Privacy Policy — Cloudios
Last updated: 2026-05-24
Effective date: 2026-06-01
This Privacy Policy describes how Cloudios SAS ("Cloudios", "we", "us") collects,
uses, and discloses your information when you use our FinOps multi-cloud
optimization platform (the "Service").
1. Information We Collect
1.1 Account Information
- Name, email, organization name (collected via Clerk SSO)
- Billing information (processed by Stripe — we do NOT store credit card numbers)
- User preferences (theme, locale, currency)
1.2 Cloud Account Metadata
When you connect AWS/GCP/Azure/Kubernetes accounts to Cloudios, we collect:
- Account identifiers (AWS Account ID, GCP Project ID, Azure Subscription ID)
- Resource metadata (instance types, regions, tags, sizes)
- CloudWatch/Cloud Monitoring metrics (CPU, memory, network — last 90 days)
- IAM permissions (read-only via assumed roles + external IDs)
What we DON'T collect:
- Resource contents (S3 object data, RDS database rows, EBS volume content)
- Network traffic payloads
- User credentials (AWS keys, GCP service account JSON) — where these must be stored at all, they are held only in encrypted form in the DB
1.3 Usage Data
- Authentication events (login timestamps, IP addresses for security)
- API requests (path, status, latency — no body content)
- Feature usage (which modules run, which recommendations approved)
- Error logs (sanitized — no PII, no secrets)
1.4 Cookies
We use the following cookies (essential only — GDPR baseline):
- `__clerk_session`: authentication (essential)
- `cloudios-theme`: UI preference (functional)
- `cloudios-locale`: i18n preference (functional)
- Stripe.js cookies on billing pages (essential for checkout)
No advertising or third-party tracking cookies.
2. How We Use Information
- Provide the Service: run cost optimization scans, generate recommendations
- Customer support: respond to inquiries (support@cloudios.com)
- Billing: process payments via Stripe
- Security: detect fraud, abuse, unauthorized access
- Service improvement: aggregate analytics (anonymized — never per-user identified)
3. Sharing of Information
We share your information ONLY with:
- Service providers (sub-processors — see DPA for full list):
  - Supabase (database hosting, EU region)
  - Vercel (web hosting, EU edge)
  - Clerk (authentication)
  - Stripe (billing)
  - OpenRouter / Anthropic (AI Verifier — request body sanitized)
  - Sentry (error tracking — PII redacted)
- Legal requirements: court orders, subpoenas (we will notify you when legally permitted)
We do NOT sell or rent your data to third parties.
4. Data Retention
- Active accounts: retained indefinitely (you control this via /dashboard/settings)
- Cancelled accounts: 30 days, then permanent deletion
- Backup retention: 90 days (encrypted S3, daily snapshots)
- Audit logs (audit_events table): 7 years (SOC2 compliance)
- Health check history: 30 days
You can request data deletion at any time via support@cloudios.com or
`/api/account/delete` (GDPR right to erasure).
5. Security
- Encryption at rest: AES-256-GCM for all sensitive data (webhook secrets,
  OAuth tokens, cluster tokens, kubeconfig)
- Encryption in transit: TLS 1.3, HSTS 2-year preload
- Multi-tenant isolation: Row Level Security (Supabase RLS) + thread-local
  credentials in the scanner (no cross-tenant data exposure)
- Access controls: Clerk SSO + RBAC (owner/admin/member)
- Audit logs: append-only with SHA-256 hash chain (tamper detection)
- Vulnerability management: Dependabot weekly + Sentry security monitoring
- Pen testing: annual third-party audit (scheduled Q3 2026)
6. Your Rights (GDPR / CCPA)
You have the right to:
- Access: request a copy of your data (`/api/account/export`)
- Correct: update inaccurate information (via /dashboard/settings)
- Delete: request erasure (`/api/account/delete`)
- Restrict: pause processing for specific purposes
- Port: export data in machine-readable JSON
- Object: opt out of specific processing activities
Email support@cloudios.com to exercise these rights. Response within 30 days.
7. International Transfers
Your data is stored in the European Union (eu-west-3, Frankfurt region).
We do not transfer personal data outside the EU/EEA without one of the following:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions
- Your explicit consent
8. Children's Privacy
Cloudios is B2B FinOps and is not directed at children under 16. We do not
knowingly collect data from children.
9. Changes to This Policy
We will notify you of material changes via email at least 30 days before
they take effect. Continued use of the Service after the effective date
constitutes acceptance.
10. Contact
Cloudios SAS
Email: privacy@cloudios.com
Address: [TBD — France HQ]
Data Protection Officer: dpo@cloudios.com
For GDPR complaints in the EU: contact your local Data Protection Authority
(CNIL for France).