Privacy policy
This policy explains what personal data CloudProof by BuriCloud ("we", "us") collects, why, who we share it with, and your rights. It applies to our website and the CloudProof application.
Last updated: 24 June 2026
1. Who is responsible
The data controller is Balázs Buri, trading as CloudProof by BuriCloud, Switzerland — full contact details are in our legal notice. Privacy questions: privacy@buri.cloud.
We process personal data under the Swiss Federal Act on Data Protection (revFADP, in force 1 Sep 2023) and, because we host in the EU and serve EU/EEA customers, the EU GDPR. UK GDPR applies to any UK customers.
2. What we collect
- Account & sign-in: your email address (we sign you in with a magic link — no password).
- AWS audit data: read-only configuration metadata and compliance findings from the AWS accounts you connect (e.g. account id, account name/alias, resource settings). We assume a read-only role; we never get write access and never read your application data.
- Product usage: logged-in, privacy-friendly analytics about how you use the app, stored in the EU. We do not use advertising or cross-site tracking cookies.
- Support & feedback: messages you send us in-app or by email.
- Consent records: when you accept our Terms, we record the terms version, the time, and your IP address as proof of agreement (legitimate interest / legal-defence basis).
- Billing: handled by Paddle as merchant of record (see §4). We never see or store your full card details.
3. Why we use it & our legal basis
- To provide the service (run scans, show reports, manage your account) — performance of our contract with you.
- To keep the service secure and working (operational notifications, abuse prevention, debugging) — our legitimate interest.
- To handle billing via Paddle — performance of contract.
- To meet legal obligations where they apply.
4. Who we share it with (sub-processors)
We use a small number of vetted providers to run CloudProof. We do not sell your data.
- Amazon Web Services (AWS) — application hosting & data storage, in the EU (Frankfurt, eu-central-1). AWS GDPR / DPA.
- Paddle — payments & merchant of record (billing, invoicing, sales tax/VAT). Paddle privacy.
- Slack (Salesforce) — internal operational notifications to our team. Slack privacy.
- Amazon SES — sending transactional email (sign-in links, alerts), EU region.
5. Countries your data may be processed in
The revFADP (Art. 19) requires us to name these — this goes beyond what the GDPR asks for.
Switzerland and the EU/EEA (primarily Germany, where we host). Depending on the provider above, limited processing may also occur in the United Kingdom and the United States (Paddle and Slack).
6. International transfers & safeguards
Transfers to the EU/EEA rely on Switzerland's and the EU's mutual adequacy recognition. Transfers to the United States rely on the Swiss–U.S. Data Privacy Framework (and EU–U.S. DPF) for certified recipients, or on EU/Swiss Standard Contractual Clauses where a provider isn't certified.
7. How long we keep it
We keep account and audit data while your account is active. When you cancel and return to Free, stored reports are retained for a short grace period and then purged in line with our data-minimization policy; signed reports you already downloaded or shared remain valid. See Security & trust for storage details.
8. Your rights
Under the revFADP and GDPR you can access, correct, delete, export, restrict, or object to the processing of your personal data, and withdraw consent where processing relies on it. Email privacy@buri.cloud and we'll respond within the legal time limits.
You may also complain to a supervisory authority: in Switzerland the FDPIC; in the EU, your local data-protection authority.
9. EU / UK representative
We currently rely on the exemption in Art. 27(2) GDPR, as our processing is occasional, low-risk, and does not involve large-scale special-category data. If a representative becomes required, we will appoint one and name them here.
10. Changes & contact
We'll update this page as the product evolves and note the date above. Questions or requests: privacy@buri.cloud.