Privacy Policy
Last updated: January 2025
This Privacy Policy explains how CutCosts ("we", "us", or "our") collects, uses, and protects your personal data in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
Your GDPR Rights
Under the GDPR (Regulation EU 2016/679), you have the following rights:
- ✓ Right to Access:Request a copy of your personal data
- ✓ Right to Rectification:Correct inaccurate or incomplete data
- ✓ Right to Erasure:Request deletion of your data ("right to be forgotten")
- ✓ Right to Data Portability:Receive your data in a machine-readable format
- ✓ Right to Object:Object to certain processing of your data
- ✓ Right to Restriction:Request temporary restriction of processing
To exercise any of these rights, contact us at: privacy@cutcosts.tech
1. Data Controller
The data controller responsible for your personal data is:
CutCosts
[YOUR COMPANY ADDRESS]
[CITY, POSTAL CODE, COUNTRY]
Email: privacy@cutcosts.tech
Company Registration: [SIRET/VAT NUMBER]
Note: If you have questions about how we process your data, please contact our Data Protection Officer (DPO) at the email above.
2. What Data We Collect
We collect different types of data depending on how you interact with CutCosts:
2.1 Account Information
- Email address (required for account creation and authentication)
- Full name (optional, for personalization)
- Hashed password (encrypted using bcrypt, we never store plaintext passwords)
- Account preferences (notification settings, language, theme)
2.2 Cloud Credentials (Encrypted)
Security: All cloud credentials (AWS keys, Azure service principals, GCP service accounts) are encrypted at rest using Fernet symmetric encryption with a master key stored securely outside the database. We only request read-only permissions and cannot perform any destructive actions on your cloud resources.
2.3 Usage Data
- Scan history: Cloud account scans you initiate (timestamps, regions scanned, resources found)
- Resource management: Actions you take on detected resources (ignore, mark for deletion)
- Cost savings: Estimated savings based on resources you optimize
2.4 ML Data (Optional, Consent-Based)
If you opt-in to ML data collection (fully optional), we collect anonymized data for improving our AI predictions:
- Resource patterns: Types of resources detected and their characteristics (anonymized)
- CloudWatch metrics trends: CPU, I/O, network usage patterns (no identifiable info)
- Optimization decisions: Your choices on what to keep/delete (anonymized)
- Industry/company size: If you provide it (fully optional and anonymized)
What we DON'T collect: AWS account IDs, resource names/IDs, tags, IP addresses, your company name, or any personally identifiable information in ML data.
2.5 Technical Data
- IP address: For security (rate limiting, fraud prevention)
- Browser type and version: For compatibility
- Device information: Operating system, screen resolution
- Cookies: See our Cookie Policy
3. Legal Basis for Processing
Under Article 6(1) GDPR, we process your data based on the following legal grounds:
(a) Consent (Article 6(1)(a) GDPR)
For ML data collection, marketing emails, and non-essential cookies
(b) Contract Performance (Article 6(1)(b) GDPR)
For providing CutCosts services (scanning, resource detection, cost analysis)
(c) Legal Obligation (Article 6(1)(c) GDPR)
For compliance with tax, accounting, and regulatory requirements
(f) Legitimate Interest (Article 6(1)(f) GDPR)
For security (fraud prevention, rate limiting), analytics (service improvement), and technical operations
4. How We Use Your Data
We use your personal data for the following purposes:
- Service Delivery: Scanning your cloud accounts, detecting orphaned resources, calculating cost savings
- Account Management: User authentication, password resets, email verification
- Communication: Transactional emails (scan completed, account alerts), optional marketing emails (if consented)
- Security: Rate limiting, fraud prevention, abuse detection
- Improvement: Analyzing usage patterns to improve features (anonymized data only)
- ML Training: Training AI models for better predictions (only if you opted in, fully anonymized)
- Legal Compliance: Complying with legal obligations (e.g., tax records, GDPR requests)
5. Data Sharing and Third Parties
We do not sell your personal data. We only share data with trusted third parties for the following purposes:
5.1 Service Providers
- Hosting: [Your VPS provider / AWS / Azure] (for infrastructure)
- Email: [AWS SES / SendGrid / Mailgun] (for transactional emails)
- Analytics: [Google Analytics / Plausible] (anonymized usage analytics)
All service providers are GDPR-compliant and bound by Data Processing Agreements (DPAs).
5.2 Legal Requirements
We may disclose your data if required by law, court order, or government request, or to protect our legal rights.
6. Data Retention
We retain your data for the following periods:
- Account data: Until you delete your account + 30 days (for recovery)
- Cloud credentials: Until you remove the cloud account from CutCosts
- Scan history: 12 months (configurable in settings)
- ML data: 1-3 years (your choice) or until you withdraw consent
- Anonymized analytics: Indefinitely (cannot be linked back to you)
- Legal/tax records: As required by law (typically 7 years)
7. Data Security
We implement industry-standard security measures to protect your data:
- Encryption in transit: TLS 1.3 for all connections
- Encryption at rest: Fernet encryption for cloud credentials, bcrypt for passwords
- Access control: Role-based access, least-privilege principle
- Rate limiting: Protection against brute-force attacks
- Regular audits: Security reviews and vulnerability scanning
- Secure infrastructure: Isolated VPS, firewall rules, regular updates
No breach so far: We have never experienced a data breach. If one occurs, we will notify affected users within 72 hours as required by GDPR Article 33.
8. International Data Transfers
Your data is primarily stored in: [EU / Your server location]
If we transfer data outside the EU/EEA, we ensure adequate protection through:
- Standard Contractual Clauses (SCCs): EU-approved data transfer contracts
- Adequacy Decisions: Transfers to countries recognized by the EU Commission
10. Exercising Your Rights
You can exercise your GDPR rights by:
Export Your Data
Go to Settings → Privacy → Export My Data to download your data in JSON format
Delete Your Data
Go to Settings → Privacy → Delete My ML Data or contact us to delete your entire account
Contact Us
Email privacy@cutcosts.tech for any privacy-related requests
Response time: We will respond to your request within 30 days as required by GDPR Article 12. If we need more time, we will inform you and provide a reason.
11. Children's Privacy
CutCosts is not intended for children under 16 years old (or the minimum age in your country). We do not knowingly collect data from children. If you believe we have collected data from a child, contact us immediately at privacy@cutcosts.tech.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make significant changes, we will notify you by email or a prominent notice on our website. Continued use of CutCosts after changes constitutes acceptance.
Last updated: January 2025
13. Contact Us
For any questions about this Privacy Policy or our data practices, please contact us:
CutCosts Privacy Team
Email: privacy@cutcosts.tech
Address: [YOUR COMPANY ADDRESS]
Response time: We aim to respond within 48 hours (business days)
Complaint to Supervisory Authority: You have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights. For EU residents, find your authority at edpb.europa.eu.