1. Introduction
Welcome to CostOptix. This Privacy Policy describes how CostOptix ("we," "us," or "our"), operated by Yosolix Inc., a Delaware corporation, collects, uses, and shares information about you when you use our Software-as-a-Service (SaaS) platform for multi-cloud cost management.
Key Points
- What we collect: Account information, cloud cost data, usage analytics
- How we use it: To provide cost management services, improve our platform, and communicate with you
- Your control: You can access, export, and delete your data at any time
- Security: AES-256-GCM encryption at rest, TLS 1.3 in transit
- No selling: We never sell your personal or cost data to third parties
2. Information We Collect
2.1 Information You Provide to Us
Account Registration
- Full name and email address
- Password (hashed with bcrypt, never stored in plain text)
- Organisation name and details
- Job title and role
Cloud Provider Credentials
Read-Only Access Only. We request the minimum permissions needed:
- AWS: Access Key ID and Secret Access Key (read-only IAM policy)
- Azure: Service Principal (Client ID, Client Secret, Tenant ID) with Reader role
- GCP: Service Account JSON key with Billing Account Viewer permissions
- Heroku: API tokens with read-only access
- Kubernetes: Cluster configuration for metrics collection only
All credentials are encrypted at rest using AES-256-GCM and in transit using TLS 1.3. We never modify your cloud resources.
Enterprise self-hosted deployments: If you deploy CostOptix on your own infrastructure, you can configure your own AI provider API keys directly in your environment. These keys are never transmitted to or stored by CostOptix — they remain entirely within your infrastructure.
Payment Information
- Payment details are processed by our third-party payment processor — we do not store card numbers
- Billing address, payment history, and invoice records
Communications
- Support tickets and customer service correspondence
- Feedback and survey responses
2.2 Information Collected Automatically
Cloud Cost Data
- Billing and cost information from your connected cloud accounts
- Resource usage metrics (compute, storage, network)
- Service and resource metadata
- Cost allocation tags and labels
- Historical spending trends and patterns
Usage Information
- Pages visited, features used, and time spent
- API usage statistics and request logs
- Search queries within the platform
- Product analytics events (feature interactions, session data) collected via PostHog
Device and Technical Information
- IP address and approximate geolocation (country/region level)
- Browser type, version, and operating system
- Referring URLs
Log Data
- Application logs and error reports
- Authentication and session logs
- Security event logs (retained for 1 year)
2.3 Information from Third Parties
- Cloud Providers: Cost and usage data via their APIs
- SSO / Identity Providers: If you authenticate via OIDC (Business and Enterprise tiers only)
- Payment Processors: Payment confirmation and transaction data
3. How We Use Your Information
3.1 To Provide and Improve Our Services
- Collect and display cloud cost data from your accounts
- Generate cost reports, forecasts, and anomaly detection alerts
- Provide budget tracking and spending insights
- Enable AI-powered cost optimisation recommendations (where enabled)
- Send webhook notifications (Slack, Teams, Discord)
- Maintain and improve platform performance and reliability
3.2 To Communicate With You
- Send account-related emails (verification, password reset)
- Deliver cost alerts and budget notifications
- Respond to support requests
- Send product updates and security notices
- Provide billing and payment notifications
3.3 For Security and Fraud Prevention
- Verify identity and authenticate access
- Detect and prevent unauthorised access
- Monitor for suspicious activity and security threats
- Enforce our Terms of Service
3.4 For Analytics and Research
- Understand how users interact with our platform to improve features
- Measure feature adoption, session behaviour, and product engagement via PostHog
- Create anonymised, aggregated industry benchmarks
- Measure the effectiveness of communications and product changes
3.5 For Legal Compliance
- Comply with applicable laws and regulations
- Respond to legal requests and court orders
- Protect our legal rights and interests
What We DON'T Do With Your Data
- ❌ Sell your personal information or cost data to third parties
- ❌ Share identifiable data with competitors
- ❌ Use your data for advertising or marketing by others
- ❌ Modify, create, or delete your cloud resources
- ❌ Access your application data, code, or storage
4. Data Sharing and Disclosure
4.1 With Your Consent
We share your information only when you explicitly direct us to do so.
4.2 Within Your Organisation
- Users within your organisation can access cost data for accounts they have permission to view
- Organisation administrators can manage users and permissions
- Multi-tenant isolation ensures other organisations cannot access your data
4.3 Service Providers
We share information with trusted third-party service providers solely to operate our platform:
Infrastructure
- Managed cloud hosting provider (United States)
- Cloudflare (CDN, DDoS protection, AI Gateway)
Communications
- Resend (transactional email delivery)
- Webhook destinations you configure (Slack, Teams, Discord)
Payments
- Stripe (payment processing)
- We do not store credit card numbers
Analytics
- PostHog (product analytics, session recording)
- Google Analytics via Google Tag Manager
AI Services (Optional)
- Cloudflare AI Gateway → Google Gemini
- Only used when AI features are enabled
- You can opt out of AI features at any time
All service providers are contractually required to protect your data and use it only for the specific services they provide to us.
4.4 Legal Requirements
We may disclose your information in response to valid legal processes (subpoenas, court orders), government or regulatory requests, or to protect the rights, property, or safety of CostOptix, our users, or the public.
4.5 Business Transfers
If CostOptix is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and your options.
4.6 Aggregated and Anonymised Data
We may share aggregated, anonymised data that cannot identify you individually for industry benchmarking, public reporting, or product research.
5. Data Security
5.1 Encryption
- At Rest: AES-256-GCM encryption across all databases
- In Transit: TLS 1.3 for all data transmission
- Credentials: Cloud provider credentials use dedicated key management
- Passwords: Hashed with bcrypt and per-user salt
5.2 Access Controls
- Role-based access control (RBAC) for all user permissions
- Multi-tenant database isolation per organisation
- Admin infrastructure access restricted via Tailscale VPN
- API key authentication with granular permission scopes
5.3 Infrastructure Security
- Firewall and intrusion prevention on all production systems
- DDoS protection via Cloudflare
- Regular security patches and dependency updates
- Automated vulnerability scanning
5.4 Operational Security
- Security incident response procedures
- Limited employee access to production data
- Audit logging of all administrative actions
- Regular encrypted backups
While we implement industry-standard security measures, no method of transmission or storage is 100% secure. We will notify you within 72 hours if we discover a data breach affecting your account.
Report security issues: security@costoptix.com
6. Data Retention
6.1 Active Account Data
- Account Information: Retained for the duration of your subscription
- Historical Cost Data: Retained according to your subscription tier:
- Starter: 30 days
- Professional: 90 days
- Business: 365 days
- Enterprise: Unlimited
- Usage Logs: 90 days
- Security Logs: 1 year
6.2 After Account Deletion
- Cloud Credentials: Deleted within 30 days
- Personal Information & Cost Data: Deleted within 90 days
- Anonymised Data: May be retained indefinitely for analytics
- Legal Retention: Data required by law may be retained longer
6.3 Inactive Accounts
- Free accounts inactive for 12+ months may be deleted after 30 days' notice
- Paid accounts retain data until the subscription ends or is cancelled
6.4 Backups
- Backups are encrypted and retained for 30 days
- Deleted data is removed from backups during the next backup cycle
7. Your Privacy Rights
7.1 Access and Portability
- View your account information and cost data at any time via the platform
- Export your cost data in CSV format
- Retrieve data programmatically via our API
7.2 Correction and Update
- Update your account information and organisation details in Settings
- Modify or rotate cloud provider credentials at any time
7.3 Deletion and Erasure
- Delete your account via Settings
- Disconnect and remove individual cloud provider credentials
- Request complete data erasure (GDPR right to be forgotten)
7.4 Restriction and Objection
- Opt out of marketing emails via the unsubscribe link
- Disable AI features and the associated third-party data sharing
- Object to automated decision-making
7.5 How to Exercise Your Rights
- Self-Service: Settings page in your CostOptix account
- Email: privacy@costoptix.com
- Support: Submit a support ticket
We will respond to requests within 30 days. Identity verification may be required.
9. Third-Party Services
CostOptix integrates with various third-party services. We are not responsible for their privacy practices.
9.1 Cloud Providers
- Amazon Web Services: aws.amazon.com/privacy
- Microsoft Azure: privacy.microsoft.com
- Google Cloud Platform: policies.google.com/privacy
- Heroku: salesforce.com/privacy
9.2 AI Providers (When AI Features Are Enabled)
AI insights are powered through Cloudflare AI Gateway using Google Gemini models. Your cost data context may be sent to Google when AI features are active.
- Cloudflare AI Gateway: cloudflare.com/privacypolicy
- Google AI (Gemini): policies.google.com/privacy
9.3 Analytics Providers
- PostHog: posthog.com/privacy — product analytics and session recording (US-based)
- Google Analytics: policies.google.com/privacy — traffic analytics via Google Tag Manager
9.4 Webhook Integrations
When you configure webhooks, cost alerts and anomaly notifications are sent to your chosen destination (Slack, Microsoft Teams, Discord, or custom HTTP endpoints). You control which data is shared via webhook configuration.
9.5 External Links
Our Service may contain links to external websites. We are not responsible for the privacy practices of those sites and encourage you to review their policies.
10. International Data Transfers
10.1 Data Storage Location
CostOptix is incorporated in the United States (Delaware) and operated by Yosolix Inc. Our primary infrastructure is hosted in the United States. By using CostOptix, you consent to the processing and storage of your information in the United States.
10.2 Cross-Border Transfers
Data may be transferred across borders for:
- Cloud provider API requests (AWS, Azure, GCP, Heroku, and others)
- Third-party service providers operating in different countries
- AI service requests via Cloudflare AI Gateway (if AI features are enabled)
- Analytics processing via PostHog and Google Analytics
10.3 EU/EEA Users — Data Transfers to the US
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, please be aware that your personal data will be transferred to and processed in the United States, which may not provide the same level of data protection as your home jurisdiction.
We rely on the following mechanisms to lawfully transfer your data:
- Standard Contractual Clauses (SCCs) as approved by the European Commission
- Your explicit consent where required
- Performance of a contract with you
A Data Processing Agreement (DPA) incorporating SCCs is available upon request at legal@costoptix.com.
10.4 Safeguards
- Encryption in transit (TLS 1.3) and at rest (AES-256-GCM) for all data
- Contractual data protection obligations with all service providers
- Regular security assessments and compliance reviews
11. Children's Privacy
CostOptix is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we discover we have collected such information, we will delete it immediately. If you believe we have collected information from a child, please contact privacy@costoptix.com.
12. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
12.1 Right to Know
You may request the categories and specific pieces of personal information we have collected, the sources, business purposes, and categories of third parties with whom we share it.
12.2 Right to Delete
You may request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, fraud prevention).
12.3 Right to Opt-Out
We do not sell your personal information. If this ever changes, we will provide a "Do Not Sell My Personal Information" link.
12.4 Right to Non-Discrimination
We will not discriminate against you for exercising your CCPA rights.
12.5 How to Exercise CCPA Rights
- Email: privacy@costoptix.com
- Subject Line: "CCPA Request — [Your Request Type]"
- Response Time: 45 days (may extend to 90 days for complex requests)
13. GDPR Compliance (EU/UK Users)
13.1 Legal Basis for Processing
- Contract Performance: To provide our Service as outlined in our Terms of Service
- Legitimate Interests: To improve our Service, prevent fraud, and ensure security
- Consent: For marketing communications and optional AI features
- Legal Obligations: To comply with applicable laws and regulations
13.2 Your GDPR Rights
- Right of Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure: Request deletion of your data
- Right to Restriction: Limit how we use your data
- Right to Data Portability: Receive your data in a machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent where processing is consent-based
- Right to Lodge a Complaint: File a complaint with your local data protection authority
As our infrastructure is located in the United States, transfers of your personal data from the EEA/UK to the US are governed by Standard Contractual Clauses. Please contact legal@costoptix.com to request our DPA.
13.3 Data Protection Contact
- Email: privacy@costoptix.com
- Subject: "GDPR Inquiry — [Your Topic]"
13.4 Data Processing Agreement (DPA)
For customers processing personal data of EU/UK data subjects, we offer a DPA including Standard Contractual Clauses (SCCs). Request one at legal@costoptix.com with the subject "DPA Request".
13.5 Supervisory Authority
You have the right to lodge a complaint with your local data protection authority. A list of EU supervisory authorities is available at edpb.europa.eu.
14. Changes to This Privacy Policy
14.1 Updates
We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements.
14.2 Notification
We will notify you of material changes by email to your registered address and via in-app notification upon login.
14.3 Acceptance
Continued use of CostOptix after changes take effect constitutes acceptance. If you do not agree, you must stop using the Service and may delete your account.
14.4 Review History
Previous versions are available upon request at privacy@costoptix.com.
15. Contact Us
If you have questions or requests regarding this Privacy Policy, please contact us: