Privacy Policy

This Privacy Policy explains how TurboFinOps ("TurboFinOps", "we", "us", or "our") collects, uses, stores, and discloses information about you when you use the TurboFinOps platform. We are committed to protecting your privacy and processing your data lawfully, fairly, and transparently in compliance with the General Data Protection Regulation (GDPR) and other applicable privacy laws.

Effective Date: April 2026
Last Updated: April 2026

Notice: This document is a structured draft and should be reviewed by qualified legal counsel before publication. Placeholder values in brackets must be replaced with accurate company, jurisdictional, and registration information.

1. Introduction and Controller Identity

TurboFinOps is the data controller responsible for the personal data processed through the TurboFinOps platform. We are registered in Romania. For all privacy-related inquiries, you may contact our data protection team at privacy@turbofinops.com.

This policy applies to all individuals who interact with TurboFinOps, including visitors to our website, registered account holders, organization administrators, and invited team members (Users). It covers data processed through the web application, APIs, and any associated integrations.

Where TurboFinOps processes personal data on behalf of a Customer (for example, data contained within cloud resource tags or audit logs belonging to the Customer's organization), TurboFinOps acts as a data processor and the Customer acts as the data controller. This scenario is governed by separate enterprise contractual data processing terms. Enterprise customers can request a countersigned copy via legal@turbofinops.com.

2. Personal Data We Collect

We collect the following categories of personal data directly from you:

  • Account data: Email address, full name, and organization name, collected at registration via Supabase Auth. If you sign in with a third-party OAuth provider (Google, GitHub, Microsoft), we receive the profile information your provider shares with us under your consent.
  • Authentication data: Session tokens, login timestamps, SSO/SAML identity provider configurations (for enterprise accounts), and multi-factor authentication status.
  • Billing data: Stripe customer ID, subscription plan, billing cycle, and payment method metadata (last four digits, card type, expiry). Full payment card numbers are never stored by TurboFinOps -- they are handled exclusively by Stripe.
  • Communication data: Email address used for transactional notifications (scan completions, alerts, billing receipts) sent via Resend, and the content of support or contact form submissions.
  • Role and preference data: Your assigned role within an organization (Admin, FinOps, Security, Auditor, Viewer), notification preferences, and dashboard configuration settings.

We do not collect sensitive personal data (such as racial or ethnic origin, health data, biometric data, or political opinions) and ask that you do not submit such data through the platform.

3. Operational and Cloud Data We Process

In the course of providing the Service, TurboFinOps retrieves and processes operational and cloud infrastructure data from Customer-connected cloud accounts. This data is predominantly technical and organizational in nature rather than personally identifying; however, it may incidentally contain personal information (for example, resource names, tag values, or log entries that include employee names, email addresses, or identifiers).

The operational data we process includes:

  • Cloud resource metadata: Resource IDs, names, types, regions, availability zones, sizes, configurations, status, creation dates, and cost allocation tags -- retrieved from AWS, Azure, and GCP APIs.
  • Cost and pricing data: Resource-level cost estimates, savings opportunities, and rightsizing recommendations derived from cloud provider pricing APIs.
  • Findings and scores: Security, governance, compliance, and FinOps findings generated by the rule engine, including severity ratings, remediation suggestions, and historical trends.
  • Audit and action history: Immutable audit log entries recording who performed what action, when, with what result, and what evidence was generated.
  • Integration data: Jira and ServiceNow ticket IDs and status, Slack webhook endpoints (not message content beyond notification payloads), and Microsoft Teams webhook configurations.
  • AI usage data: Where the Customer configures a BYOAI provider, prompts constructed from inventory/findings data and model responses may be processed. Customer-provided AI API keys are encrypted at rest and are never logged or returned in API responses.

Cloud credential secrets (AWS access keys, Azure service principal secrets, GCP service account keys) are encrypted at rest using industry-standard encryption and are used solely for the purpose of scanning and executing authorized Cloud Actions on the Customer's behalf.

4. Legal Bases for Processing (GDPR Art. 6)

We process your personal data on the following legal bases under Article 6 of the GDPR:

  • Performance of a contract (Art. 6(1)(b)): Processing account data, billing data, cloud resource metadata, findings, audit logs, and action history is necessary to provide the Service under the subscription agreement between TurboFinOps and the Customer.
  • Legitimate interests (Art. 6(1)(f)): Processing for security monitoring, fraud prevention, service improvement, and aggregate analytics is based on our legitimate interest in operating and improving the platform, provided this does not override your interests or fundamental rights. You may object to processing based on legitimate interests (see Section 10).
  • Legal obligation (Art. 6(1)(c)): Processing may be required to comply with applicable legal obligations, including tax record retention, responding to lawful regulatory or law enforcement requests, and maintaining accounting records.
  • Consent (Art. 6(1)(a)): Where we rely on consent (for example, for optional marketing communications), you may withdraw your consent at any time without affecting the lawfulness of prior processing. Withdrawal does not affect your ability to use the Service.

Where we act as a data processor for Customer data (cloud operational data under Customer control), our legal basis for processing is the contract between TurboFinOps and the Customer, and we process such data only on documented instructions from the Customer.

5. How We Use Your Data

We use the data we collect for the following purposes:

  • Providing, maintaining, and operating the TurboFinOps platform and its features.
  • Authenticating users and enforcing role-based access controls and organizational boundaries.
  • Processing subscription payments, generating invoices, and managing billing lifecycle events.
  • Sending transactional emails (account registration, scan completion, critical finding alerts, billing receipts).
  • Generating cloud resource inventory, cost optimization findings, security posture assessments, and governance scores.
  • Executing Cloud Actions authorized by the Customer and maintaining the associated audit trail.
  • Providing AI-assisted recommendations and summaries (where the Customer has configured a BYOAI provider).
  • Operating third-party integrations (Jira, ServiceNow, Slack, Teams) at the Customer's direction.
  • Monitoring platform health, diagnosing technical issues, and improving service reliability.
  • Detecting and preventing fraud, abuse, security incidents, and Terms of Service violations.
  • Complying with legal obligations and responding to lawful requests from authorities.

We do not use Customer Data for advertising purposes, and we do not sell personal data to third parties. Aggregate, anonymized, or de-identified data may be used for internal analytics and product improvement.

6. Data Sharing and Sub-processors

We do not sell, rent, or share your personal data with third parties for their own marketing purposes. We share data only as necessary to provide the Service, comply with legal obligations, or with your explicit consent.

We use the following sub-processors to deliver the Service:

Sub-processor / Purpose / Location:

  • Supabase: Authentication, primary PostgreSQL hosting, file storage. Location: EU region (eu-west-2 preferred).
  • Aiven: Managed Redis for queue and cache workloads. Location: EU region (Amsterdam preferred).
  • Stripe: Subscription billing, invoicing, and payment processing. Location: US and EU operations.
  • Resend: Transactional email delivery. Location: US and EU operations.
  • Sentry: Error monitoring and diagnostics telemetry. Location: US and EU operations.

Each sub-processor is bound by a data processing agreement or standard contractual clauses. We maintain an up-to-date list of sub-processors and will notify Customers of material changes with at least 14 days' advance notice, during which Customers may object.

We may disclose personal data to competent authorities when required by law, court order, or to protect the rights, property, or safety of TurboFinOps, our Customers, or the public. Where permitted, we will notify affected Customers of such requests.

7. International Data Transfers

Our primary infrastructure is deployed in EU regions where available (eu-west-2 preferred). Some sub-processors also operate in US regions depending on service type and customer configuration.

Where personal data is transferred outside the European Economic Area (EEA) to a country that does not provide an equivalent level of protection under GDPR, we ensure that appropriate safeguards are in place. These safeguards include:

  • European Commission adequacy decisions where applicable.
  • Standard Contractual Clauses (SCCs) adopted by the European Commission (2021/914).
  • Binding Corporate Rules where applicable for data processor relationships.

You may request a copy of the relevant transfer mechanisms by contacting us at privacy@turbofinops.com.

8. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, to perform our contractual obligations, or as required by applicable law. The following retention periods apply:

  • Account data: Retained for the duration of the subscription and then according to the plan retention window: 30 days for Free, 6 months for Professional, and custom contractual terms for Enterprise.
  • Billing records: Retained for 7 years from the date of the transaction as required by applicable tax and accounting law.
  • Audit logs: Retained according to the plan retention window: 30 days for Free, 6 months for Professional, and custom contractual terms for Enterprise.
  • Cloud resource metadata and findings: Retained according to the plan retention window: 30 days for Free, 6 months for Professional, and custom contractual terms for Enterprise.
  • Email logs: Retained by Resend per their data retention policy. Notification records in TurboFinOps are retained for 90 days.
  • Error and performance data: Aggregated telemetry is retained for 90 days in Sentry; anonymized aggregate metrics for longer periods.

When data reaches the end of its retention period, it is deleted or anonymized such that it can no longer be attributed to any individual or organization. Backups are purged on a rolling 30-day schedule.

9. Security Measures

We implement technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, or destruction. Our security practices include:

  • Encryption of data in transit using TLS 1.2 or higher for all communications.
  • Encryption of sensitive data at rest, including cloud credentials and AI provider API keys.
  • Multi-tenant isolation enforced at the database layer -- all queries are scoped to an organization ID.
  • Role-based access controls (RBAC) with server-side enforcement on every API request.
  • Supabase Auth with session management, JWT validation, and support for SSO/SAML and multi-factor authentication.
  • Background jobs processed via isolated BullMQ workers to prevent API event loop exposure.
  • Immutable audit logs for all state-changing operations, with actor, timestamp, and result.
  • Regular dependency updates and vulnerability scanning in the development pipeline.
  • Incident response procedures including triage, containment, remediation, and post-incident review.

Despite our efforts, no security measures are perfect or impenetrable. In the event of a personal data breach that is likely to result in high risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by GDPR Articles 33 and 34.

For responsible security disclosure, please contact security@turbofinops.com.

10. Your Rights

Under the GDPR and applicable national data protection laws, you have the following rights with respect to your personal data. To exercise any of these rights, please contact us at privacy@turbofinops.com. We will respond within 30 days of receiving a verifiable request.

  • Right of access (Art. 15): You may request a copy of the personal data we hold about you and information about how it is processed.
  • Right to rectification (Art. 16): You may request that inaccurate or incomplete personal data be corrected. Account profile data can be updated directly in the platform settings.
  • Right to erasure (Art. 17): You may request deletion of your personal data where there is no legal basis for continued processing. This right may be limited where retention is required by law (e.g., billing records) or for the performance of a contract.
  • Right to data portability (Art. 20): You may request a machine-readable export of personal data you have provided to us where processing is based on consent or contract. Audit logs, findings, and resource inventory can be exported in CSV or JSON formats directly from the platform.
  • Right to object (Art. 21): You may object to processing based on legitimate interests. We will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests or rights.
  • Right to restriction (Art. 18): You may request that we restrict processing of your personal data in certain circumstances, such as where you contest its accuracy or where processing is unlawful.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

We will verify your identity before fulfilling any request and will not charge a fee for reasonable requests. We may decline requests that are unfounded, excessive, or would require disproportionate effort, but we will explain our reasons if we do so.

11. Cookies and Tracking

TurboFinOps uses a limited set of cookies strictly necessary for authentication and session management. We do not use advertising cookies, behavioral tracking cookies, or third-party analytics cookies on the platform itself.

Cookies set by Supabase Auth are required for user authentication and session persistence. These are first-party, session-scoped or short-lived persistent cookies containing encrypted authentication tokens. Without these cookies, the platform cannot function.

The Stripe checkout flow (used for subscription management) may set cookies from Stripe's domain for fraud prevention and checkout state management. These are governed by Stripe's own privacy and cookie policy.

For full details on the cookies we use, including names, purposes, and durations, please see our Cookie Policy.

12. Children's Privacy

The Service is intended for use by professionals and business organizations and is not directed at children under the age of 16. We do not knowingly collect or process personal data of children under 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete that information promptly.

If you believe we may have collected personal data from a child, please contact us immediately at privacy@turbofinops.com.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or platform functionality. Material changes will be communicated to registered users by email at least 14 days before they take effect.

The "Last Updated" date at the top of this page reflects when the policy was most recently revised. Continued use of the Service after the effective date of an updated policy constitutes acknowledgment of the changes. We encourage you to review this policy periodically.

14. Contact and Complaints

For questions, concerns, or to exercise your data protection rights, please contact our data protection team:

TurboFinOps

Romania

Data Protection Officer / Privacy: privacy@turbofinops.com

If you are located in the EEA and believe that we have not addressed your privacy concern adequately, you have the right to lodge a complaint with your local supervisory authority. In Ireland (where our primary infrastructure is hosted), this is the Data Protection Commission (DPC) at www.dataprotection.ie. We kindly ask that you contact us first so we have an opportunity to resolve your concern directly.
