1. Introduction and Scope

GreyOrbit ("we," "our," or "us") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our IT spend optimization platform and related services ("Services").

This policy applies to all users of our Services, including visitors to our website, registered users, and enterprise customers. By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes through appropriate channels.

2. Information We Collect

We collect various types of information to provide and improve our Services. The categories of information we collect include:

Personal Information

When you create an account or interact with our Services, we collect personal information such as your name, email address, phone number, job title, company name, and billing information. This information is necessary to provide our Services and communicate with you.

Usage and Analytics Data

We automatically collect information about how you use our Services, including cloud resource usage data, SaaS license utilization patterns, invoice data you upload for analysis, feature usage statistics, and performance metrics. This data helps us optimize our platform and provide better recommendations.

Technical Information

We collect technical information such as IP addresses, browser type and version, device information, operating system, referring URLs, and usage patterns. This information helps us maintain security, troubleshoot issues, and improve user experience.

Financial and Billing Data

For enterprise customers, we collect and process financial data including cloud bills, SaaS invoices, contract information, and spending patterns. This data is essential for our cost optimization analysis and recommendations.

Communications Data

We may collect information from your communications with us, including support requests, feedback, and other correspondence. This helps us provide better customer service and improve our Services.

3. How We Use Your Information

We use the collected information for various legitimate business purposes, including:

• Service Provision: To provide, maintain, and improve our IT spend optimization Services, including analyzing your cloud and SaaS usage patterns
• Cost Analysis: To identify zombie resources, duplicate subscriptions, and optimization opportunities within your IT infrastructure
• Recommendations: To generate personalized cost savings scenarios and impact assessments based on your specific usage patterns
• Alerts and Notifications: To send renewal calendar alerts, cost anomaly notifications, and other important updates
• Customer Support: To provide technical assistance, respond to inquiries, and resolve issues
• Platform Improvement: To analyze usage patterns, develop new features, and enhance our algorithms
• Security: To detect, prevent, and respond to security threats, fraud, and other harmful activities
• Legal Compliance: To comply with applicable laws, regulations, and legal processes
• Business Operations: To manage our business relationships, process payments, and conduct internal analytics

4. Legal Basis for Processing

We process your personal information based on the following legal grounds:

• Contractual Necessity: Processing necessary to perform our contract with you or to take steps at your request prior to entering into a contract
• Legitimate Interests: Processing necessary for our legitimate business interests, such as improving our Services, ensuring security, and conducting analytics
• Legal Compliance: Processing necessary to comply with legal obligations, such as tax requirements and regulatory compliance
• Consent: Where you have provided explicit consent for specific processing activities, such as marketing communications

5. Information Sharing and Disclosure

We do not sell, trade, or otherwise transfer your personal information to third parties except in the following circumstances:

Service Providers and Partners

We may share information with trusted third-party service providers who assist us in operating our platform, conducting business, or serving our users. These providers are contractually obligated to protect your information and use it only for the specified purposes.

Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, user information may be transferred as part of the transaction. We will notify you of any such change in ownership or control of your personal information.

Legal Requirements

We may disclose information when required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, property, or safety, or that of our users or others.

Aggregated and Anonymized Data

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you for research, analytics, or other business purposes.

6. Data Security and Protection

We implement comprehensive security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. Our security practices include:

• Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption
• Access Controls: Strict role-based access controls and multi-factor authentication for all system access
• Security Monitoring: Continuous monitoring for security threats and anomalous activities
• Regular Audits: Regular security audits and penetration testing by independent third parties
• SOC 2 Compliance: We maintain SOC 2 Type II certification for security and availability
• Employee Training: Regular security training for all employees handling personal data
• Incident Response: Comprehensive incident response procedures for security breaches
• Data Minimization: We collect and retain only the minimum amount of data necessary for our Services

7. Data Retention and Deletion

We retain your personal information for as long as necessary to provide our Services and fulfill the purposes outlined in this Privacy Policy. Our retention practices include:

• Account Data: Retained for the duration of your account plus 3 years for legal and business purposes
• Usage Data: Retained for up to 7 years to support analytics and service improvement
• Financial Data: Retained for up to 10 years to comply with tax and regulatory requirements
• Support Communications: Retained for up to 5 years for quality assurance and legal purposes

When we no longer need your information, we will securely delete or anonymize it in accordance with our data retention schedule and applicable legal requirements.

8. Your Privacy Rights

Depending on your location and applicable laws, you may have the following rights regarding your personal information:

• Access: Request access to your personal information and details about our processing activities
• Correction: Request correction of inaccurate or incomplete personal information
• Deletion: Request deletion of your personal information, subject to certain exceptions
• Portability: Request transfer of your personal information to another service provider
• Objection: Object to processing of your personal information for certain purposes
• Restriction: Request restriction of processing under certain circumstances
• Withdrawal of Consent: Withdraw consent for processing based on consent
• Non-Discrimination: Not be discriminated against for exercising your privacy rights

To exercise these rights, please contact us at privacy@greyorbit.com. We will respond to your request within the timeframes required by applicable law.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience on our platform and analyze usage patterns. For detailed information about our use of cookies, including how to manage your preferences, please refer to our Cookie Policy.

You can control cookies through your browser settings, but please note that disabling certain cookies may affect the functionality of our Services.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States and other countries where we or our service providers operate. We ensure appropriate safeguards are in place to protect your information during such transfers, including:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions by relevant data protection authorities
• Other legally recognized transfer mechanisms

11. Children's Privacy

Our Services are not intended for individuals under the age of 18, and we do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly.

If you are a parent or guardian and believe that your child has provided us with personal information, please contact us immediately.

12. Third-Party Links and Services

Our Services may contain links to third-party websites, applications, or services that are not owned or controlled by us. This Privacy Policy does not apply to such third-party services. We encourage you to review the privacy policies of any third-party services you access through our platform.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:

• Posting the updated policy on our website with a new "Last Updated" date
• Sending email notifications to registered users for significant changes
• Providing in-app notifications for material changes affecting your rights

Your continued use of our Services after such changes constitutes acceptance of the updated Privacy Policy.

14. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We will respond to your inquiries within 30 days or as required by applicable law.