Privacy Policy

1.1 Account and User Information

We collect the following information directly from you when you register for and use our Services:

• Contact Information: Email address, name, job title, and company name
• Authentication Information: Password (stored in encrypted form) or authentication tokens when using third-party authentication methods (Google, GitHub)
• Account Preferences: User settings, notification preferences, and dashboard configurations
• Team/Organisation Information: Team structure, member roles, and permissions
• Payment Information: Billing address and payment method details (processed through our payment processor, Stripe)
• Communication Records: Records of your communications with our support team, including emails and support tickets
• Marketing Preferences: Your preferences regarding receiving marketing communications from us

1.2 AWS/Cloud Environment Data

To provide our Services, we collect the following information from your AWS accounts:

• Resource Utilisation Metrics: CPU, memory, network, and storage usage patterns collected from AWS CloudWatch (Amazon's monitoring service) including historical performance data
• Configuration Information: Technical details about your cloud resources such as server types, locations, and settings obtained through AWS service APIs
• Cost Data: Billing information, cost allocation, and resource pricing
• Resource Metadata: Tags, identifiers, and attributes associated with your cloud resources
• Network Traffic Data (VPC Flow Logs): Records of network connections between your cloud resources, collected from AWS VPC Flow Logs and extracted from S3 buckets or CloudWatch (if you enable this optional feature)
• Account Activity Logs (CloudTrail): Detailed records of API calls and actions taken in your AWS account, collected through AWS CloudTrail (if you enable this optional feature or in the future when this feature is developed)
• Cloud Security Information: Security group configurations, IAM role settings, encryption usage, and compliance status

1.3 Technical Information

We automatically collect the following technical information when you use our Services:

• Device Information: Device type, operating system, browser type and version
• IP Address: Your Internet Protocol address
• Usage Data: How you interact with our Services, including features used, frequency of use, and duration of sessions
• Performance Data: Response times, error rates, and system stability metrics
• Cookies and Similar Technologies: Information collected through cookies and similar tracking technologies
• Log Data: Server logs, application performance logs, and error reports

1.4 Analytics Data

We collect analytics data about how our Services are used:

• Feature Usage Statistics: Which features are most frequently used
• User Behaviour: Navigation paths through the Services
• Performance Metrics: Load times, error rates, and responsiveness
• Business Metrics: Conversion rates, retention rates, and account growth patterns

2.1 Service Provision and Improvement

• To provide and maintain our cloud cost optimisation Services
• To generate cost-saving recommendations and security assessments
• To identify patterns and opportunities for improvement in your AWS environment
• To enhance, improve, and develop new features for our Services
• To ensure the technical functionality and security of our Services
• To provide customer support and respond to your inquiries

2.2 Account Management and Security

• To create and manage your user account
• To authenticate your identity and prevent fraud and unauthorised access
• To manage your team and organisation settings
• To process transactions and send related information
• To send administrative notices, updates, and security alerts
• To maintain the security and integrity of our Services

2.3 Communication and Marketing

• To communicate with you regarding your account and our Services
• To send you technical notices, updates, and security alerts
• To provide you with news, special offers, and general information about our Services
• To conduct surveys and collect feedback about our Services
• To create case studies and reference materials with your permission

2.4 Analytics and Research

• To understand how our Services are used
• To monitor and analyse usage patterns and trends
• To measure the effectiveness of our marketing campaigns
• To improve user experience and interface design
• To generate anonymised benchmarks and industry statistics
• To conduct research and development for future Services

2.5 Legal and Compliance

• To comply with legal obligations
• To enforce our Terms of Service
• To protect our rights, privacy, safety, or property
• To respond to lawful requests from public authorities
• To prevent, detect, and address fraud, security breaches, and prohibited activities
• To establish, exercise, or defend legal claims

3.1 Information You Provide Directly

• Account Registration: Information you provide when creating an account
• Service Configuration: Information you provide when setting up our Services
• Customer Support: Information you provide when contacting our support team
• Feedback and Surveys: Information you provide in response to surveys or feedback requests
• AWS Integration: Information you provide when connecting your AWS accounts

3.2 Automated Collection Methods

• AWS API Access: Data collected through read-only access to your AWS environment via IAM roles with external IDs to prevent confused deputy situations
• Scripts and Tools: Automated processes that analyse your cloud infrastructure, including cost optimization scripts that examine resource utilisation patterns
• Logging and Monitoring: Automatic collection of system logs and performance data
• Cookies and Tracking Technologies: Information collected through cookies, pixels, and similar technologies
• Analytics Tools: Data collection through third-party analytics services, including PostHog, to analyse Service usage patterns and improve our offerings
• Data Caching and Processing: Initial data storage in Redis/Postgres cache hosted in Germany before transfer to the data lake for longer-term storage

3.3 Third-Party Sources

• AWS Marketplace: If you subscribe through AWS Marketplace, we receive basic account information
• Authentication Providers: Limited profile information from third-party authentication providers (Google, GitHub)
• Payment Processors: Transaction status and limited payment information from payment processors
• Business Partners: Information shared by our business partners with your consent

4.1 Account and User Information

We use account and user information to:

• Create and manage your user account
• Authenticate your identity when you log in
• Process your payments and manage billing
• Communicate with you about your account
• Provide customer support
• Enforce our Terms of Service
• Send important notices and updates
• Contact you with marketing information (where permitted)
• Manage team members and permissions

4.2 AWS/Cloud Environment Data

We use AWS and cloud environment data to:

• Generate cost optimisation recommendations
• Identify security improvements for your environment
• Analyse resource utilisation patterns
• Create historical usage and cost analyses
• Provide detailed reports and visualisations
• Detect anomalies and potential issues
• Track changes in your environment over time
• Generate customised dashboards

4.3 Technical Information

We use technical information to:

• Monitor and improve the performance of our Services
• Troubleshoot technical issues
• Enhance the security of our Services
• Analyse usage patterns and user behaviour
• Optimise our user interface and experience
• Prevent fraudulent or unauthorised access
• Develop new features and capabilities

4.4 Analytics Data

We use analytics data to:

• Improve our Services and user experience
• Develop new features based on user behaviour
• Create anonymised industry benchmarks
• Measure the effectiveness of our features and updates
• Inform our product roadmap decisions
• Generate aggregate statistics for internal reports
• Analyse market trends and opportunities

5.1 Data Storage Locations

We store and process your information in the following locations:

• EU Customers: Data is processed on servers located in Germany and stored in Germany
• US Customers: Data is processed on servers located in Germany and stored in the United States
• Failover Processing: In the event of service disruption, data processing may occur in Helsinki or other EU locations

5.2 Data Storage Providers

We use the following data storage and processing providers:

• Hetzner and Netcup: For primary infrastructure hosting in Germany
• Supabase: For database services and structured data management
• AWS S3: For secure storage of certain data sets when required
• Cloudflare R2: May be used as an additional storage solution for certain data sets
• Internal caching systems: Including Redis and PostgreSQL databases for temporary data processing

5.3 Security Measures

We implement and maintain robust technical and organisational security measures to protect your information, including:

• Encryption: All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2 or higher
• Access Controls: Strict role-based access controls limiting access to authorised personnel only
• Authentication: Multi-factor authentication for administrative access
• Regular Security Assessments: Of our infrastructure and applications
• Monitoring: For unauthorised access attempts
• Secure Development Practices: Including code reviews and security testing
• Regular Security Training: For all staff
• Physical Security: For all data centres

5.4 International Data Transfers

When your personal data is transferred outside the UK or EEA through our service providers, we ensure appropriate safeguards by:

• Using service providers who maintain their own EU Commission-approved Standard Contractual Clauses (SCCs) or UK International Data Transfer Agreements (IDTAs)
• Relying on adequacy decisions where transfers are to countries deemed adequate by the UK or EU
• Selecting major service providers who have established international data transfer frameworks
• Primarily transferring data to countries within the EEA (such as Germany and Finland) and to the United States
• Ensuring all service providers implement appropriate safeguards for any international transfers

We verify that our service providers have appropriate transfer mechanisms in place as part of our provider selection process.

6.1 Service Providers and Sub-processors

We may share your information with third-party service providers who perform services on our behalf:

• Hetzner and Netcup: For infrastructure hosting
• Supabase: For database services
• PostHog: For analytics processing and service usage insights
• Stripe: For payment processing
• Email Service Providers: For sending transactional and marketing emails

These service providers have their own privacy policies and terms of service. We select established providers with appropriate security measures and privacy practices. Where applicable, we rely on their standard terms and privacy commitments. For services processing EU/UK personal data, we utilise their standard Data Processing Addendums where available.

6.2 Business Transfers

If CloudWrangler is involved in a merger, acquisition, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or uses of your information, as well as any choices you may have regarding your information.

6.3 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency). We may also disclose your information to:

• Enforce our Terms of Service
• Protect and defend our rights or property
• Prevent or investigate possible wrongdoing in connection with the Services
• Protect the personal safety of users of the Services or the public
• Protect against legal liability

6.4 With Your Consent

We may share your information with third parties when we have your consent to do so. We will always make it clear what information will be shared and with whom.

6.5 Anonymised and Aggregated Data

We may share anonymised and aggregated data derived from your information with:

• Partners for joint industry reports
• Customers for benchmarking purposes
• Marketing materials as statistical information
• Research institutions for analysis and publication

This data does not identify you or any individuals and cannot be used to identify you when combined with other information.

7.1 Account and User Information

• Active Accounts: Retained for as long as your account remains active
• After Account Closure: Deleted within 30 days of account termination, except as required for legal or business purposes
• Payment Information: Retained for 7 years to comply with tax and financial regulations

7.2 AWS/Cloud Environment Data

• Free Tier: AWS account data retained for 30 days
• Paid Tier: AWS account data retained for 180 days
• Extended Storage: Additional retention available for purchase at $0.10 per GB per month
• After Account Closure: Deleted within 30 days of account termination

7.3 Technical Information

• Logs: Retained for 90 days for security and debugging purposes
• Performance Data: Retained for 12 months to track Service improvements
• IP Addresses: Retained for 30 days for security monitoring
• Device Information: Retained for the duration of your session

7.4 Analytics Data

• Identified Data: Retained for 12 months, then anonymised
• Anonymised Data: May be retained indefinitely
• Usage Statistics: Retained for 24 months to track Service usage trends
• Benchmark Data: Anonymised and may be retained indefinitely

7.5 Data Deletion Process

When we delete your data:

• Data is removed from our active systems immediately
• Backups containing your data are automatically deleted within 30 days as part of our normal backup rotation
• Upon written request, we can perform human verification of data deletion and provide confirmation
• Metadata necessary for legal compliance may be retained for longer periods

8.1 Access and Control of Your Information

Depending on your location, you may have certain rights regarding your personal data:

For All Users:

• Access your personal data
• Correct inaccurate or incomplete data
• Delete your personal data (subject to certain exceptions)
• Object to the processing of your personal data
• Restrict how we use your personal data
• Export your personal data in a portable format
• Withdraw consent where processing is based on consent

For UK and EEA Users (UK GDPR and GDPR):

• Lodge a complaint with a supervisory authority
• Object to automated decision-making and profiling

For California Residents (CCPA/CPRA):

• Request disclosure of categories of personal information collected
• Request disclosure of specific pieces of personal information collected
• Request deletion of personal information
• Opt-out of the sale or sharing of personal information
• Right to non-discrimination for exercising CCPA rights

8.2 How to Exercise Your Rights

You can exercise your rights by:

• Self-Service Tools: Using the privacy controls in your account settings
• Email Request: Contacting our Privacy Team at privacy@cloudwrangler.io
• Written Request: Sending a letter to our address listed in the "Contact Us" section

We will respond to your request within 30 days (or the timeframe required by applicable law). We may ask for additional information to verify your identity before fulfilling your request.

8.3 Opting Out of Marketing Communications

You can opt out of receiving marketing communications by:

• Clicking the "unsubscribe" link in any marketing email
• Updating your communication preferences in your account settings
• Contacting us at privacy@cloudwrangler.io

Even if you opt out of marketing communications, we will still send you service-related communications.

9.1 What We Use

We use cookies and similar tracking technologies to:

• Keep you logged in to our Services
• Remember your preferences
• Understand how you use our Services
• Improve our Services
• Provide personalised features
• Analyse the effectiveness of our marketing

9.2 Types of Cookies We Use

• Essential Cookies: Required for the operation of our Services
• Functional Cookies: Remember your preferences and settings
• Analytical Cookies: Collect information about how you use our Services
• Marketing Cookies: Track your browsing habits to display relevant advertising

9.3 Your Cookie Choices

You can manage your cookie preferences by:

• Adjusting your browser settings to refuse cookies
• Using the cookie preference centre on our website
• Opting out of analytics tracking through our preference centre

9.4 Sponsored Free Tier and Advertising

If you use our Free Tier Services:

• Your access is sponsored by third-party cloud resellers or similar businesses
• Advertisements from these sponsors may appear within our platform when you use the Free Tier
• These advertisements are clearly labelled as sponsored content
• We do not share your personal data with our sponsors solely for advertising purposes, though anonymised or aggregated usage statistics may be shared
• If you upgrade to a Paid Tier, sponsored advertisements will no longer be displayed

12.1 European Economic Area (EEA) and United Kingdom

Legal Basis for Processing:

For users in the EEA and UK, we process your personal data on the following legal bases:

• Contract: Processing necessary for the performance of our contract with you
• Legitimate Interests: Processing necessary for our legitimate interests, provided these interests are not overridden by your rights and freedoms
• Legal Obligation: Processing necessary to comply with our legal obligations
• Consent: Processing based on your consent, which you can withdraw at any time

Data Protection Rights:

As detailed in Section 8, users in the EEA and UK have specific rights under the GDPR and UK GDPR.

12.2 California, USA

For California residents, we provide the following additional information as required by the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Categories of Personal Information Collected:

• Identifiers (name, email address, IP address)
• Commercial information (subscription details, payment records)
• Internet activity information (browsing history, service usage)
• Professional information (job title, employer)
• Geolocation data (at the city/region level)

Business Purpose for Collection:

As detailed in Section 2.

Categories of Personal Information Disclosed for Business Purposes:

• Identifiers
• Commercial information
• Internet activity information

Categories of Third Parties with Whom We Share Personal Information:

• Service providers
• Data analytics providers
• Payment processors

Your California Privacy Rights:

As detailed in Section 8.

We do not sell or share personal information as defined by the CCPA/CPRA.

13.1 Security Incident Response

In the event of a security incident affecting your data, we will:

• Notify you without undue delay and in any event within 72 hours of becoming aware of the incident
• Provide you with a description of the incident, likely consequences, and measures being taken to address it
• Cooperate with your reasonable requests for information regarding the incident
• Take appropriate measures to mitigate any potential damage

13.2 Breach Notification

We maintain a breach response plan that includes:

• A dedicated security incident response team
• Documented procedures for identifying, reporting, and responding to incidents
• Clear communication protocols
• Regular testing and updating of our response procedures

13.3 Data Backup and Recovery

To mitigate the impact of potential security incidents:

• Customer data is regularly backed up
• We test our backup and recovery procedures regularly
• We maintain separate secure storage for backups

14.1 Current Sub-processors

We use the following sub-processors to help provide our Services:

• Hetzner and Netcup: For infrastructure hosting
• Supabase: For database services
• PostHog: For analytics
• Stripe: For payment processing

14.2 Sub-processor Management

For our sub-processors:

• We select established, reputable service providers with appropriate security measures in place
• We use their standard terms of service and privacy policies
• For providers processing EU/UK data, we rely on their standard Data Processing Addendums where available
• We implement appropriate access controls on our end to limit what data is shared with these services

14.3 Changes to Sub-processors

If we make significant changes to our key sub-processors:

• We will select replacement providers with appropriate security standards
• We will update this Privacy Policy during our regular review cycles
• We will notify enterprise customers with specific contractual requirements