Privacy Policy
Last updated: 2026-05-29
This policy explains what 1cost collects, how we use it, and the choices you have. 1cost is operated by CuliOps, a small team based in Vietnam. We write this policy to respect the privacy rights of customers everywhere, including under the GDPR and CCPA where they apply. See also our Terms of Service.
What we collect
- Account and identity: your email address and basic profile from the GitHub or Google account you sign in with.
- Cloud connection metadata: identifiers for the account, project, or subscription you connect, the read-only role or credential reference we use (for AWS, the role ARN and an external ID), and the list of regions you enable.
- Cost and resource findings: resource identifiers, regions, utilization metrics, spend figures from your cloud provider's cost API, and the savings estimates we calculate.
- Delivery: the notification channel you link, such as a Telegram chat identifier.
- Operational: an audit log of actions and usage counters needed to run and protect the service.
What we do not collect
We use read-only, least-privilege access and never read the contents of your data. We do not access object storage contents, secrets, decrypted keys, database rows, or log message bodies. We request only the permissions needed to describe resources and read cost and utilization metrics.
How we use it
We use this data to generate findings and plain-language explanations, to deliver notifications to the channel you choose, and to operate, secure, and improve the service.
Third parties we share data with
We rely on a small set of service providers to operate 1cost:
- Our hosting and storage provider stores your data on our behalf.
- GitHub and Google handle sign-in.
- Third-party AI providers generate the explanations attached to findings. To do this, we send them resource identifiers, regions, and utilization metrics related to a finding. These providers may process this data outside your country.
- Your notification channel (for example, Telegram) receives the finding summaries you choose to have delivered.
Your cloud provider account is your own. We do not sell your data or share it for advertising.
Where your data is processed
Your data is stored on our hosting provider's global edge infrastructure. As noted above, AI providers that generate explanations may process certain finding data outside your country.
Retention
We keep only what the service needs. We retain your account data while your account and connection are active, and we delete account-scoped data within 30 days of account deletion or a request to revoke access. Cached explanation text contains no customer identifiers and may be retained to serve future findings efficiently.
Your rights
You can access, export, or delete your data. You can revoke our access at any time by removing the read-only role (for AWS, by deleting the CloudFormation stack), and you can ask us to delete your stored data. Where the GDPR or CCPA applies, you also have the rights they grant, including objecting to or restricting certain processing. To exercise any of these, contact us below.
Security
We apply least-privilege access, isolate each customer's data from others, and protect credentials and secrets. No system is perfectly secure, but we design the service to minimize what we hold and what we can reach in your account.
Children
The service is for businesses and is not directed to children under 16.
Changes to this policy
We may update this policy. When we make a material change, we will update the date above and notify active users by a reasonable means.
Contact
Questions or requests about your data: support@1cost.dev.