Privacy Policy
Last updated: April 12, 2026 · Effective: April 12, 2026
1. Who We Are
FixMyCloud ("we," "us," or "our") is a company incorporated in the United Arab Emirates with operational presence in India. We operate the FixMyCloud platform at fixmycloud.ai and app.fixmycloud.ai (the "Services").
For GDPR purposes, FixMyCloud acts as data controller for account-related personal data and as data processor for Customer infrastructure data. For questions about this Policy, contact: privacy@fixmycloud.ai
2. Data We Collect
2.1 Account and Contact Data
When you register: name, email address, company name, job title, and password (hashed and salted — never stored in plaintext). Used to create and manage your Account, communicate with you, and enforce our Terms.
2.2 Infrastructure and Scan Data
When you connect infrastructure, the Services perform read-only API calls to access configuration metadata — for example, IAM policy definitions, security group rules, and storage bucket settings. We do not access your application data, database contents, or end-user records. This data is processed solely to generate security findings and compliance reports for you.
2.3 Credentials and Secrets
Connection credentials (API keys, SSH keys, service account JSON) are encrypted at rest using AES-256 before storage and are never logged or transmitted in plaintext. We use envelope encryption per-connection. Credentials are used only to perform Scans and are never shared with third parties.
2.4 Usage and Log Data
We automatically collect: IP addresses, browser type and version, pages visited, timestamps, and error logs. Used for security monitoring, troubleshooting, and service improvement.
2.5 Payment Data
Payment processing is handled entirely by Stripe, Inc. We do not store full card numbers or CVV codes. Stripe provides us with a tokenised reference and limited metadata (last 4 digits, expiry, card type). Stripe's privacy policy governs their handling of your payment data.
2.6 AI Feature Data
When you use AI-powered features, anonymised scan metadata (finding types, severity counts, rule codes) may be sent to OpenAI to generate remediation guidance and rule suggestions. We do not send raw credentials, full infrastructure configurations, personal data, or identifiable resource names to OpenAI. OpenAI is contractually restricted from using this data for general model training.
2.7 Cookies
We use essential cookies for authentication and preferences, and analytics cookies with your consent. See our Cookie Policy for full details.
3. How We Use Your Data
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing the Services, running Scans, generating findings | Contract performance |
| Authentication and account management | Contract performance |
| Billing and payment processing | Contract performance / Legal obligation |
| Security monitoring and fraud prevention | Legitimate interests |
| Customer support and communications | Contract performance / Legitimate interests |
| Product improvement (aggregated, anonymised only) | Legitimate interests |
| Marketing emails — with unsubscribe on every email | Consent / Legitimate interests |
| Compliance with UAE, Indian, or other applicable law | Legal obligation |
4. Data Sharing and Subprocessors
We do not sell your data. We share data only with the following subprocessors, each under data processing agreements that require them to protect your data:
| Subprocessor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, database hosting, and storage | US / EU / Asia Pacific |
| Stripe, Inc. | Payment processing and subscription billing | United States |
| OpenAI, LLC | AI-powered features — anonymised scan metadata only, never credentials or personal data | United States |
| Cloudflare, Inc. | CDN, DDoS protection, DNS, and SSL termination | Global |
We may share data with law enforcement or regulators when required by UAE, Indian, or other applicable law, or to protect FixMyCloud's legal rights. We will notify you of such demands unless prohibited by law.
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Duration of Subscription + 30 days after deletion request |
| Scan results and findings | Duration of Subscription + 30 days after cancellation |
| Connection credentials | Deleted immediately upon connection removal or account deletion |
| Billing records and invoices | 7 years (legal and tax obligation) |
| Security and access logs | 90 days rolling |
| Aggregated, anonymised analytics | Indefinite (non-identifiable) |
| Support communications | 3 years |
6. Security
We implement the following measures to protect your data:
- AES-256 encryption at rest for all Customer Data including credentials;
- TLS 1.2+ in transit for all API and web communications;
- Envelope encryption with per-connection key hierarchy;
- Access controls limiting internal staff access to Customer Data on a need-to-know basis;
- Audit logging of all internal access to Customer Data;
- Regular penetration testing and vulnerability assessments;
- Multi-factor authentication required for all FixMyCloud staff systems;
- Incident response procedures with notification to affected customers within 72 hours of confirmed breach.
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of personal data we hold about you.
- Rectification: Request correction of inaccurate data.
- Erasure: Request deletion ("right to be forgotten"), subject to legal retention requirements.
- Portability: Receive your data in a structured, machine-readable format.
- Restriction: Request we limit processing in certain circumstances.
- Objection: Object to processing based on legitimate interests, including direct marketing.
- Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
- GDPR Rights (EU/EEA/UK): All above rights apply. You may also lodge a complaint with your local data protection authority.
- Indian Residents: Rights under the Digital Personal Data Protection Act 2023 (DPDPA) apply, including the right to correct, erase, and nominate.
Submit requests to privacy@fixmycloud.ai. We respond within 30 days. Identity verification may be required.
8. International Data Transfers
FixMyCloud is incorporated in the UAE with operations in India. Customer data is hosted on AWS infrastructure which may span multiple regions. When we transfer personal data of EU, EEA, or UK residents to countries without an adequacy decision, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- UK International Data Transfer Agreements (IDTAs) for UK transfers;
- Appropriate safeguards under UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection.
Enterprise customers requiring a signed Data Processing Agreement with SCCs should contact legal@fixmycloud.ai.
9. Children
The Services are not directed to individuals under 16. We do not knowingly collect personal data from children. Contact privacy@fixmycloud.ai if you believe a child has provided data to us.
10. Changes to This Policy
We may update this Policy from time to time. Material changes will be communicated via email or in-product notice at least 30 days before taking effect. The "Last updated" date reflects the most recent revision. Continued use after the effective date constitutes acceptance.
11. Contact
FixMyCloud — United Arab Emirates & India
Privacy enquiries: privacy@fixmycloud.ai
Data Protection / DPO: dpo@fixmycloud.ai
Legal: legal@fixmycloud.ai
EU/EEA Representative enquiries: contact legal@fixmycloud.ai