Privacy Policy
This Privacy Policy explains what personal information Peel collects, how we use it, and the choices you have. We designed Peel to collect as little personal data as possible while still providing useful cloud cost intelligence.
1. Who we are
Peel is operated by Peel Pty Ltd, an Australian company. For the purposes of GDPR, we act as a data controller for account information and as a data processor for your cloud cost data.
2. What we collect
| Category | Examples | Purpose |
|---|---|---|
| Account | Email, company name, hashed password | Authentication, billing, support |
| Billing | Stripe customer ID, subscription status | Manage your subscription (card data stays with Stripe) |
| Cloud cost data | Service-level AWS cost figures retrieved via your IAM role | Dashboard, alerts, reports |
| Usage | Log in times, feature access, audit logs | Security, debugging, abuse prevention |
| Communications | Support emails, Telegram linking | Customer support, alerting |
3. What we do not collect
- We do not collect AWS long-term access keys — we assume a role using an External ID you generate.
- We do not read, store, or have access to your workloads, application data, databases, or infrastructure content.
- We do not collect card details — Stripe processes all payments.
4. How we use your data
We use the data listed above to provide the Service (dashboard, alerts, reports), secure your account, bill you, communicate with you about the Service, and comply with legal obligations. We do not sell your data. We do not use your cost data to train AI models.
5. Who we share with
- Stripe — payment processing (card data, billing address).
- Resend — transactional email delivery.
- Telegram — alert delivery, only if you opt in.
- Hostinger — VPS infrastructure (Australia-region).
- AWS — cost data retrieval via IAM role you authorise.
We share data only as needed to provide the Service. We do not sell personal data to third parties.
6. International transfers
Our primary infrastructure is in Australia. Some subprocessors (Stripe, Resend) may process data in the United States or European Union under appropriate safeguards (Standard Contractual Clauses where applicable).
7. Retention
- Account data — kept while your account is active, plus 90 days after cancellation for dispute resolution.
- Cloud cost data — 12 months by default (24 months with the retention add-on).
- Audit logs — 12 months.
- Deleted account data is purged from production and from backups within 35 days.
8. Security
- Data encrypted in transit (TLS 1.2+) and at rest.
- AWS access uses IAM Role + External ID, never long-term keys.
- Secrets stored in environment variables with restricted file permissions.
- Rate limiting and bot protection on all public endpoints.
- All sensitive actions recorded in an append-only audit log.
9. Your rights
Depending on where you live, you may have the right to access, correct, export, or delete your personal data, restrict or object to certain processing, and withdraw consent. To exercise any of these rights, email privacy@peel.cloud. We will respond within 30 days.
10. Cookies
We use only essential cookies required for authentication and session management (HttpOnly, SameSite=Strict). We do not use advertising or tracking cookies.
11. Children
Peel is not directed at children under 18 and we do not knowingly collect personal information from them.
12. Changes
We may update this Privacy Policy from time to time. Material changes will be notified by email at least 14 days before taking effect.
13. Contact
Privacy questions, data requests, or concerns: privacy@peel.cloud.