
Privacy Policy

How we collect, use, and protect your data when you use CostCanary.

Last updated: 12 May 2026

This Privacy Policy explains how Eclipt UG (haftungsbeschränkt) (“we”, “us”, “CostCanary”) collects, uses, and protects personal data when you use the CostCanary service available at costcanary.com and app.costcanary.com (the “Service”). It is written to comply with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

1. Controller

The data controller responsible for processing your personal data is:

Eclipt UG (haftungsbeschränkt)
Kolonnenstr. 8
10827 Berlin
Germany

Email: [email protected]

We are not required to appoint a Data Protection Officer under § 38 BDSG or Art. 37 GDPR at this time. Data-protection inquiries should be sent to the email address above.

2. What Data We Collect

We collect and process the following categories of personal data:

a) Slack workspace and account data. When you install CostCanary or sign in via Slack, Slack provides us with: your Slack user ID, name, email address, workspace (team) ID, workspace name, locale, and OAuth access tokens scoped to the permissions you authorized. We use these to identify you, scope your access within your workspace, and post reports to the channels you select.

a.1) Data about other members of your Slack workspace. When CostCanary is installed in a Slack workspace, we retrieve and store basic profile data for every member of that workspace, not only the installing user. This section is the notice required by Art. 14 GDPR for those members.

  • Categories of data: Slack user ID, team (workspace) ID, display name, real name, email address, account-status flags (deleted, restricted, bot/system), time zone, and locale.
  • Source: the Slack Web API, called by CostCanary using the OAuth bot scopes users:read and users:read.email that were granted by the workspace administrator at install time. We do not obtain this data from third-party data brokers or public sources.
  • Purposes: (i) enabling workspace administrators to assign CostCanary roles (e.g. admin, report owner) to specific people from a searchable directory, (ii) displaying meaningful names instead of opaque Slack IDs in the application, (iii) keeping the directory in sync as members join, leave, or change names.
  • Legal basis: legitimate interests under Art. 6(1)(f) GDPR — our and the installing workspace’s interest in operating access controls and a usable interface. We have weighed this against the interests of individual members and consider the impact limited (no profiling, no outbound communications, no decision-making about the individual).
  • Recipients: the same processors listed in Section 4. We do not share workspace-member data with third parties beyond those processors.
  • International transfers: none beyond Slack itself (the source) and our hosting in AWS Frankfurt. See Section 5.
  • Retention: while the workspace has CostCanary installed and the member is active. We delete the record within 90 days after the member leaves the workspace, after the workspace uninstalls CostCanary, or after the subscription is terminated.
  • Your rights: you have all the rights listed in Section 7, including in particular the right to object under Art. 21 GDPR to processing based on legitimate interests. Contact [email protected] to exercise them.

Installer’s responsibilities. The Slack workspace administrator who installs CostCanary acts as a controller in respect of their workforce’s personal data. They are responsible for informing workspace members that CostCanary has been installed and for ensuring there is a valid legal basis (typically performance of the employment contract or legitimate interest) for granting CostCanary access to their data. Where appropriate, the installer should make this Privacy Policy available to workspace members.

b) AWS integration data. When you connect an AWS account, you create an IAM role in your AWS account and provide us its ARN. We assume this role to read cost and usage data via the AWS Cost Explorer and Organizations APIs. The data we receive includes AWS account IDs, account names, linked-account relationships, service-level cost figures, and resource-level breakdowns. We do not access workloads, application data, or non-billing telemetry.

c) Billing data. Subscription and payment processing is handled by Stripe, Inc. (“Stripe”). When you subscribe, Stripe collects your billing name, billing address, VAT ID (if applicable), and payment instrument details directly. We receive customer and subscription identifiers, invoice metadata, and payment status events from Stripe via webhook — we do not store or process your full payment card details.

d) Communications. If you email us or contact support, we process your email address, the contents of your message, and any context you include.

e) Technical and usage data. When you use the Service, we automatically collect server logs containing IP address, user agent, request paths, response codes, timestamps, and error traces. We use this data to operate, secure, and debug the Service.

3. Legal Bases for Processing

We process personal data on the following legal bases under Art. 6(1) GDPR:

  • Performance of a contract (Art. 6(1)(b)): to provide the Service to you and your organization, including authentication, AWS data retrieval, report generation, delivery to Slack, and billing.
  • Legitimate interests (Art. 6(1)(f)): to secure the Service against abuse, debug errors, prevent fraud, and improve product quality. Our legitimate interest is operating a reliable B2B SaaS product; we have weighed this against the limited and expected nature of the processing.
  • Legal obligation (Art. 6(1)(c)): to comply with retention requirements under German commercial and tax law (e.g. §§ 147 AO, 257 HGB) for invoicing and accounting records.
  • Consent (Art. 6(1)(a)): where you have given specific consent, e.g. for optional product communications. You may withdraw consent at any time, without affecting the lawfulness of prior processing.

4. Recipients and Processors

Where CostCanary itself acts as a processor on behalf of a customer (for example, when processing Slack workspace-member data or AWS cost data for a paying customer), the customer–CostCanary relationship is governed by our Data Processing Agreement, which is automatically incorporated into the Terms of Service.

We share personal data only with service providers that act as processors on our behalf under Art. 28 GDPR, or with third parties where strictly necessary to provide the Service:

  • Amazon Web Services, Inc. (AWS) — cloud infrastructure hosting. The Service runs in the AWS Frankfurt region (eu-central-1).
  • Slack Technologies, LLC (a subsidiary of Salesforce, Inc.) — required to deliver reports to your Slack workspace and authenticate users.
  • Stripe, Inc. — payment processing and subscription management.
  • Cloudflare, Inc. — CDN, DNS, and DDoS protection for our websites.

We do not sell personal data to anyone, and we do not share it for third-party advertising.

5. International Data Transfers

Some of our processors are based in the United States (Slack, Stripe, Cloudflare, and AWS as a U.S. parent company). Where personal data is transferred outside the European Economic Area, we rely on:

  • the EU–U.S. Data Privacy Framework, where the recipient is certified; or
  • Standard Contractual Clauses approved by the European Commission under Art. 46(2)(c) GDPR; together with
  • additional safeguards where necessary following the recommendations of the EDPB.

You may request a copy of the safeguards in place by emailing [email protected].

6. Retention

We retain personal data only as long as necessary for the purposes set out above:

  • Account and Slack data: while your workspace is active. Deleted within 90 days of uninstall or account closure, except where longer retention is required by law.
  • AWS cost data and reports: while your subscription is active. Deleted within 90 days of subscription termination.
  • Billing records (invoices, tax records): 10 years, as required by §§ 147 AO and 257 HGB.
  • Server logs: typically 30 days, longer where needed to investigate a security incident.
  • Support communications: up to 3 years after the last interaction.

7. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Access (Art. 15) — request confirmation of whether we process your data, and a copy of it.
  • Rectification (Art. 16) — correct inaccurate or incomplete data.
  • Erasure (Art. 17) — request deletion of your data, subject to legal retention requirements.
  • Restriction (Art. 18) — request that we limit processing of your data.
  • Data portability (Art. 20) — receive your data in a structured, machine-readable format.
  • Objection (Art. 21) — object to processing based on legitimate interests.
  • Withdrawal of consent — where processing is based on consent, withdraw it at any time.

To exercise these rights, contact us at [email protected]. We respond within one month under Art. 12(3) GDPR.

You also have the right to lodge a complaint with a supervisory authority. The competent authority for us is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219, 10969 Berlin, Germany
www.datenschutz-berlin.de

8. Cookies and Similar Storage

We use cookies, local storage, and session storage only where strictly necessary to provide the service you have requested. The legal basis for these is § 25(2) Nr. 2 TDDDG (Digitale-Dienste-Datenschutz-Gesetz). No consent is required for strictly necessary storage. We do not use tracking cookies, advertising pixels, fingerprinting, or third-party analytics that profile visitors.

The specific items we set are:

Website (costcanary.com):

  • cc_signed_in (cookie, scope: .costcanary.com) — set by the application after sign-in so the website can redirect signed-in users straight to the application. Strictly necessary for the routing the user requested.
  • cc_no_auto_redirect (sessionStorage) — prevents an auto-redirect loop when a user has explicitly chosen to view the public website. Strictly necessary.
  • Cloudflare may set __cf_bm (a short-lived bot-management cookie) to protect the website from automated abuse. Strictly necessary under § 25(2) Nr. 2 TDDDG.

Application (app.costcanary.com):

  • Amazon Cognito authentication tokens (localStorage, managed by AWS Amplify) — required to keep you signed in. Strictly necessary.
  • cc_sidebar_state (cookie, ~7 days) — remembers whether you collapsed the navigation sidebar. We consider this strictly necessary to render the interface you last configured; if you disagree you may delete it at any time without affecting functionality.

You can clear these at any time using your browser controls; doing so will sign you out and reset UI preferences.

9. Security

We take appropriate technical and organizational measures to protect personal data, including TLS encryption in transit, encryption at rest, least-privilege IAM, scoped OAuth tokens, audit logging, and limited employee access on a need-to-know basis. No system is perfectly secure; if a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the supervisory authority within 72 hours under Art. 33 GDPR and, where required, inform you directly.

10. Automated Decision-Making

We do not use your personal data for automated decision-making that produces legal effects or similarly significantly affects you within the meaning of Art. 22 GDPR.

11. Children

The Service is intended for business use. We do not knowingly collect personal data from individuals under 16, the digital-services consent threshold under Art. 8 GDPR in Germany. If you believe a child has provided us with personal data, contact [email protected] so we can delete it. Contract capacity to use the Service is governed separately by Section 3 of our Terms of Service and requires an age of 18.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date above. Material changes will be communicated through the Service or by email to active customers before they take effect.

13. Contact

Questions about this Privacy Policy or how we handle your data? Email [email protected] or write to the address in Section 1.
