Privacy Policy
Last updated: May 8, 2026
1. Introduction
CloudPruneAI, Inc. ("CloudPruneAI," "we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our multi-cloud cost optimization platform (AWS and Azure as of the date of this Policy; additional providers added per roadmap). This policy applies to all users, including individual users and users operating as part of a Partner organization (consultancy, MSP, or similar).
CloudPruneAI acts as a Data Processor when processing data on behalf of Partners/clients, and as a Data Controller for our own user data.
2. Information We Collect
2.1 Personal Data
| Data | Source | Purpose | Legal Basis |
|---|---|---|---|
| Email address | Auth0 | Account creation, authentication | Contractual necessity |
| Full name | Auth0 | Account identification, reports | Contractual necessity |
| Profile picture | Auth0 (social login) | UI display | Legitimate interest |
| Payment information | Stripe | Billing and invoicing | Contractual necessity |
Note: We do NOT store credit card numbers, bank accounts, or other financial data directly. All payment processing is handled by Stripe.
2.2 Cloud Account Data
When you connect a cloud account or subscription (AWS or Azure), we collect read-only metadata about the infrastructure. Authentication and access are scoped to read-only roles per provider:
- AWS: connection via IAM AssumeRole + External ID. No long-lived AWS access keys are stored — only the role ARN and the External ID. STS temporary credentials are obtained at scan time and discarded when the scan completes.
- Azure: connection via App Registration + Service Principal with the built-in Reader and Cost Management Reader roles assigned at the target subscription scope. The Service Principal client secret is encrypted at rest in AWS Secrets Manager under a path scope-limited per connected account; access is restricted by IAM to the minimum scope required.
Data we read includes (illustrative, not exhaustive):
- AWS: EC2 / EBS / S3 / RDS / DynamoDB / ElastiCache / EKS / Lambda / Secrets Manager / CloudWatch / NAT Gateway / VPC metadata; cost and usage from AWS Cost Explorer; resource tags.
- Azure: Virtual Machines / Managed Disks / Snapshots / Public IPs / NAT Gateways / Storage Accounts / SQL Databases / Cosmos DB / Redis Cache / App Service / Azure ML / Azure OpenAI / Container Registry / Key Vault / Log Analytics / Azure Monitor metadata; cost and usage from Azure Cost Management; reservation and savings-plan utilization; resource tags.
Important: We never access, store, or process the actual content of your data (e.g., files in S3 buckets or Azure Blob storage, rows in databases, secret values, application logs). We only analyze metadata, configuration, and aggregated cost / utilization information.
3. Legal Basis for Processing (GDPR Art. 6)
We process personal data under the following legal bases:
- Contractual necessity (Art. 6.1.b): Account creation, authentication, running scans, generating reports, payment processing, and service communications
- Legitimate interest (Art. 6.1.f): Security monitoring, protecting our platform and users, and improving service quality through aggregate analytics
We do NOT use personal data for advertising, automated decision-making with legal effects, or profiling unrelated to the service.
4. How We Use Your Information
We use the collected information to:
- Analyze cloud infrastructure (AWS, Azure) for cost optimization opportunities
- Generate Infrastructure as Code remediation (Terraform / CloudFormation / AWS CDK for AWS; Terraform AzureRM / Bicep for Azure)
- Produce scan reports and PDF summaries
- Enrich recommendations with business context using AI
- Send scan results, alerts, and reports via email
- Process payments and manage billing
- Provide aggregated metrics to Partner dashboards (see Section 6)
- Improve our service and develop new features
5. Data Security
We implement appropriate technical and organizational measures to protect your data:
- All data is encrypted in transit using TLS 1.2+
- Data at rest is encrypted using AES-256 (AWS RDS)
- Authentication via Auth0 with MFA support and SSO
- We use least-privilege, read-only access per provider: AWS IAM AssumeRole and Azure built-in Reader + Cost Management Reader roles
- External IDs (AWS) prevent confused deputy attacks
- We never store long-lived AWS credentials; STS temporary credentials are obtained per scan and discarded
- The Azure Service Principal client secret is encrypted at rest in AWS Secrets Manager under a path scope-limited per connected account
- Sensitive configuration is stored in AWS Secrets Manager
- Minimal data collection — we only collect data necessary for the service
6. Data Sharing and Sub-Processors
6.1 Partner Organizations
If you are part of a Partner organization, the following data is visible to other members of your Partner organization (based on their role and permissions):
- Aggregated metrics (total accounts, scans, savings) on the Partner dashboard
- List of users within the Partner organization
- Scan summaries and status for accounts connected by Partner members
Data isolation: Each Partner's data is strictly isolated. Partners cannot view data belonging to other Partners.
6.2 Branded Reports
If you are part of a Partner organization, PDF reports may include your Partner's branding (logo, name, contact information). This branding is configured by your Partner administrator.
6.3 Sub-Processors
We do not sell your data. We share information with the following service providers as necessary to operate the platform:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure hosting CloudPruneAI; encrypted storage of customer scan data and Azure Service Principal client secrets | USA (us-east-1) |
| Microsoft Azure | Read-only target of Partner-connected Azure subscriptions (Azure does NOT host CloudPruneAI infrastructure) | Customer-selected Azure regions |
| Auth0 (Okta) | Authentication, identity management | USA |
| Stripe | Payment processing, invoicing | USA |
| Anthropic (Claude API) | AI-powered recommendation enrichment and Infrastructure as Code generation (Terraform / CloudFormation / AWS CDK / Bicep). Anthropic operates a zero data retention policy for API usage | USA |
| Resend | Transactional email delivery | USA |
All sub-processors maintain their own GDPR compliance programs and Data Processing Agreements. We will notify users of any changes to sub-processors via email or in-app notification.
6.4 Legal Requirements
We may disclose information when required by law or to protect our rights.
7. International Data Transfers
All data is stored and processed in the United States (AWS us-east-1 region).
For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on the following transfer mechanisms:
- Standard Contractual Clauses (SCCs) — incorporated in our Data Processing Agreements
- EU-US Data Privacy Framework
- Sub-processor safeguards — AWS, Auth0, Stripe, and Anthropic maintain their own SCCs and DPF certifications
8. Data Retention
| Data Type | Retention Period |
|---|---|
| User account data | Until account deletion by user |
| Cloud account connections | Until disconnected or account deletion |
| Scan results and recommendations | Until scan or account deletion |
| Generated IaC code (Terraform / CloudFormation / AWS CDK / Bicep) | Until scan or account deletion |
| Access logs | 90 days |
| Payment records | Per Stripe retention policy and tax/legal requirements |
After deletion, data is permanently removed from our databases. Backups containing deleted data are purged within 30 days.
9. Your Rights
Under GDPR and applicable data protection laws, you have the following rights:
- Access (Art. 15): Request a copy of your personal data
- Rectification (Art. 16): Correct inaccurate personal data
- Erasure (Art. 17): Delete your account and all associated data — available via User Settings > Delete Account
- Restriction (Art. 18): Restrict processing of your data
- Portability (Art. 20): Receive your data in a machine-readable format
- Objection (Art. 21): Object to processing based on legitimate interest
- Withdraw consent: Where processing is based on consent
- Disconnect cloud accounts and revoke access at any time
Account deletion: You can permanently delete your account at any time via User Settings > Danger Zone > Delete Account. This removes your user profile, all connected cloud accounts, scan results, recommendations, generated code, and billing records.
Response time: We will respond to all rights requests within 30 days. For complex requests, we may extend by up to 60 additional days with notice.
10. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (GDPR Art. 33) and notify affected users without undue delay if the breach poses a high risk (GDPR Art. 34).
11. Cookies
We use essential cookies for authentication and session management. We may use analytics cookies to improve our service. You can control cookie preferences through your browser settings.
12. Children's Privacy
CloudPruneAI is a B2B service not intended for use by individuals under 16 years of age. We do not knowingly collect personal data from children.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through the Service with 30 days' prior notice. Your continued use of CloudPruneAI after the notice period constitutes acceptance of the updated policy.
14. Contact Us & Complaints
If you have questions about this Privacy Policy, want to exercise your rights, or have concerns about our data practices:
Email: privacy@cloudpruneai.com
If you believe your privacy rights have been violated, you have the right to lodge a complaint with your local Data Protection Authority (DPA).