Privacy Policy
Last updated: March 1, 2026
1. Introduction
Xplorr ("we", "us", "our") operates the Xplorr platform accessible at xplorr.io and console.xplorr.io (collectively, the "Service"). This Privacy Policy explains what information we collect, why we collect it, how we use it, and your rights in relation to it.
By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Name and email address
- Company name
- Password (stored as a bcrypt hash — never in plaintext)
- Role and team membership
2.2 Cloud Credentials
To connect your cloud accounts, we collect and store cloud credentials (AWS IAM role ARNs, Azure service principal IDs, GCP service account keys). These are encrypted at rest with AES-256-GCM and stored in a separate secrets vault. We use these credentials solely to retrieve billing and usage data on your behalf.
2.3 Cloud Billing Data
We pull billing records, cost allocation data, and resource metadata from your connected cloud accounts. This data is stored in our database and used to power the dashboard, anomaly detection, recommendations, and reports. We do not access your application data, databases, or any workloads running in your cloud environment.
2.4 Usage Data
We collect anonymised usage analytics about how you interact with the Service, including:
- Pages visited and features used
- Session duration
- Browser type and operating system
- IP address (anonymised)
2.5 Communications
If you contact us via email or submit a form, we retain that correspondence to respond to you and improve the Service.
3. How We Use Your Information
We use collected information to:
- Provide, operate, and improve the Service
- Sync your cloud billing data and surface cost insights
- Send anomaly alerts, budget notifications, and scheduled reports you have configured
- Respond to support requests
- Send product updates and beta announcements (you can unsubscribe at any time)
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations
4. Data Sharing and Third Parties
We do not sell your data. We share data with third parties only in these circumstances:
- Infrastructure providers: AWS (hosting, database) — data is encrypted.
- OpenAI: When you use AI Recommendations, we send anonymised cost summaries to OpenAI for analysis. We do not send identifiable personal data or raw credentials.
- Slack: If you configure Slack alerts, we send alert payloads to your configured webhook URL.
- Legal requirements: If required by law, court order, or government authority.
5. Data Retention
- Account data: Retained while your account is active; deleted within 30 days of account closure on request.
- Cloud billing data: Retained per your plan (3 months for Starter, 12 months for Growth, unlimited for Enterprise). Deleted on account closure.
- Credentials: Deleted immediately when you disconnect a cloud account or close your account.
- Usage analytics: Retained for 24 months in anonymised form.
6. Your Rights (GDPR)
If you are located in the European Economic Area, you have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate data.
- Erasure: Request deletion of your personal data ("right to be forgotten").
- Portability: Request your data in a structured, machine-readable format.
- Objection: Object to processing of your data for specific purposes.
- Restriction: Request restriction of processing in certain circumstances.
To exercise any of these rights, email [email protected]. We will respond within 30 days.
8. Security
We implement industry-standard security measures including AES-256-GCM encryption at rest, TLS 1.2+ in transit, bcrypt password hashing, and separate secrets vaulting for credentials. See our Security page for full details.
No method of transmission over the internet is 100% secure. We will notify you within 72 hours of becoming aware of a security breach that affects your data.
9. Children's Privacy
The Service is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us personal data, contact us at [email protected].
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email at least 14 days before the new policy takes effect. Continued use of the Service after changes constitutes acceptance.
11. Contact
For privacy questions or to exercise your rights, contact us at:
Xplorr Privacy Team
Email: [email protected]