Privacy Policy
How we handle your data
Effective Date: February 24, 2026
Last Updated: February 24, 2026
Introduction
OpsCurb ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AWS cost optimization service.
Information We Collect
1. Account Information
When you create an account, we collect:
- Email address (required for authentication)
- Company name (optional)
- Full name (optional)
- Password (hashed and encrypted)
- Billing information (processed by Stripe, not stored by us)
2. AWS Infrastructure Data
When you connect your AWS account, we collect:
- AWS Account ID (for cross-account access)
- IAM Role ARN (for authentication)
- External ID (for security)
- Resource metadata (EC2 instances, EBS volumes, RDS instances, etc.)
- Cost and usage data (from AWS Cost Explorer)
- CloudWatch metrics (aggregated performance data)
Important: We do NOT collect:
- ❌ S3 object contents
- ❌ Database data (RDS, DynamoDB)
- ❌ Application logs or data
- ❌ Secrets or credentials
- ❌ EC2 instance data
3. Usage Information
We automatically collect:
- Login activity (timestamps, IP addresses)
- Feature usage (which scanners you run, reports generated)
- API requests (endpoints accessed, response times)
- Browser information (user agent, device type)
4. Communication Data
- Support tickets (your questions and our responses)
- Email communications (newsletters, product updates)
- Notification preferences (Slack, Discord, Email settings)
How We Use Your Information
Primary Uses
- Provide the Service: Scan your AWS infrastructure and generate cost optimization reports
- Authentication: Verify your identity and manage your account
- Billing: Process payments and manage subscriptions
- Support: Respond to your questions and troubleshoot issues
- Notifications: Send scan results, alerts, and weekly reports
Secondary Uses
- Product Improvement: Analyze usage patterns to improve features
- Security: Detect and prevent fraud, abuse, and security incidents
- Compliance: Meet legal and regulatory requirements
- Marketing: Send product updates and feature announcements (opt-out available)
Data Sharing and Disclosure
We DO NOT Sell Your Data
We will never sell, rent, or trade your personal information or AWS data to third parties.
Third-Party Service Providers
We share data with trusted service providers who help us operate:
| Provider | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Supabase | Database & Auth | Account info, scan results | Supabase Privacy |
| Stripe | Payment processing | Billing info | Stripe Privacy |
| Railway.app | API hosting | Application logs | Railway Privacy |
| Vercel | Frontend hosting | Access logs | Vercel Privacy |
| AWS | Infrastructure | Scan results (S3) | AWS Privacy |
| Sentry | Error tracking | Error logs | Sentry Privacy |
All providers are contractually obligated to protect your data.
Legal Requirements
We may disclose your information if required by law:
- Court orders or subpoenas
- Government investigations
- Protection of our legal rights
- Prevention of fraud or illegal activity
Business Transfers
If we're acquired or merged, your data may be transferred to the new owner. We'll notify you before this happens.
Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account Information | Until account deletion | Service provision |
| Scan Results | 90 days (Free), 1 year (Paid) | Historical analysis |
| Billing Records | 7 years | Tax compliance |
| Support Tickets | 3 years | Quality assurance |
| Audit Logs | 1 year | Security monitoring |
Your Rights
Access and Portability
- View your data: Access all data we have about you
- Export your data: Download scan results in JSON/CSV format
- API access: Programmatic access to your data
Modification and Deletion
- Update information: Change your email, name, or preferences
- Delete account: Request complete account deletion
- Data erasure: We'll delete your data within 30 days of request
Privacy Controls
- Opt-out of marketing: Unsubscribe from promotional emails
- Notification preferences: Choose which alerts you receive
- Data sharing: Control what data is shared (limited options)
How to Exercise Your Rights
Email us at: privacy@opscurb.com
GDPR Compliance (EU Users)
If you're in the European Economic Area (EEA), you have additional rights:
Legal Basis for Processing
- Contract: To provide the service you signed up for
- Legitimate Interest: To improve our service and prevent fraud
- Consent: For marketing communications (opt-in)
Your GDPR Rights
- Right to access your data
- Right to rectification (correction)
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Right to withdraw consent
Data Transfers
We primarily store data in the US. For EU users, we use Standard Contractual Clauses (SCCs) approved by the European Commission.
EU Representative
For GDPR inquiries: gdpr@opscurb.com
CCPA Compliance (California Users)
If you're a California resident, you have rights under the California Consumer Privacy Act (CCPA):
Your CCPA Rights
- Right to Know: What personal information we collect and how we use it
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: Opt-out of sale of personal information (we don't sell data)
- Right to Non-Discrimination: We won't discriminate for exercising your rights
How to Exercise CCPA Rights
Email: privacy@opscurb.com with "CCPA Request" in the subject line
Cookies and Tracking
Essential Cookies
- Authentication: Keep you logged in
- Security: Prevent CSRF attacks
- Preferences: Remember your settings
Analytics Cookies
- Usage tracking: Understand how you use our service
- Performance monitoring: Identify and fix issues
Third-Party Cookies
- Stripe: Payment processing
- Google Analytics: Website analytics (optional, can be disabled)
Cookie Control
You can disable cookies in your browser settings, but some features may not work.
Children's Privacy
OpsCurb is not intended for users under 18. We don't knowingly collect information from children. If you believe we've collected data from a child, contact us immediately.
International Data Transfers
Your data may be transferred to and processed in countries other than your own. We ensure adequate protection through:
- Standard Contractual Clauses (SCCs)
- Privacy Shield frameworks (where applicable)
- Adequacy decisions by regulatory authorities
Security Measures
We implement industry-standard security measures:
- Encryption: AES-256 at rest, TLS 1.3 in transit
- Access Control: Role-based access, MFA for admins
- Monitoring: 24/7 security monitoring and alerts
- Audits: Regular security audits and penetration testing
See SECURITY.md for detailed security information.
Changes to This Policy
We may update this Privacy Policy periodically. We'll notify you of significant changes via:
- Email notification
- In-app notification
- Banner on our website
Continued use of the service after changes constitutes acceptance.
Contact Us
For privacy questions or concerns:
- Email: privacy@opscurb.com
- Support: support@opscurb.com
- Mail: [Your Company Address]
Regulatory Information
- Data Controller: OpsCurb, Inc.
- DPO Email: dpo@opscurb.com (if applicable)
- Registration: [Your business registration number]
Version: 1.0
Effective: February 24, 2026