Privacy Policy

Last updated: March 17, 2026

1. Introduction

CloudPruneAI, Inc. ("CloudPruneAI," "we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AWS cost optimization platform. This policy applies to all users, including individual users and users operating as part of a Partner organization (consultancy, MSP, or similar).

CloudPruneAI acts as a Data Processor when processing data on behalf of Partners/clients, and as a Data Controller for our own user data.

2. Information We Collect

2.1 Personal Data

Data | Source | Purpose | Legal Basis
Email address | Auth0 | Account creation, authentication | Contractual necessity
Full name | Auth0 | Account identification, reports | Contractual necessity
Profile picture | Auth0 (social login) | UI display | Legitimate interest
Payment information | Stripe | Billing and invoicing | Contractual necessity

Note: We do NOT store credit card numbers, bank accounts, or other financial data directly. All payment processing is handled by Stripe.

2.2 AWS Account Data

When you connect an AWS account, we collect read-only metadata about the infrastructure, including:

  • EC2 instance configurations and CloudWatch metrics
  • EBS volume information and utilization data
  • S3 bucket metadata and storage class information
  • RDS instance configurations and connection metrics
  • EKS cluster versions and ElastiCache engine versions
  • Lambda runtime versions
  • Cost and usage data from AWS Cost Explorer
  • Resource tags and identifiers
  • CloudWatch log group metadata (names, retention, storage class)
  • NAT Gateway and VPC networking metadata
  • Secrets Manager metadata (names and last access dates, never secret values)

Important: We never access, store, or process the actual content of your data (e.g., files in S3 buckets, data in databases, secret values, application logs). We only analyze metadata and configuration information.

3. Legal Basis for Processing (GDPR Art. 6)

We process personal data under the following legal bases:

  • Contractual necessity (Art. 6.1.b): Account creation, authentication, running scans, generating reports, payment processing, and service communications
  • Legitimate interest (Art. 6.1.f): Security monitoring, protecting our platform and users, and improving service quality through aggregate analytics

We do NOT use personal data for advertising, automated decision-making with legal effects, or profiling unrelated to the service.

4. How We Use Your Information

We use the collected information to:

  • Analyze AWS infrastructure for cost optimization opportunities
  • Generate CDK code recommendations
  • Produce scan reports and PDF summaries
  • Enrich recommendations with business context using AI
  • Send scan results, alerts, and reports via email
  • Process payments and manage billing
  • Provide aggregated metrics to Partner dashboards (see Section 6)
  • Improve our service and develop new features

5. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • All data is encrypted in transit using TLS 1.2+
  • Data at rest is encrypted using AES-256 (AWS RDS)
  • Authentication via Auth0 with MFA support and SSO
  • We use AWS IAM roles with minimum required permissions (read-only)
  • External IDs are used to prevent confused deputy attacks
  • We never store AWS credentials; we use cross-account IAM roles with temporary credentials
  • Sensitive configuration is stored in AWS Secrets Manager
  • Minimal data collection — we only collect data necessary for the service

6. Data Sharing and Sub-Processors

6.1 Partner Organizations

If you are part of a Partner organization, the following data is visible to other members of your Partner organization (based on their role and permissions):

  • Aggregated metrics (total accounts, scans, savings) on the Partner dashboard
  • List of users within the Partner organization
  • Scan summaries and status for accounts connected by Partner members

Data isolation: Each Partner's data is strictly isolated. Partners cannot view data belonging to other Partners.

6.2 Branded Reports

If you are part of a Partner organization, PDF reports may include your Partner's branding (logo, name, contact information). This branding is configured by your Partner administrator.

6.3 Sub-Processors

We do not sell your data. We share information with the following service providers as necessary to operate the platform:

Sub-Processor | Purpose | Location
Amazon Web Services (AWS) | Cloud infrastructure, data storage | USA (us-east-1)
Auth0 (Okta) | Authentication, identity management | USA
Stripe | Payment processing, invoicing | USA
Anthropic (Claude API) | AI-powered recommendation enrichment and CDK code generation. Anthropic operates a zero data retention policy for API usage | USA
Resend | Transactional email delivery | USA

All sub-processors maintain their own GDPR compliance programs and Data Processing Agreements. We will notify users of any changes to sub-processors via email or in-app notification.

6.4 Legal Requirements

We may disclose information when required by law or to protect our rights.

7. International Data Transfers

All data is stored and processed in the United States (AWS us-east-1 region).

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on the following transfer mechanisms:

  • Standard Contractual Clauses (SCCs) — incorporated in our Data Processing Agreements
  • EU-US Data Privacy Framework
  • Sub-processor safeguards — AWS, Auth0, Stripe, and Anthropic maintain their own SCCs and DPF certifications

8. Data Retention

Data Type | Retention Period
User account data | Until account deletion by user
AWS account connections | Until disconnected or account deletion
Scan results and recommendations | Until scan or account deletion
Generated CDK code | Until scan or account deletion
Access logs | 90 days
Payment records | Per Stripe retention policy and tax/legal requirements

After deletion, data is permanently removed from our databases. Backups containing deleted data are purged within 30 days.

9. Your Rights

Under GDPR and applicable data protection laws, you have the following rights:

  • Access (Art. 15): Request a copy of your personal data
  • Rectification (Art. 16): Correct inaccurate personal data
  • Erasure (Art. 17): Delete your account and all associated data — available via User Settings > Delete Account
  • Restriction (Art. 18): Restrict processing of your data
  • Portability (Art. 20): Receive your data in a machine-readable format
  • Objection (Art. 21): Object to processing based on legitimate interest
  • Withdraw consent: Where processing is based on consent
  • Disconnect AWS accounts and revoke access at any time

Account deletion: You can permanently delete your account at any time via User Settings > Danger Zone > Delete Account. This removes your user profile, all connected AWS accounts, scan results, recommendations, generated code, and billing records.

Response time: We will respond to all rights requests within 30 days. For complex requests, we may extend by up to 60 additional days with notice.

10. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (GDPR Art. 33) and notify affected users without undue delay if the breach poses a high risk (GDPR Art. 34).

11. Cookies

We use essential cookies for authentication and session management. We may use analytics cookies to improve our service. You can control cookie preferences through your browser settings.

12. Children's Privacy

CloudPruneAI is a B2B service not intended for use by individuals under 16 years of age. We do not knowingly collect personal data from children.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through the Service with 30 days' prior notice. Your continued use of CloudPruneAI after the notice period constitutes acceptance of the updated policy.

14. Contact Us & Complaints

If you have questions about this Privacy Policy, want to exercise your rights, or have concerns about our data practices:

Email: privacy@cloudpruneai.com

If you believe your privacy rights have been violated, you have the right to lodge a complaint with your local Data Protection Authority (DPA).