Privacy Policy
Last updated: January 19, 2026
1. Introduction
Cloudventory ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AWS resource inventory and monitoring service ("Service").
By using the Service, you consent to the data practices described in this policy.
2. Information We Collect
2.1 Personal Information
We collect the following personal information when you create an account:
- Email address (required for account creation and communication)
- First and last name (optional, for personalization)
- Organization name
- Password (securely hashed, never stored in plain text)
- Timezone preference
2.2 AWS Connection and Resource Data
To provide our Service, we collect the following information. The credential data we store depends on how you connect your AWS account:
- IAM Cross-Account Role (Recommended): We store the IAM Role ARN you provide. No long-term credentials are stored—we assume the role temporarily when scanning.
- Access Keys: If you choose this method, we store your AWS Access Key ID and Secret Access Key (encrypted at rest).
- AWS Account IDs and aliases
- AWS resource metadata (EC2 instances, S3 buckets, RDS databases, Lambda functions, IAM resources, VPCs, Security Groups, EBS volumes)
- AWS resource tags and configurations
- Resource relationships and network topology
Security Note: When access keys are used, they are encrypted at rest using industry-standard encryption.
2.3 Usage Data
We automatically collect certain information when you use the Service:
- Log data (IP addresses, browser type, pages visited, timestamps)
- Session cookies (for authentication)
- Feature usage analytics
- Scan history and frequency
2.4 Payment Information
Payment processing is handled by Stripe. We do not store credit card numbers or payment details on our servers. Stripe processes and stores payment information according to their Privacy Policy.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Scan and monitor your AWS resources
- Generate insights and recommendations about your infrastructure
- Authenticate your identity and prevent unauthorized access
- Process subscription payments and manage billing
- Send administrative emails (account verification, password resets, security alerts)
- Respond to customer support requests
- Improve and optimize the Service
- Detect and prevent fraud or security incidents
- Comply with legal obligations
4. Data Storage and Security
4.1 Data Location
Your data is stored on secure servers located in the United States. We use industry-standard cloud hosting providers with SOC 2 Type II compliance.
4.2 Security Measures
We implement robust security measures to protect your data:
- AWS access keys (when used) encrypted at rest using industry-standard encryption
- Passwords securely hashed (never stored in plain text)
- HTTPS/TLS encryption for all data in transit
- Multi-factor authentication (MFA) available for all accounts
- Regular security audits and vulnerability scanning
- Tenant isolation (organization-level data separation)
- Role-based access control (RBAC)
- Automated security scanning of our codebase
4.3 Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. Resource scan data is retained for historical tracking and trend analysis.
5. Data Sharing and Disclosure
We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following circumstances:
- Service Providers: We use trusted sub-processors for infrastructure, payments, and analytics. See our Sub-processors page for the complete list.
- Legal Requirements: When required by law, court order, or government request
- Business Transfers: In connection with a merger, acquisition, or sale of assets (users will be notified)
- Consent: With your explicit consent for any other purpose
We never share your AWS credentials or resource data with third parties for marketing or analytics purposes.
7. Your Privacy Rights
7.1 GDPR Rights (EU Users)
If you are located in the European Economic Area (EEA), you have the following rights:
- Right to Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure: Request deletion of your data (30-day GDPR-compliant process)
- Right to Restriction: Limit how we process your data
- Right to Data Portability: Receive your data in a machine-readable format
- Right to Object: Object to processing of your data
- Right to Withdraw Consent: Withdraw consent at any time
7.2 CCPA Rights (California Users)
If you are a California resident, you have the right to:
- Know what personal information we collect
- Request deletion of your personal information
- Opt out of the sale of personal information (we do not sell your information)
- Not be discriminated against for exercising your privacy rights
7.3 Account Deletion
You may request account deletion at any time from your profile settings. Upon deletion:
- Your account is immediately deactivated
- A 30-day grace period allows you to cancel the deletion request
- After 30 days, all personal data and AWS credentials are permanently deleted
- Anonymized usage data may be retained for analytics
8. Children's Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal data, please contact us immediately.
9. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws different from your jurisdiction. By using the Service, you consent to the transfer of your information to the United States and other countries.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. We encourage you to review this Privacy Policy periodically. Continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.
11. Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:
Email: privacy@cloudventory.io
Subject Line: Privacy Request
We will respond to privacy requests within 30 days as required by applicable law.