloudFinOps ("we", "us") processes data strictly as a Data Processor on behalf of our customers. We adhere to the principle of Data Minimization: we only access the metadata necessary to identify cost savings.

1. Data We Collect (Strictly Metadata)

1.1 Infrastructure Metadata Only

Our access is technically limited to configuration data. We collect:

  • Resource IDs (e.g., i-0abc123)
  • Utilization Metrics (CPU %)
  • Configuration (Instance Type)
  • Cost & Billing Tags

1.2 What We DO NOT Access

To prevent any liability or data leakage, our system is architected to be blind to:

  • Source Code: We cannot read your repositories.
  • Database Content: We cannot query tables or view records.
  • S3/Blob Objects: We cannot view file contents.
  • User PII: We do not access your end-user data.

2. Subprocessors & Data Residency

  • AWS (Amazon Web Services): Primary Infrastructure Hosting.
  • Supabase: Encrypted Metadata Storage (PostgreSQL).
  • Google Gemini: AI Analysis (Zero-Retention Policy enabled).
  • Clerk: Secure Authentication & Identity.

3. Security & Encryption

  • At Rest: AES-256 Encryption for all db volumes.
  • In Transit: TLS 1.3 Strict Enforcement.
  • Keys: Rotated annually via AWS KMS.

4. Data Protection Officer (DPO)

For data deletion requests ("Right to be Forgotten") or compliance inquiries:

Email: sambhav@cloudfinops.solutions

Response Time: Within 48 hours.