PRIVACY POLICY

CloudFix & RightSpend (Aurea, Inc.)

Effective Date: May 27, 2026 | Version: 1.0

This Privacy Policy describes how Aurea, Inc. ("CloudFix", "we", "us", or "our") collects, uses, and protects information in connection with our CloudFix and RightSpend services.

1. Information We Collect

1.1 Information You Provide

Account information: Name, email address, company name, and job title when you create an account or subscribe via AWS Marketplace.
Support communications: Content of support tickets and correspondence with our team.
Payment information: Billing is handled through AWS Marketplace. We do not collect or store credit card details.

1.2 Information Collected Automatically

Usage data: How you interact with the CloudFix or RightSpend dashboard — features used, pages visited, fix approvals.
Device information: Browser type, operating system, IP address (collected by our CDN provider, Cloudflare).

1.3 AWS Account Metadata

When you connect your AWS account, we access the following through a read-only IAM role that you deploy via CloudFormation:

AWS account configuration and metadata
Cost and Usage Report data
EC2 instance metadata, reservation status, and usage metrics
Resource configuration across supported AWS services (EBS, S3, RDS, CloudWatch, etc.)

We do not access your application data, databases, S3 objects, or any content stored in your AWS environment.

2. Information We Do NOT Collect

AWS credentials (secret keys, access keys) — we use IAM role assumption
Application data or content from your AWS environment
Personally identifiable information about your customers or end users from your AWS account
Credit card numbers or payment details

3. How We Use Information

We use collected information to:

Provide, maintain, and improve the CloudFix and RightSpend services
Generate cost optimization recommendations and automated fixes
Optimize Convertible Reserved Instances through RightSpend
Communicate with you about your account, support requests, and service updates
Improve our product through usage analytics (via PostHog)
Comply with legal obligations

4. How We Share Information

4.1 We do NOT sell your information.

4.2 Sub-Processors

We share limited data with the following third-party service providers:

Provider	Purpose	Data Shared
Amazon Web Services	Infrastructure hosting, Marketplace billing	Service data, account metadata
Cloudflare	CDN, DNS, DDoS protection	HTTP request metadata (does not see AWS data)
PostHog	Product analytics	Anonymized usage events. No AWS data or cost data.
Kayako	Customer support	Support ticket content, email, name

4.3 Legal Requirements

We may disclose information when required by law, subpoena, or government request, or when we believe in good faith that disclosure is necessary to protect our rights or the safety of others.

5. Data Security

All data encrypted in transit using TLS 1.2+
All data encrypted at rest using AES-256
AWS VPC isolation with security groups and no public data endpoints
Read-only IAM role for AWS account access — no write permissions without explicit approval
SOC 2 Type 2 certified
Principle of least privilege across all access controls
Regular security assessments and audit logging

6. Data Retention

Data Type	Retention Period
Active account data	Duration of subscription
Deleted account data	Purged within 30 days of deletion
Audit logs	1 year
Support communications	Duration of relationship + 1 year
Analytics data (PostHog)	Per PostHog retention policy

7. Your Rights

Depending on your jurisdiction, you may have the right to:

Access: Request a copy of your personal data
Rectification: Request correction of inaccurate data
Deletion: Request deletion of your personal data
Portability: Receive your data in a structured, machine-readable format
Objection: Object to processing of your personal data
Restriction: Request restriction of processing

To exercise any of these rights, please submit a request through the CloudFix Trust Center contact form. We will respond within 30 days.

8. International Transfers

Our services are hosted primarily in the United States (AWS us-east-1). If you access our services from outside the US, your data may be transferred to and processed in the US. By using our services, you consent to this transfer. We implement appropriate safeguards including Standard Contractual Clauses where required.

9. Children's Privacy

Our services are not intended for individuals under 18. We do not knowingly collect personal data from children.

10. Cookies and Tracking

We use minimal cookies for authentication and session management. We use PostHog for product analytics, which uses first-party cookies. We do not use third-party advertising trackers.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Trust Center and updating the "Effective Date" at the top. Your continued use of the services after changes constitutes acceptance of the updated policy.

12. Contact

For questions about this Privacy Policy or to exercise your data rights:

Submit a request through the CloudFix Trust Center contact form

Data Controller: Aurea, Inc.
Privacy Officer: Available via contact form