Privacy Policy

1. Information We Collect

CostSage collects information necessary to provide our FinOps Agent service and improve your experience. Here's what we gather:

Account Data

When you create a CostSage account, we collect:

• Name, email address, and company name
• Monthly cloud spending range
• Company size and industry (optional)
• Password (encrypted)
• Phone number (if provided for support)

Cloud Account Data

To analyze your cloud infrastructure and generate savings recommendations, we collect:

• AWS: EC2, RDS, S3, Lambda, and other service metadata via read-only IAM role
• Azure: VM, Database, Storage, and other resource metadata via read-only RBAC role
• Cloud billing and cost data (we only access cost allocation tags and resource pricing)
• Resource tags, configurations, and utilization metrics
• CloudWatch and Azure Monitor metrics (CPU, memory, network usage)

Usage Data

We track how you use CostSage to improve our service:

• Features you access and recommendations you view
• Recommendations you approve or dismiss
• Changes executed through CostSage
• Login timestamps and session duration
• API calls and integration activity

Cookies and Tracking

We use cookies and similar technologies to:

• Keep you logged in (essential cookies)
• Remember your preferences (preference cookies)
• Measure product usage and performance (analytics cookies)
• Track conversion events (marketing cookies)

Communication Data

When you contact us, we collect:

• Email messages and attachments
• Chat transcripts from live support
• Phone call recordings (with your consent)
• Support tickets and feedback forms

2. How We Use Your Information

CostSage uses your information for the following purposes:

Service Delivery

We use your data to:

• Create and maintain your CostSage account
• Analyze your cloud infrastructure for cost optimization opportunities
• Generate and deliver savings recommendations
• Execute approved changes to your cloud resources
• Provide customer support and technical assistance

Product Improvement

We use anonymized usage data to:

• Identify patterns in cloud waste and optimization opportunities
• Improve our recommendation algorithms
• Enhance user experience and product features
• Debug issues and prevent service disruptions

Security and Compliance

We process your data to:

• Prevent fraud, abuse, and security threats
• Enforce our Terms of Service and other agreements
• Comply with legal obligations and regulatory requirements
• Respond to lawful government requests and legal proceedings
• Maintain audit logs for compliance certifications (SOC 2, ISO 27001)

Marketing and Communications

With your consent, we send:

• Product updates and feature announcements
• Optimization tips and FinOps best practices
• Quarterly savings reports and insights
• Promotional offers and case studies
• Security alerts and account notifications

3. Data Sharing & Third Parties

CostSage does not sell your personal data. We share information with trusted partners only when necessary:

Cloud Provider APIs

We connect to AWS and Azure APIs using your credentials to:

• Read resource metadata and billing data (read-only access)
• Execute approved cost optimization changes (scoped permissions only)
• Your cloud credentials are encrypted and stored securely in our database

Service Providers

We share data with vendors who process it on our behalf:

• Analytics: Segment and Mixpanel for product analytics
• Email delivery: SendGrid for transactional emails
• Payment processing: Stripe for subscription billing
• Cloud infrastructure: AWS for hosting and data storage
• Support ticketing: Zendesk for customer support
• Security scanning: Snyk for vulnerability detection

Legal Requirements

We may disclose your information when required by law, including:

• Subpoenas, court orders, or government requests
• Investigations of suspected illegal activity
• Protection of CostSage's legal rights and security

Business Transfers

If CostSage is acquired, merges with another company, or files for bankruptcy, your information may be transferred as part of that transaction. We will notify you of any change in ownership or control of your data.

Aggregated Data

We may share anonymized, aggregated insights about cloud cost trends and optimization patterns with industry partners and in case studies (with your explicit permission for named case studies).

4. Data Security

CostSage implements industry-leading security measures to protect your data:

Encryption

• In transit: All data transmitted to/from CostSage uses TLS 1.3 encryption
• At rest: Sensitive data (credentials, billing info) is encrypted using AES-256
• Cloud credentials: AWS and Azure keys are encrypted and rotated regularly

Access Controls

• Role-based access control (RBAC) limits employee access to customer data
• Multi-factor authentication required for all employee accounts
• Regular access reviews and least-privilege principles
• API authentication via OAuth 2.0 and API keys with rate limiting

Certifications & Compliance

• SOC 2 Type II certified (annual audits)
• ISO 27001:2022 certified
• ISO 9001 quality management certified
• GDPR compliant data processing
• CCPA compliant privacy practices

Incident Response

We maintain an incident response plan and will notify affected users within 72 hours of any data breach affecting personal information.

5. Data Retention

We retain your information as long as necessary to provide our service and comply with legal obligations.

Active Accounts

• Account data is retained for the duration of your subscription
• Cloud resource metadata is retained for 12 months for historical analysis
• Usage logs are retained for 90 days for security and troubleshooting
• Billing and payment history is retained for 7 years (tax/legal requirement)

Deleted Accounts

• When you delete your account, we immediately remove personally identifiable information
• Cloud credentials and keys are securely deleted
• Anonymized usage data may be retained for 12 months for analytics
• Backups containing your data are deleted within 30 days
• Legal holds may require us to retain data to comply with court orders

Marketing Communications

If you unsubscribe from marketing emails, we retain your email address on a suppression list to honor your preferences while still allowing us to send critical service announcements.

6. Your Rights

Depending on your location, you have certain rights regarding your personal data:

GDPR Rights (EU/UK/Switzerland Residents)

• Right to access: Request a copy of your personal data
• Right to rectification: Correct inaccurate information
• Right to erasure: Request deletion of your data ("right to be forgotten")
• Right to restrict processing: Limit how we use your data
• Right to data portability: Receive your data in a portable format
• Right to object: Opt out of marketing and profiling
• Right to withdraw consent: Withdraw consent for processing at any time

CCPA Rights (California Residents)

• Right to know: Request what personal information we collect
• Right to delete: Request deletion of your personal data
• Right to opt-out: Opt out of the sale or sharing of your data (we don't sell data)
• Right to correct: Request correction of inaccurate data
• Right to non-discrimination: You won't face discrimination for exercising your rights

How to Exercise Your Rights

To submit a data rights request, contact us at [email protected] with:

• Your name and email address
• Description of your request
• Proof of identity (for security verification)

We will respond within 30 days (45 days for complex requests). You may designate an authorized agent to submit requests on your behalf.

7. Cookies and Tracking Technologies

CostSage uses cookies and similar technologies for:

Essential Cookies (Always Active)

• Session ID: Keeps you logged in
• CSRF token: Protects against cross-site attacks
• Preference language: Remembers your language preference

Analytics Cookies (Required for Service)

• Segment: Tracks feature usage and conversion events
• Google Analytics: Measures website traffic (anonymized)
• Mixpanel: Analyzes user behavior in-product

Marketing Cookies (Consent Required)

• Pixel tracking from LinkedIn and HubSpot for remarketing
• Facebook Pixel for conversion tracking

No Advertising Cookies

CostSage does not use cookies to serve advertisements or behavioral targeting.

Cookie Preferences

You can control cookies in your browser settings. Most browsers allow you to refuse cookies or alert you when cookies are being sent. Disabling essential cookies may affect service functionality.

8. International Data Transfers

CostSage operates globally, and your data may be transferred to, stored in, and processed in countries other than your country of residence, including the United States.

EU-US Data Transfers

For EU/UK/Swiss residents, we rely on:

• EU-US Data Privacy Framework (DPF): Our US operations are certified under the DPF for data transfers from the EU
• Standard Contractual Clauses (SCCs): We execute SCCs with service providers to provide adequate safeguards

Data Localization

If required by local law, we can store your data in specific regions. Contact us to discuss data residency requirements.

9. Contact Us

For questions, concerns, or requests regarding this privacy policy, contact:

CostSage Privacy Team

• Email: [email protected]
• Mailing address: CostSage Inc., 123 Cloud Lane, San Francisco, CA 94105, USA
• Response time: We respond to privacy inquiries within 5 business days

Data Protection Authority

If you're located in the EU and believe we haven't complied with GDPR, you have the right to lodge a complaint with your local data protection authority.

Updates to This Policy

We may update this privacy policy periodically. Material changes will be communicated via email or through our website. Your continued use of CostSage after changes constitutes acceptance of the updated policy.