Privacy Policy

Last updated: April 12, 2026

This Privacy Policy applies to both cloudretina.com (the marketing website) and app.cloudretina.com (the cloud audit platform). CloudRetina ("we", "us", or "our") is committed to handling your information with transparency and care. By using either property you agree to the practices described here.

1. Information We Collect

We collect only the information necessary to operate and improve the Service:

Account information: Your name and email address, provided by your identity provider (Microsoft or Google) when you authenticate through Auth0. We do not collect or store your password : authentication is fully delegated to Auth0.
Subscription information: Your active plan and subscription status, stored in association with your email address to control feature access.
Payment information: Payments are processed via Stripe payment links. All billing and payment-card details are entered directly on Stripe's platform and are collected, stored, and processed solely by Stripe. We receive only a Stripe customer ID and subscription status confirmation : we never see, handle, or store your card number, CVV, bank details, or any other payment credentials.
Cloud credentials (transient): Azure or AWS credentials you enter to initiate a scan. These are used exclusively for the duration of the scan session and are never written to any database, log file, or persistent storage. They exist only in memory while the scan runs and are discarded immediately on completion.
Saved credential profiles (optional): If you choose to save a named credential profile for re-use, those credentials are encrypted at rest using AES-256 and stored only within your account. You can delete any saved profile at any time from the dashboard. If you do not opt to save a profile, no credentials are retained after the scan.
Usage and request logs: Standard server logs (IP address, browser type, pages accessed, response status codes) are collected automatically for security monitoring and operational reliability. These logs are not used for advertising or profiling.

2. What We Do NOT Collect

We do not store the raw results of your cloud scans in our systems. Findings and cost estimates are computed in real time and returned directly to your browser session. No resource inventory data from your cloud environment is persisted on our servers after a scan completes.

We do not use advertising networks, tracking pixels, or third-party analytics scripts. We do not sell, rent, or share your personal information with any third party for marketing purposes.

3. How We Use Your Information

We use the information we collect to:

Authenticate your identity and control access to the Service.
Verify your subscription status and enable the features included in your plan.
Process payments and manage billing through Stripe.
Send transactional communications (e.g., billing receipts, account notices, material policy updates).
Respond to support requests and enquiries sent to us.
Detect, investigate, and prevent unauthorized access or fraudulent activity.
Monitor and improve the reliability and performance of the Service.

We do not use your cloud credentials, scan inputs, or scan outputs to train machine learning models or to improve our product for other users.

4. Cloud Credentials

When you provide Azure or AWS credentials to run a scan, those credentials are used exclusively to make read-only API calls to your cloud provider. The Service requests only the minimum permissions required to enumerate resources and retrieve cost and configuration metadata.

Credentials are held in server memory for the duration of the scan only. Once the scan response is returned to your browser, the credentials are discarded from memory and are not written to any log, database, or cache.

CloudRetina scans are read-only by default. The one deliberate exception is the optional resource deletion feature: if you select a specific resource and explicitly confirm deletion in the on-screen confirmation dialog, CloudRetina will call the cloud provider's delete API for that resource only. Deletion is always a manual, user-initiated action : it is never triggered automatically. You bear full responsibility for any resources you choose to delete via the Service.

5. Data Storage and Retention

The following data is stored in Azure Table Storage hosted in the Canada Central region:

Account data: Your email address and subscription status. Retained while your account is active and for up to 90 days after account closure for fraud-prevention and billing reconciliation purposes.
Saved credential profiles: Named credential sets you explicitly save, stored encrypted with AES-256. Deleted immediately when you remove the profile from the dashboard, or within 30 days of account closure.

If you close your account or submit a deletion request, we will remove your personal data within 30 days, except where retention is required by law (e.g., tax or financial records) or where we have a legitimate interest in retaining minimal data for fraud prevention.

6. Third-Party Services

We use the following third-party services. Each has its own privacy policy and data practices that we encourage you to review:

Auth0 (Okta) : identity and authentication. Auth0 manages sign-in via Microsoft and Google on our behalf and handles the secure storage of authentication tokens.
Stripe : payment processing via Stripe payment links. Stripe is solely responsible for collecting, storing, processing, and securing your payment card details under PCI-DSS standards. When you pay for a CloudRetina subscription, you are transacting directly with Stripe. Their privacy policy is available at stripe.com/privacy.
Microsoft Azure : cloud infrastructure for our API backend and encrypted data storage (Canada Central region).

We do not transfer your personal data to any other third parties for processing, unless required by law or with your explicit consent.

7. Cookies and Tracking

The scanner application at app.cloudretina.com uses browser session storage (not persistent cookies) to maintain your authentication state within a single browser session. Session storage is cleared automatically when you close the browser tab. We do not set advertising cookies, cross-site tracking identifiers, or any third-party analytics cookies on either cloudretina.com or app.cloudretina.com.

8. Data Security

We implement industry-standard technical and organizational controls to protect your information, including:

HTTPS/TLS encryption for all data in transit between your browser and our servers.
AES-256 encryption at rest for any stored credential profiles.
Role-based access controls and least-privilege principles on our cloud infrastructure.
Regular security reviews of our API and data-handling practices.

However, no system is completely secure. We cannot guarantee absolute protection against all possible threats. If you suspect that your account has been compromised, please contact us immediately at support@cloudretina.com.

9. Your Rights

Depending on your location and applicable law (including GDPR, PIPEDA, and other privacy statutes), you may have the right to:

Access a copy of the personal data we hold about you.
Request correction of any inaccurate or incomplete data.
Request deletion of your personal data ("right to erasure").
Object to or restrict certain processing of your data.
Withdraw consent where processing is based on consent.
Receive your data in a portable, machine-readable format.

To exercise any of these rights, contact us at support@cloudretina.com. We will acknowledge your request within 5 business days and respond fully within 30 days. We may need to verify your identity before fulfilling certain requests.

10. International Users

CloudRetina is operated from Canada. If you access the Service from outside Canada, your information may be transferred to and processed in Canada or in other jurisdictions where our infrastructure partners operate. By using the Service, you consent to such transfers. Where required by law, we ensure that appropriate safeguards (such as contractual protections) are in place for cross-border data transfers.

11. Children's Privacy

The Service is not directed to persons under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a minor, please contact us at support@cloudretina.com and we will promptly delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. For material changes, we will notify you by email to your registered address at least 14 days before the changes take effect. For minor updates, we will update the "Last updated" date at the top of this page. Your continued use of the Service after changes are in effect constitutes acceptance of the revised policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at support@cloudretina.com. We take all privacy enquiries seriously and will respond promptly.