LEGAL

Effective: 20 March 2026

Last updated: 20 March 2026

This Privacy Policy governs the collection, use, storage, and disclosure of personal and organisational data when you use Cloud Review Services's AWS cost intelligence platform. By accessing our website or using our services, you consent to the practices described in this policy.

1. Who We Are

Cloud Review Services (operated as a sole proprietorship under Indian law) operates the Cloud Review Services platform accessible at https://cloud-review.com and https://app.cloud-review.com. We provide AWS cost intelligence services to engineering teams and organisations worldwide.

For data protection purposes, Cloud Review Services is the data controller for personal data collected through our website and platform.

Contact: legal@cloud-review.com

2. Information We Collect

2.1 Account and Identity Information

When you register for Cloud Review Services, we collect:

Full name and work email address
Organisation name and size
Billing information (processed by Paddle — we do not store card numbers)
Authentication credentials (passwords stored as bcrypt hashes, never in plaintext)
Multi-factor authentication data (TOTP secrets stored encrypted at rest)

2.2 AWS Account and Scan Data

When you connect an AWS account and run scans, we collect and store:

AWS Account IDs you connect to Cloud Review Services
IAM Role ARNs used for cross-account access
Scan findings: resource identifiers (e.g. instance IDs, volume IDs, bucket names), resource types, estimated costs, and waste classifications
AWS Cost Explorer data: historical spend aggregations, Savings Plan coverage percentages
CloudWatch metrics: CPU utilisation, connection counts, and similar performance indicators — at the resource level only

IMPORTANT: Cloud Review Services does NOT access, read, download, or store the contents of your AWS resources. We do not read your S3 objects, EC2 user data, RDS database contents, Lambda function code, or any application-level data. We read only AWS metadata and metrics via read-only APIs.

2.3 Usage and Technical Data

Log data: IP addresses, browser type, pages visited, timestamps
Session tokens and authentication events
Scan timing, API call counts, and feature usage patterns
Error logs and diagnostic information

2.4 Communications

Emails you send to our support address
Responses to surveys or feedback requests

3. How We Use Your Information

3.1 Service Delivery

Authenticating your identity and maintaining your session
Performing AWS account scans using your connected IAM roles
Generating cost findings, AI-enriched explanations, and fix recommendations
Storing scan history and findings for your dashboard
Processing billing and subscription management via Paddle

3.2 Service Improvement

Analysing aggregate usage patterns to improve detection accuracy
Identifying new waste patterns across service types
Testing and improving AI enrichment quality

3.3 Communications

Sending transactional emails: scan completion notifications, invoice receipts, security alerts
Sending product updates and feature announcements (you may opt out at any time)
Responding to support requests

3.4 Legal and Security

Detecting and preventing fraud, abuse, and security incidents
Complying with applicable laws and responding to lawful requests
Enforcing our Terms of Service

4. AWS Credentials and Access — Security Model

This section is specifically important for engineering and security teams evaluating Cloud Review Services.

4.1 How Cloud Review Services Accesses Your AWS Account

Cloud Review Services uses AWS Security Token Service (STS) cross-account assume-role. This means:

You deploy a read-only IAM role in your AWS account via CloudFormation
Cloud Review Services assumes this role using a unique ExternalId assigned to your organisation
AWS issues temporary credentials valid for one scan session (maximum 1 hour)
These temporary credentials are used in memory during the scan and are NEVER stored
Every API call made appears in your CloudTrail logs under the Cloud Review Services role

4.2 Temporary Credentials Option

If you provide temporary STS credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN) directly, these are:

Used in memory for the duration of the scan only
Never written to disk, database, or logs
Discarded immediately after the scan completes or fails

4.3 What the IAM Role Can and Cannot Do

CAN: Read resource metadata, list services, retrieve CloudWatch metrics, read Cost Explorer data
CANNOT: Create, modify, delete, or stop any AWS resource
CANNOT: Access the contents of S3 objects, RDS databases, or any application data
CANNOT: Modify IAM policies or create IAM users/roles
CANNOT: Access secrets, keys, or credentials stored in your account

5. Data Storage and Retention

5.1 Where Data Is Stored

Cloud Review Services stores data in AWS us-east-1 (Northern Virginia). Enterprise customers may request data residency in other AWS regions under a separate agreement.

5.2 Retention Periods

Account data (name, email, organisation): retained while your account is active
Scan findings and history: retained for 12 months from scan date on Starter, 24 months on Pro and Enterprise
Billing records: retained for 7 years as required by Indian tax law (IT Act, GST obligations)
Audit logs and security events: retained for 90 days
Deleted account data: permanently deleted within 30 days of account deletion, except billing records retained per legal requirement

5.3 Encryption

All data transmitted between your browser, our servers, and AWS is encrypted via TLS 1.2 or higher
Data at rest in our database is encrypted using AES-256
TOTP secrets for MFA are encrypted at the application layer before database storage

6. Data Sharing and Disclosure

We do not sell your personal data. We do not share your AWS scan findings with any third party except as follows:

6.1 Service Providers

Paddle: payment processing (subject to Paddle's privacy policy)
AWS: infrastructure hosting (subject to AWS's privacy policy)
Sentry: error tracking — anonymised error reports only, no AWS data
These providers are contractually restricted from using your data for their own purposes

6.2 Legal Requirements

We may disclose information where required by law, including:

Court orders, subpoenas, or other legal process
Requests from Indian law enforcement agencies under the IT Act 2000
Requests from foreign authorities through mutual legal assistance treaties (MLATs)

We will notify you of such requests where legally permitted to do so.

6.3 Business Transfers

If Cloud Review Services is acquired, merged, or undergoes a change of control, customer data may be transferred to the acquiring entity. We will provide 30 days' notice before any such transfer and allow you to delete your account.

7. Your Rights

7.1 Rights Under Indian Law (IT Rules 2011 and Consumer Protection Act 2019)

Right to access your personal data we hold
Right to correct inaccurate personal data
Right to withdraw consent for data processing (subject to contractual obligations)
Right to file a complaint with appropriate authorities

7.2 Rights Under GDPR (EU/EEA Users)

Right of access (Article 15)
Right to rectification (Article 16)
Right to erasure / 'right to be forgotten' (Article 17)
Right to restriction of processing (Article 18)
Right to data portability (Article 20)
Right to object to processing (Article 21)
Right to lodge a complaint with a supervisory authority

To exercise any of these rights, email legal@cloud-review.com. We will respond within 30 days.

8. Cookies and Tracking

Cloud Review Services uses the following cookies and similar technologies:

Session cookies: strictly necessary for authentication and maintaining your login state
Preference cookies: remembering your UI preferences
Analytics cookies: aggregate usage analytics (you may opt out in account settings)

We do not use advertising cookies. We do not track you across third-party websites.

9. Children's Privacy

Cloud Review Services is a B2B professional service not directed at children. We do not knowingly collect data from individuals under 18 years of age. If you believe we have inadvertently collected such data, contact us immediately at legal@cloud-review.com.

10. Changes to This Policy

We will notify you of material changes to this Privacy Policy by email (at the address on your account) at least 14 days before changes take effect. Continued use of Cloud Review Services after the effective date constitutes acceptance of the updated policy.

Non-material changes (clarifications, formatting, contact updates) take effect immediately upon posting.

11. Contact

For privacy-related queries, data requests, or complaints:

Email: legal@cloud-review.com

Subject line: Privacy — [Your Request]

Response time: Within 5 business days for acknowledgement, 30 days for resolution