Privacy Policy
Last updated: 1 May 2025
1. Who we are
KloudLytics ("we", "our", "us") operates the KloudLytics platform — an agentless AWS Cloud Security Posture Management service available at kloudlytics.com and app.kloudlytics.com. If you have questions about this policy, contact us at privacy@kloudlytics.com.
2. What we collect
We collect the following categories of information:
Account data — your name, work email address, and hashed password when you register.
AWS scan data — read-only metadata from your AWS environment collected via the STS AssumeRole API. This includes resource configurations, IAM policy summaries, and service status flags. We never collect secrets, credentials, object contents (e.g. S3 object bodies), or application data.
Usage data — pages visited, features used, scan frequency, and error events, collected via server-side logs and optional analytics. No third-party tracking pixels are used.
Communications — any emails or support messages you send us.
3. How we use your data
We use collected data solely to:
- Provide, operate, and improve the KloudLytics platform
- Generate security reports and posture scores for your AWS accounts
- Send transactional emails (scan completion, invitation acceptance, password reset)
- Respond to support requests
- Detect abuse or policy violations
- Comply with legal obligations
We do not sell your data. We do not use your data to train machine-learning models for third parties.
4. AWS data handling
AWS scan data collected from your account is stored in S3 buckets scoped to your organisation ID. It is never shared with other customers or used to benchmark your environment against others. Scan artefacts are retained for 90 days after a collection is deleted, then permanently purged. You can request early deletion at any time by contacting support@kloudlytics.com.
5. Data sharing
We share data only with:
Sub-processors — cloud infrastructure providers (AWS for compute, storage, and queuing) and transactional email providers. A full sub-processor list is available on request.
Legal requirements — when compelled by a valid court order, subpoena, or applicable law. We will notify you of such requests unless legally prohibited from doing so.
We never share your data with advertisers.
6. Security
All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). AWS credentials used for scanning are short-lived STS tokens that expire automatically and are never stored. Access to production systems is restricted to authorised personnel and protected by MFA.
7. Your rights
Depending on your jurisdiction, you may have the right to access, correct, export, or delete your personal data. To exercise any of these rights, email privacy@kloudlytics.com. We will respond within 30 days. Users in the EU / EEA are covered by GDPR; users in California are covered by CCPA.
8. Cookies
We use only strictly necessary cookies — a session cookie for authentication and a theme preference cookie. We do not use advertising or tracking cookies. You can disable cookies in your browser, but doing so will prevent you from staying signed in.
9. Data retention
Account data is retained for the lifetime of your account and for up to 30 days after account deletion. AWS scan data is retained for 90 days after deletion. Anonymised aggregate usage statistics may be retained indefinitely.
10. Changes to this policy
We will notify you by email at least 14 days before any material change to this policy takes effect. Continued use of the service after that date constitutes acceptance of the updated terms.
Questions about this policy? privacy@kloudlytics.com