Privacy Policy

Last Updated: May 2, 2026

This Privacy Policy describes how Cloudarq (“we,” “us,” or “our”) collects, uses, stores, and protects your information when you use our cloud infrastructure auditing platform at cloudarq.net (the “Service”).

For questions about this policy, contact us at [email protected].

1. Information We Collect

1.1 Account Information

When you create an account, we collect your email address, full name, company or organization name, and password. Your password is stored as a bcrypt hash — we never store it in plain text.

1.2 AWS Credentials

To perform infrastructure audits, you provide us with AWS access credentials, which may include an AWS Access Key ID and Secret Access Key, or an IAM Role ARN and External ID.

  • Credentials are encrypted at rest using AES-256-GCM encryption with a randomly generated initialization vector per operation
  • Credentials are used exclusively to perform read-only scans of your AWS infrastructure
  • We never modify, delete, or write to your AWS environment
  • You can delete your stored credentials at any time

1.3 AWS Infrastructure Data

When you run a scan, we collect metadata about your AWS infrastructure configuration across approximately 30 services using up to 169 checks spanning six audit pillars (security, cost, reliability, performance, operational excellence, sustainability). This includes EC2 instance states, security group rules, S3 bucket policies, IAM account settings, RDS configurations, Lambda runtimes, DynamoDB table settings, KMS key status, CloudTrail configuration, ECS/EKS cluster metadata, OpenSearch domains, and similar resource metadata. We also access Cost Explorer data to check reserved instance utilization.

Crucially, we never access the contents of your data stores. Specifically: we never call s3:GetObject (your bucket contents), secretsmanager:GetSecretValue (your secrets), ssm:GetParameter (your parameter values), or any database read operations. For Secrets Manager and SSM Parameter Store, we access only metadata (names, rotation configuration, parameter types) — never the actual secret or parameter values.

1.4 Payment Information

Payment processing is handled by Paddle.com Market Limited, which acts as our Merchant of Record. This means Paddle is the legal seller of your subscription, even though the product is ours: when you purchase a Cloudarq subscription, you are buying it from Paddle, not directly from Cloudarq. Your credit-card statement will read “Paddle.com” with a Cloudarq descriptor.

We do not store, process, or have access to your credit card numbers, bank account details, or other payment credentials — card data is entered directly on Paddle’s hosted checkout page. Paddle handles payment processing, currency conversion, fraud screening, chargeback handling, tax compliance globally (VAT for EU/UK, GST for AU/IN/SG/JP, US sales tax across all states, and other local indirect taxes), and invoicing. Your payment data is governed by Paddle’s privacy policy and DPA.

1.5 Usage and Analytics Data

We collect data about how you use the Service, including scan history and feature usage. We also use Plausible Analytics to collect anonymous, aggregated website data such as page views and referral sources. Plausible does not use cookies, does not collect personal data, and does not track individual users.

1.6 API Keys

If you use the REST API (Max tier), we generate and store API keys associated with your account. API keys are hashed at rest. We log API usage metadata (endpoint, timestamp, IP) for security and rate-limiting purposes.

1.7 Support Requests

When you contact us via the support form or email, we collect the information you provide (name, email, message). Support tickets are stored in our system and associated with your account if one exists.

1.8 Cookies

We use a single functional cookie (refresh_token) — an HTTP-only, secure cookie used solely for authentication session management. It cannot be accessed by JavaScript, is only transmitted over HTTPS in production, and expires after 7 days. We do not use advertising, tracking, or third-party cookies.

1.9 Telemetry and Error Monitoring

To diagnose production incidents we send error events and a small amount of request metadata to Sentry. The events Sentry receives are: stack traces, exception types and messages, the HTTP method + path of the in-flight request (URL query strings are scrubbed before send), the request id our middleware generates per request, and the user-agent string. PII is removed by Sentry’s beforeSend hook before the event leaves our backend — we do not send request bodies, response bodies, form inputs, AWS-credential fragments, or session tokens. Sentry retains events for 90 days; we never replay them outside the on-call diagnosis context.
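As an added illustration (not Cloudarq's code), a beforeSend-style scrubber that enforces the rules stated above: it keeps the method, path, request id and user-agent, and drops the query string, bodies, cookies and authorization headers. The event layout mirrors Sentry's request interface; the header names, the x-request-id field and the sample event are assumptions constructed here.

```javascript
// Added example, not Cloudarq's code: a beforeSend-style scrubber enforcing
// the §1.9 rules. The event layout mirrors Sentry's request interface
// (request.url, query_string, data, cookies, headers); the header names and
// the x-request-id field are assumptions.

// Request headers allowed through; every other header is dropped.
const KEEP_HEADERS = new Set(["user-agent", "x-request-id"]);

// Reduce a full URL to its path so query strings (tokens, emails) never leave.
function pathOnly(url) {
  if (typeof url !== "string") return undefined;
  try {
    return new URL(url, "http://placeholder.invalid").pathname;
  } catch {
    return undefined;
  }
}

function scrubEvent(event) {
  if (!event || typeof event !== "object") return event;
  const out = { ...event };
  const req = event.request || {};

  const headers = {};
  for (const [name, value] of Object.entries(req.headers || {})) {
    const key = name.toLowerCase();
    if (KEEP_HEADERS.has(key)) headers[key] = value;
  }
  // Rebuild `request` from scratch: query_string, data (bodies), cookies and
  // Authorization are not copied, so they cannot reach Sentry.
  out.request = { method: req.method, url: pathOnly(req.url), headers };

  // Identify the user by opaque id only; no email, name or IP address.
  if (event.user && event.user.id !== undefined) out.user = { id: String(event.user.id) };
  else delete out.user;

  // Request-scoped extra data (form inputs etc.) is dropped wholesale.
  delete out.extra;
  return out;
}

// Constructed sample event standing in for what the SDK would capture.
const SAMPLE_EVENT = {
  exception: { values: [{ type: "TypeError", value: "x is undefined" }] },
  request: {
    method: "POST",
    url: "https://example.invalid/api/scans?token=abc123&email=a%40b.c",
    query_string: "token=abc123&email=a%40b.c",
    data: { aws_secret_access_key: "EXAMPLEKEY" },
    cookies: { refresh_token: "EXAMPLE" },
    headers: { Authorization: "Bearer EXAMPLE", "User-Agent": "curl/8.0", "X-Request-Id": "req-1" },
  },
  user: { id: 42, email: "a@b.c", ip_address: "203.0.113.9" },
};
```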

1.10 AI Training

Cloudarq does not train any AI model. AI features (remediation suggestions, finding enrichment, infrastructure-as-code samples) call Anthropic’s Claude API on a per-request basis. Per Anthropic’s commercial terms, prompts and outputs from API calls are not used to train Anthropic’s models unless an explicit opt-in is configured — we have not opted in. The data we send Claude is described in §3 (Anthropic row); it is processed transiently to generate the response and is not retained for training.

2. How We Use Your Information

We use the information we collect to provide the auditing service, authenticate your identity, process payments, send transactional emails (scan results, alerts, verifications), respond to support requests, and improve the Service. We do not use your data for advertising, marketing profiling, or sale to third parties.

3. Third-Party Services

| Service | Purpose | Data Shared | Location |
|---|---|---|---|
| Hetzner | Infrastructure hosting | All service data | Helsinki, Finland (EU) |
| Cloudflare | DNS, CDN, TLS termination at the edge, DDoS protection | HTTP request metadata (IP, user agent, URL path); TLS-encrypted request bodies in transit | Global edge; US HQ |
| Paddle | Payment processing, tax, invoicing — Merchant of Record | Email, name, billing address, tax ID (B2B), subscription details | United Kingdom + Ireland (EU); United States (US) |
| Anthropic | AI remediation suggestions | Finding titles, resource IDs, configuration states (no credentials, no data contents) | United States |
| Resend | Transactional email | Recipient email, email content | United States |
| Sentry | Error monitoring and performance telemetry | Stack traces, request metadata; PII scrubbed via beforeSend | United States |
| Plausible | Anonymous analytics | No personal data | European Union |
| AWS | Read-only audit of your own AWS accounts (not Cloudarq hosting) | Account metadata, resource configuration, IAM policies — never data contents | Your chosen region |

We do not sell, rent, or trade your personal data to any third party. See /legal/subprocessors for the complete and current sub-processor list, including scheduled changes.

3.1 Sub-processor Data Flow

Which sub-processor sees which fields, in which order, at which lifecycle stage:

  • Inbound HTTP request → Cloudflare (TLS termination, edge filtering) → our backend on Hetzner. Cloudflare sees IP, user-agent, URL path, TLS-encrypted request bodies in transit.
  • Account creation + login → backend writes to Postgres on Hetzner; sends a verification email via Resend (recipient address, rendered email body, no other PII).
  • Subscription purchase → the customer is redirected to Paddle (Merchant of Record). Paddle collects email, billing address, tax ID for B2B, and card data on its own infrastructure; Cloudarq receives only an opaque customer id + subscription status via webhook.
  • AWS scan run → backend on Hetzner calls AWS APIs in your chosen region using the credentials you provided. AWS metadata is stored on Hetzner; raw findings never leave it.
  • AI enrichment → if enabled, finding titles + resource ids + configuration states are sent to Anthropic’s Claude API. Response is written back to Postgres on Hetzner and shown in your dashboard. Prompts are not stored on Anthropic’s side beyond the request lifecycle (per §1.10).
  • Outbound email → transactional emails (verification, scan-complete, payment receipts) are dispatched via Resend.
  • Production error → PII-scrubbed event sent to Sentry (per §1.9).
  • Anonymous web analytics → aggregated page-view counts to Plausible. No cookies, no per-visitor identifiers.

Each lifecycle event involves only the sub-processors named above; no data flows between sub-processors via Cloudarq.

4. Data Storage and Security

All data is stored on servers operated by Hetzner Online GmbH in Helsinki, Finland, within the European Union. We implement AES-256-GCM encryption for AWS credentials, bcrypt password hashing, JWT-based authentication with short-lived tokens, HTTPS enforcement with HSTS, rate limiting, account lockout protections, and optional two-factor authentication (TOTP).

5. Data Retention

We retain different categories of data for different periods. The shortest applicable retention always wins; for example, an account-deletion request triggers immediate erasure of account data even though the umbrella "while your account is active" rule would otherwise keep it.

5.1 Customer-facing data

  • Account data (email, name, hashed password, role): retained while the account is active; erased on receipt of a deletion request after the cooling-off window described on the in-product deletion page.
  • AWS credentials: retained while the connection exists; deletable at any time from the connection-detail page.
  • Scan results and findings: retained for 24 months for trend analysis, then aggregated and anonymised. You can also delete a specific scan ahead of that window.
  • Reports (generated PDFs and exports): 12 months from generation, then purged.
  • Email-send logs (recipient, subject, status): 90 days for deliverability diagnostics.
  • Support tickets: 24 months from last activity, then closed and anonymised.

5.2 Compliance and forensic retention

  • Audit log (admin actions, billing changes, refunds): 7 years. This window matches the obligations placed on Cloudarq by Paddle as Merchant of Record for invoice + refund traceability and is the standard retention window for SaaS billing records.
  • Webhook event log (paddle_webhook_events): 12 months for replay + reconciliation, then archived.
  • Sentry events: 90 days, then purged by Sentry per their retention policy.
  • Plausible analytics: aggregated and anonymous; no per-visitor data retained.

These retention windows apply on top of any legal-hold obligation (active investigation, regulator enquiry, or court-ordered preservation), in which case the relevant data is retained for the duration of the hold.

6. Your Rights (GDPR)

Because our infrastructure is located in the EU, we process data in accordance with the General Data Protection Regulation. The GDPR rights matrix in §11 below names each right, the legal basis, and the in-product or email path to exercise it.

7. Data Transfers

Our primary data storage is in the European Union (Helsinki, Finland). Several sub-processors operate outside the EEA: Anthropic (US), Resend (US), Sentry (US), Cloudflare (global edge with US HQ), Paddle (United Kingdom + Ireland for EU customers; United States for US customers).

7.1 Transfer Mechanism

Cross-border transfers to recipients outside the EEA / UK / Switzerland operate under the European Commission's Standard Contractual Clauses (Decision 2021/914, Modules 1 and 2 as applicable), incorporated by reference into our Data Processing Agreement (see /legal/dpa). Cloudarq's relationship with each sub-processor is controller-to-processor; the SCCs flow through to them as part of their own DPAs (linked from the subprocessors page).

For Paddle specifically, payment-related transfers are governed by the Paddle DPA, including its transfer-impact assessment. Paddle, as Merchant of Record, is the controller for the payment data it collects; Cloudarq does not see raw card data and never holds it.

For all other sub-processors the transfer impact is reviewed annually as part of our internal sub-processor compliance review; material changes (new sub-processor, jurisdictional change, withdrawn adequacy decision) trigger an update to the subprocessors page and a 30-day notification window where practical.

8. Children’s Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children.

9. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the Service. Your continued use after changes take effect constitutes acceptance of the updated policy.

10. Contact

For questions about this policy: [email protected]

11. GDPR Rights Matrix

For each right under Articles 15–22 of the GDPR (and the equivalent rights under UK GDPR), the legal basis we rely on, and the route to exercise it:

| Right | Article | How to exercise | Our timeline |
|---|---|---|---|
| Access — obtain a copy of personal data we hold about you | Art. 15 | Trigger a Data Export from Settings → Data & Privacy, or email [email protected] | Within 30 days |
| Rectification — correct inaccurate or incomplete data | Art. 16 | Edit your profile in-product, or email [email protected] for fields not editable in-product | Within 30 days |
| Erasure (right to be forgotten) — deletion of your personal data | Art. 17 | Trigger an account-deletion request from Settings → Data & Privacy. Subject to a cooling-off window (in-product banner). Audit-log records (§5.2) are retained for the legal-obligation period of 7 years and pseudonymised on erasure. | After cooling-off elapses |
| Data portability — receive a structured, machine-readable copy | Art. 20 | Same flow as access (Art. 15) — the export is JSON/CSV per data category, suitable for re-import into another platform | Within 30 days |
| Restriction — pause processing while a dispute is being resolved | Art. 18 | Email [email protected] identifying the data and the reason | Acknowledged within 7 days |
| Object — object to processing on legitimate-interest grounds | Art. 21 | Email [email protected]; we evaluate whether overriding interests apply | Within 30 days |
| Withdraw consent — for processing based on consent (e.g. AI enrichment opt-in) | Art. 7(3) | Toggle the relevant feature off in Settings, or email [email protected] | Effective immediately |
| Lodge a complaint with a supervisory authority | Art. 77 | Your local Data Protection Authority. EU residents: see the EDPB members list. UK residents: ICO. | Per the authority’s timeline |

You do not need to provide a reason to exercise a right; we may ask for proof of identity proportionate to the request to prevent unauthorised access to another person’s data. We do not charge a fee for a first-time exercise of any of these rights.