
Privacy Policy

This policy explains how Vibhaga Group collects, uses, stores, and protects personal data when you use the CloudAIPilot platform and website.

Last updated: June 9, 2026  ·  Effective: June 9, 2026  ·  DPDP Act 2023 Compliant
Contents
  • Data Fiduciary
  • Information We Collect
  • How We Use Your Data
  • Legal Basis
  • Sub-Processors
  • Storage & Security
  • Data Retention
  • Your Rights (DPDP)
  • EU/EEA Rights (GDPR)
  • Cookies & Analytics
  • International Transfers
  • Children's Privacy
  • Grievance Officer
  • Policy Changes
  • Contact Us

Plain language summary: CloudAIPilot stores only the data it needs to operate your account and manage your infrastructure. Your server credentials and API keys are encrypted. We do not sell your data. You can request deletion at any time.

1. Data Fiduciary Information

CloudAIPilot is a product of Vibhaga Group, the Data Fiduciary under the Digital Personal Data Protection Act, 2023 (DPDP Act) and the Data Controller under the General Data Protection Regulation (GDPR) for users in the European Economic Area.

Registered business: Vibhaga Group
Registered address: Desk ID HD-525, WeWork Krishe Emerald, Kondapur Main Road, Laxmi Cyber City, Kondapur, Telangana 500081, India
Privacy contact: legal@cloudaipilot.com

By creating an account or using the CloudAIPilot platform, you consent to the collection and use of your personal data as described in this Privacy Policy, in accordance with the Indian Contract Act, 1872, the Information Technology Act, 2000, the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the DPDP Act, 2023.

2. Information We Collect

2.1 Account and Identity Data

When you register, we collect: full name, email address, hashed password, profile information, organization name, and role within the organization. We also record account creation timestamp, login history, and IP addresses used for authentication.

2.2 Billing and Payment Data

We collect billing address, plan type, and subscription history. Payment card details are handled directly by our payment processor (Stripe, Inc.) and are never stored on CloudAIPilot servers. We receive only a tokenized reference and last-four-digit summary from the payment processor.

2.3 Server and Infrastructure Credentials

To manage your servers on your behalf, we store: server IP addresses, SSH private keys (encrypted at rest using AES-256), server hostnames, operating system details, and connection parameters. These are Sensitive Personal Data or Information (SPDI) under Indian IT Rules 2011 and are treated accordingly.

2.4 Cloud Provider Credentials and API Keys

When you connect cloud accounts (AWS, DigitalOcean, Hetzner, Vultr, or others), we store the access credentials or API keys you provide, encrypted at rest. These are used solely to provision and manage resources on your behalf. If you use the Bring Your Own AI Key (BYOAK) feature, your AI provider API keys are stored under the same encryption standard.

2.5 Git Provider Data

When you connect GitHub, GitLab, or Bitbucket accounts, we receive and store OAuth access tokens (encrypted), repository metadata (names, branches, webhook URLs), and deployment trigger events. We access repository contents only to the extent necessary to execute deployments you authorize.

2.6 AI Interaction Data

When you use AI Pilot, we log conversation messages, AI-generated responses, tool calls and their results, token usage counts (for billing purposes), and the AI model selected. Conversation history is retained to provide context across sessions and to generate your usage reports.

2.7 Server Metrics and Logs

We collect server performance metrics (CPU, RAM, disk, network), application logs, deployment logs, backup logs, and alert events from servers you connect to CloudAIPilot. This data is stored and used to power monitoring dashboards, alerts, and AI diagnostics.

2.8 Usage and Product Analytics

We collect clickstream data, feature usage events, page views, session durations, and error reports within the CloudAIPilot application. This data helps us improve the product. It is associated with your account but is processed in aggregate for product decisions.

2.9 Communications Data

When you contact support or submit feedback, we store the contents of that communication, your email address, and the timestamp. If you subscribe to product announcements or newsletters, we record that preference and your email address.

2.10 Device and Browser Data

We automatically collect browser type and version, operating system, device type, referring URL, and time zone for security and compatibility purposes. This data is used for fraud detection and ensuring the platform displays correctly.

3. How We Use Your Data

We use the personal data we collect for the following purposes:

  • Service delivery: Provisioning, operating, and maintaining the CloudAIPilot platform and the infrastructure you manage through it.
  • AI automation: Enabling the AI Pilot to execute infrastructure tasks, diagnostics, and recommendations on your behalf.
  • Billing: Processing subscription payments, calculating AI token and cloud wallet usage, generating invoices, and preventing fraud.
  • Security: Authenticating your identity, detecting unauthorized access, enforcing session limits, and auditing actions in your organization's activity log.
  • Notifications: Sending alerts, deployment status updates, billing notifications, and security advisories through channels you configure (email, SMS, push, Slack, etc.).
  • Product improvement: Analyzing usage patterns to prioritize features, fix bugs, and improve the user experience. This analysis is performed in aggregate and does not involve selling data to third parties.
  • Support: Responding to support requests and troubleshooting issues you report.
  • Legal compliance: Meeting obligations under applicable Indian and international law, including responding to lawful government requests.

3.1 What We Do Not Do

  • We do not sell or rent your personal data to any third party.
  • We do not use your data to train AI models without your explicit opt-in consent.
  • We do not access the contents of your servers, files, or databases except when you initiate an action through the platform (e.g., a file manager session or AI diagnostic).
  • We do not use your infrastructure credentials for any purpose other than the operations you authorize.

4. Legal Basis for Processing

4.1 Under the DPDP Act, 2023 (India)

We process your personal data on the following grounds under the DPDP Act:

  • Consent: You provide consent at registration for account creation, communications, and marketing. You may withdraw consent at any time (see Section 9).
  • Legitimate use: Processing necessary for the performance of the service contract you have entered into when creating your account.
  • Legal obligation: Processing required to comply with applicable Indian law, including tax, financial, and law enforcement obligations.

4.2 Under the GDPR (EU/EEA Users)

For users in the European Economic Area, we process personal data under the following GDPR lawful bases:

  • Article 6(1)(b) — Contract performance: Account management, service delivery, billing, and infrastructure operations.
  • Article 6(1)(a) — Consent: Marketing communications, cookies beyond strictly necessary, and analytics. You may withdraw consent at any time.
  • Article 6(1)(c) — Legal obligation: Tax, fraud prevention, and law enforcement compliance.
  • Article 6(1)(f) — Legitimate interests: Product improvement, security, and fraud prevention, where our interests do not override your rights.

5. Third-Party Sub-Processors

We share personal data with the following sub-processors to operate the platform. All sub-processors are bound by data processing agreements and are required to protect your data to a standard equivalent to this Policy.

Sub-Processor | Purpose | Location
Amazon Web Services (AWS) | Cloud infrastructure, database hosting, object storage | Multiple regions including ap-south-1
Anthropic, PBC | AI language model processing when using AI Pilot with Anthropic models | United States
OpenAI, LLC | AI language model processing when using AI Pilot with OpenAI models | United States
Google LLC | AI language model processing (Gemini), Google Analytics (website analytics) | United States
Meta Platforms, Inc. | Marketing analytics via Meta Pixel (website only) | United States
Stripe, Inc. | Payment processing and subscription management | United States / Ireland (EU)
GitHub, Inc. | Git repository integration for deployments (when connected by user) | United States
GitLab B.V. | Git repository integration for deployments (when connected by user) | Netherlands / United States
Atlassian Pty Ltd (Bitbucket) | Git repository integration for deployments (when connected by user) | Australia / United States
Slack Technologies, LLC | Alert and notification delivery to Slack channels (when configured by user) | United States
Microsoft Corporation (Teams) | Alert and notification delivery to Teams channels (when configured by user) | United States / EU
Telegram Messenger Inc. | Alert delivery to Telegram channels (when configured by user) | United Arab Emirates
PagerDuty, Inc. | Critical incident alert routing (when configured by user) | United States
Third-party SMS provider | SMS alert and notification delivery (when configured by user) | United States
Third-party messaging provider | WhatsApp notification delivery (when configured by user) | United States
Internet Security Research Group (Let's Encrypt) | SSL/TLS certificate issuance for managed sites | United States
DigitalOcean, LLC | Cloud server provisioning (when user selects DigitalOcean) | Multiple regions
Hetzner Online GmbH | Cloud server provisioning (when user selects Hetzner) | Germany / Finland
Vultr Holdings LLC | Cloud server provisioning (when user selects Vultr) | Multiple regions

Sub-processors marked "when connected/configured by user" only receive data if you explicitly connect that integration. Connecting a third-party service is optional and governed by that service's own privacy policy in addition to ours.

6. Data Storage and Security

CloudAIPilot takes the following security measures to protect your personal data:

  • Encryption in transit: All data transmitted between your browser, the CloudAIPilot API, and third-party services is encrypted using TLS 1.2 or higher.
  • Encryption at rest: SSH keys, cloud provider API keys, git tokens, and AI provider keys are encrypted at rest using AES-256 before storage in our database.
  • Hashed passwords: User passwords are never stored in plain text. We use bcrypt with a cost factor of 12 or higher.
  • Access controls: Internal access to production systems and databases is restricted to authorized personnel using role-based access controls and multi-factor authentication.
  • Audit logging: All administrative access to production infrastructure is logged and audited.
  • Vulnerability management: We conduct periodic security reviews and apply security patches promptly.

Important: While we take extensive security precautions, no system is completely immune to attack. In the event of a personal data breach that poses a high risk to your rights, we will notify affected users and, where applicable, the Data Protection Board of India within the timeframes required by law.

7. Data Retention

We retain personal data for as long as necessary to provide the service and meet our legal obligations:

  • Account data: Retained for the duration of your active subscription, plus 90 days after account closure to allow for reactivation. After 90 days, account data is permanently deleted unless retention is required by law.
  • Infrastructure credentials: Deleted within 7 days after a server or cloud account is disconnected from CloudAIPilot.
  • Server metrics and logs: Retained for up to 12 months from collection; older data is automatically purged.
  • AI conversation history: Retained for the duration of your active subscription. You may delete individual conversations at any time from within the platform.
  • Billing records: Retained for 7 years in accordance with Indian tax and accounting laws.
  • Audit logs: Retained for up to 2 years for security and compliance purposes.
  • Support communications: Retained for 3 years from the date of the last interaction.

8. Your Rights Under the DPDP Act, 2023

As a Data Principal under the DPDP Act, 2023, you have the following rights with respect to your personal data processed by CloudAIPilot:

  • Right to access information: You may request a summary of the personal data we process about you and the purpose of such processing.
  • Right to correction and erasure: You may request correction of inaccurate or incomplete personal data, or erasure of personal data that is no longer necessary for the purpose for which it was collected.
  • Right to grievance redressal: You may raise concerns with our Grievance Officer (see Section 13). If your grievance is not resolved within 30 days, you may escalate to the Data Protection Board of India.
  • Right to nominate: You may nominate another individual to exercise your rights in the event of your death or incapacity.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal, but may impact your ability to use features that depend on that processing.

To exercise any of these rights, contact us at legal@cloudaipilot.com. We will respond within 30 days as required by the DPDP Act.

9. Additional Rights for EU/EEA Users (GDPR)

If you are located in the European Economic Area, you have additional rights under the GDPR:

  • Right to access (Article 15): Obtain a copy of all personal data we hold about you.
  • Right to rectification (Article 16): Request correction of inaccurate personal data.
  • Right to erasure (Article 17): Request deletion of your personal data where there is no compelling reason for continued processing.
  • Right to restriction (Article 18): Request that we limit processing of your data in certain circumstances.
  • Right to data portability (Article 20): Receive your personal data in a structured, machine-readable format and transmit it to another controller.
  • Right to object (Article 21): Object to processing based on legitimate interests, including profiling for direct marketing.
  • Rights related to automated decision-making (Article 22): Not to be subject to solely automated decisions that produce significant effects, unless you have given explicit consent.

To exercise GDPR rights, email legal@cloudaipilot.com. We will respond within 30 days (extendable to 60 days for complex requests with notice). You also have the right to lodge a complaint with your national supervisory authority.

10. Cookies and Analytics

We use cookies and similar tracking technologies on our website (cloudaipilot.com). The CloudAIPilot application (app.cloudaipilot.com) uses strictly necessary session cookies only.

10.1 Cookie Categories

  • Strictly necessary: Session authentication, CSRF protection, and preference persistence. These cannot be disabled as they are required for the platform to function.
  • Analytics: We use Google Analytics to understand aggregate website traffic, page performance, and user journeys. Google Analytics data is anonymized and processed under Google's data processing terms.
  • Marketing: We use Meta Pixel to measure the effectiveness of our advertising campaigns. This involves sharing pseudonymous identifiers with Meta Platforms. You can opt out via Meta's ad preference tools.

10.2 Managing Cookies

You can control non-essential cookies by adjusting your browser settings. Disabling analytics cookies will not affect your ability to use CloudAIPilot. To opt out of Google Analytics across all websites, use the Google Analytics Opt-Out Browser Add-on.

11. International Data Transfers

CloudAIPilot is operated from India, but our sub-processors are located in various countries including the United States, European Union, and other jurisdictions. When we transfer personal data outside India, we take steps to ensure adequate protection through:

  • Standard contractual clauses with sub-processors in countries without an adequacy determination.
  • Data processing agreements that require sub-processors to maintain equivalent privacy and security standards.
  • Selecting sub-processors that operate under privacy frameworks such as the EU-US Data Privacy Framework where applicable.

By using CloudAIPilot, you acknowledge that your data may be transferred to and processed in countries outside India. We will always comply with applicable rules on cross-border data transfers.

12. Children's Privacy

CloudAIPilot is designed for professional and business use and is not directed at children. We do not knowingly collect personal data from individuals under 18 years of age. If we become aware that a user under 18 has created an account, we will delete their data promptly. If you believe a child has provided us with personal data, please contact legal@cloudaipilot.com.

13. Grievance Officer

In accordance with the Information Technology Act, 2000, the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the DPDP Act, 2023, Vibhaga Group has appointed a Grievance Officer to address concerns related to the processing of personal data.

Grievance Officer
Vibhaga Group
Desk ID HD-525, WeWork Krishe Emerald, Kondapur Main Road,
Laxmi Cyber City, Kondapur, Telangana 500081, India
Email: legal@cloudaipilot.com
Response time: Within 30 days of receipt of your grievance

If your grievance is not resolved to your satisfaction within 30 days of submission, you may escalate the matter to the Data Protection Board of India once it is constituted under the DPDP Act, 2023, or to the appropriate court of law in accordance with Section 14 below.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page.
  • Notify registered users by email at least 14 days before material changes take effect.
  • Where required by law, seek fresh consent before processing your data under a new purpose.

Your continued use of CloudAIPilot after changes become effective constitutes acceptance of the updated Policy, except where fresh consent is required by law.

15. Contact Us

For any privacy-related questions, data requests, or concerns not addressed in this Policy, please contact:

Privacy Team — Vibhaga Group (CloudAIPilot)
Email: legal@cloudaipilot.com
Subject line: "Privacy Request — [Your Request Type]"
Response time: Within 30 days

For general support: support@cloudaipilot.com

© 2026 CloudAIPilot · Vibhaga Group. All rights reserved.