Privacy policy
CloudCostIQ handles cloud billing data, usage evidence, recommendations, reports, account records, and workflow metadata for customers that use the product to understand and reduce cloud spend.
Last updated: June 6, 2026
Information we collect
We collect account information such as name, email address, authentication identifiers, organization membership, role, billing plan, and team invitations. We also collect product activity such as sign-ins, uploads, report views, recommendation updates, owner assignments, workflow actions, audit events, and support or sales communications.
Customers may provide cloud billing exports, invoices, Cost Management files, Cost and Usage Reports, BigQuery billing exports, resource metadata, ownership information, ticket links, reviewer notes, savings evidence, and related operational context. Connected integrations may provide recurring billing and cost metadata from AWS, Azure, Google Cloud, Slack, Jira, Linear, or similar systems.
Cloud credentials and billing evidence
When you connect a cloud provider, we may store encrypted credentials or tokens needed to retrieve billing evidence. Standard AWS and Azure connections are designed for billing and cost metadata, not infrastructure modification. Uploaded files and generated reports are stored under organization-scoped object paths.
We derive normalized cost facts, savings recommendations, verification records, executive summaries, and proof artifacts from the billing evidence customers provide or connect.
How we use information
We use customer information to:
- authenticate users and manage organizations, roles, and invites;
- process uploaded billing files and connected cloud billing data;
- generate reports, recommendations, proof packets, and summaries;
- send transactional emails, reminders, alerts, and workflow updates;
- operate billing, subscriptions, pilots, and customer support;
- secure the service, investigate abuse, and maintain audit logs;
- improve CloudCostIQ's reliability, workflows, and customer experience.
AI processing
CloudCostIQ may use AI providers to generate narrative explanations, summaries, and recommendations from structured or aggregated billing data. We do not intentionally send raw uploaded files to language model providers for narrative generation. AI output is used as decision support and should be reviewed before customers take action.
Subprocessors
CloudCostIQ uses trusted third-party services to operate the product. Current subprocessors include:
- Supabase for authentication, database, and organization metadata.
- Cloudflare R2 for uploaded files, generated PDFs, and proof artifacts.
- Anthropic for AI-generated explanations from structured or aggregated inputs.
- Stripe for checkout, subscriptions, invoices, and payment processing.
- Resend for transactional email.
- Inngest for background jobs and scheduled workflows.
Information sharing
We do not sell customer billing data. We share information only as needed to provide and secure the service, process payments, deliver emails and workflow notifications, comply with law, investigate misuse, or complete a business transaction such as a merger, acquisition, or financing. We may share information with customer-authorized users and integrations inside the customer's organization.
Security
We use HTTPS, encryption at rest, organization-scoped access controls, audit logging, signed upload and download flows, webhook signature verification, file validation, and credential encryption. More detail is available on the Security page.
Retention and deletion
We retain account data, billing evidence, reports, recommendations, verification records, audit logs, and workflow metadata while an account is active and as needed for security, billing, legal, tax, dispute, or operational purposes. Organization owners may request deletion by contacting us or using available in-product controls. After deletion, object storage and database records are removed according to our operational deletion process, subject to backups and legally required retention.
Customer controls
Customers can revoke cloud-provider access from their cloud console, disable integrations, remove invited users, download available reports, and request deletion. Customers are responsible for managing user roles and ensuring that uploaded or connected data is authorized.
International use
CloudCostIQ is operated from the United States and may process information in the United States or other locations where our subprocessors operate. Customers with specific data processing requirements may request a data processing agreement at /dpa.
Children
CloudCostIQ is a business service and is not intended for children under 16. We do not knowingly collect personal information from children.
Changes
We may update this Privacy Policy as CloudCostIQ evolves. If changes are material, we will take reasonable steps to notify customers through the product, email, or this page.
How long we keep it
Backup copies may persist for a limited period after deletion before they are overwritten or expired through normal backup cycles. Audit and billing records may be retained where needed for security, fraud prevention, legal compliance, or dispute resolution.
Contact
Questions about privacy, deletion, or data processing can be sent to [email protected].
