Privacy Policy

Last updated: June 22, 2026

6WAF ("we") provides an AWS cost and security audit tool. This policy describes the data we collect, how we access your AWS account, and your rights over that data.

1. Data we collect

We collect only the minimum data needed to operate the service:

  • Account information: email, company name, contact name, AWS Account ID.
  • Scan results: AWS resource configuration (resource type, region, usage metrics, security posture). We do NOT read the contents of your data (databases, files, S3 objects).
  • Usage data: scan timestamps, pages visited (via anonymous analytics).

2. How we access AWS

We access your AWS account via AWS STS AssumeRole with an External ID — a standard AWS mechanism. We NEVER store your AWS credentials.

The primary IAM role (FinOpsAuditRole) is read-only. Temporary sessions expire after at most 1 hour. The External ID prevents confused deputy attacks.

Optional roles (Scheduler, Cleanup) have limited write/delete permissions — you only deploy them if you choose to use those features.

3. Data storage and location

  • Data is stored in AWS region ap-southeast-1 (Singapore): DynamoDB for configuration and results, S3 for detailed reports.
  • Scan results auto-delete after 30 days (DynamoDB TTL).
  • Passwords are hashed with PBKDF2-HMAC-SHA256; API keys are stored as hashes, never in plaintext.

4. Third parties

We use the following services, each with its own privacy policy:

  • Amazon Web Services — storage and compute infrastructure.
  • Vercel — web frontend hosting.
  • Calendly — consultation booking (only when you actively book).
  • Amazon SES — notification email.
  • Lemon Squeezy — payment processing (only if you upgrade to a paid plan).

5. Your rights

  • Access and view your data at any time in Settings.
  • Revoke AWS access immediately by deleting the CloudFormation stack in your account — no need to notify us.
  • Request full data deletion by contacting us via email.

6. Changes to this policy

We may update this policy over time. The new version will be posted on this page with the update date.

Contact

If you have questions about this privacy policy or your data, please contact: hunglv.3h@gmail.com