Privacy Policy

Effective Date: April 5, 2026

This Privacy Policy describes how Configview ("Configview," "we," "us," or "our") collects, uses, discloses, and safeguards information in connection with our website at configview.com (the "Website") and our software platform, APIs, and related services (collectively, the "Services"). By accessing or using the Website or Services, you acknowledge that you have read and understood this Privacy Policy.

1. Scope and Applicability

This Privacy Policy applies to:

  • Visitors to our marketing websites;
  • Individuals who register for an account or subscribe to the Services;
  • Authorized users within a customer organization ("End Users"); and
  • Individuals whose data may be referenced within infrastructure metadata processed on behalf of our customers.

This policy covers three distinct data domains. Understanding these domains is essential to understanding what we collect, and — equally important — what we do not.

| Data Domain | Where | Our Role | What We Collect |
|---|---|---|---|
| Marketing Website Data | configview.com, getconfigview.com, and *.configview.com marketing properties | Data Controller | Standard website analytics, contact form submissions, cookies, and visitor behavior — as described in Section 3.1. |
| Application Usage Data | The Configview product (dashboard, APIs) | Data Controller | Aggregate metadata only. We collect usage analytics about how the application is used (e.g., number of users, number of records returned, feature usage, custom field names) — but we do not collect or store the underlying personal data that flows through the application. See Section 3.2. |
| Service Data | Customer's connected third-party platforms | Data Processor | Infrastructure metadata ingested from platforms you connect (e.g., AWS, Azure, Okta, Google Cloud, Slack). Processed solely on your behalf and according to your instructions. See Section 3.3. |

Key Principle: The Configview application does not collect, store, or have access to the personal data of your end users, employees, or customers. We collect only aggregate counts, structural metadata (such as field names and table schemas), and application usage patterns — never the data values themselves.

For self-hosted deployments, Configview does not have access to your Service Data or Application Usage Data. All data remains entirely on your infrastructure.

2. Definitions

  • "Marketing Website(s)" — The public-facing websites operated by Configview, including configview.com, getconfigview.com, and any subdomain of configview.com used for marketing, documentation, or informational purposes.
  • "Application" or "Product" — The Configview software platform, including the dashboard, APIs, scheduled jobs, and related tooling used by Customers to query and manage their infrastructure.
  • "Account Data" — Information you provide when you register, subscribe, or contact us, including name, email, company, and billing details.
  • "Application Usage Data" — Aggregate, non-personal metadata about how the Application is used, such as the number of active users, record counts returned by queries, feature utilization rates, custom field names, and table schemas. This data describes the shape and volume of activity — not the underlying personal data.
  • "Service Data" — Infrastructure metadata ingested by the Application from third-party platforms you connect (e.g., IAM roles, user directories, device inventories, resource configurations). Service Data is processed on your behalf.
  • "Infrastructure Metadata" — Configuration and identity data about your cloud resources, SaaS accounts, and endpoints — distinct from the content stored within those systems.
  • "Subprocessor" — A third-party vendor engaged by Configview to assist in providing the Services, who may process data on our behalf.
  • "Personal Data" — Any information relating to an identified or identifiable natural person, as defined by applicable data protection laws.
  • "Customer" — The entity that has entered into a subscription agreement with Configview for the use of the Services.

3. Information We Collect

3.1 Marketing Website Data

When you visit our Marketing Websites (configview.com, getconfigview.com, and associated subdomains), we collect the following information:

Information You Provide

  • Account Registration: Name, business email address, and password (stored as a one-way cryptographic hash). [FILL: Add company name, job title if collected.]
  • Billing & Payments: [FILL: e.g., "We use Stripe as our payment processor. We do not store full credit card numbers. Stripe collects and processes payment details in accordance with PCI-DSS Level 1. We retain only the last four digits of your card, card brand, and billing address."]
  • Contact Forms & Communications: Information you provide when contacting sales, requesting a demo, submitting feedback, or participating in surveys, including your name, email, and the content of your communications.

Information Collected Automatically

  • Log Data: IP address, browser type and version, operating system, referring URL, pages visited, date and time of access, and request duration.
  • Device Information: Screen resolution, device type, and language preference.
  • Cookies & Local Storage: As described in Section 6, including preferences such as theme selection and dismissed announcements.
  • Analytics: [FILL: e.g., "We use Plausible Analytics, a privacy-focused analytics tool that does not use cookies and does not collect personal data." OR "We use Google Analytics with IP anonymization enabled."]

Marketing Website Data is collected and processed under standard website privacy practices. We are the Data Controller for this information.

3.2 Application Usage Data (The Configview Product)

The Configview application does not collect or store personal information about your end users, employees, or customers. We collect only aggregate and structural metadata about how the application is used.

When you use the Configview application, we collect the following aggregate, non-personal metadata to operate, improve, and support the product:

| What We Collect | Example | What We Do NOT Collect |
|---|---|---|
| Number of active users | "12 users in this workspace" | Individual user names, emails, or identities |
| Record counts from queries | "Query returned 1,482 rows" | The actual row data or field values |
| Custom field names and table schemas | "Table has columns: name, email, role" | The data within those fields |
| Feature utilization | "Saved queries feature used 34 times" | The content of those queries or their results |
| Integration connection status | "Okta integration: connected, last sync 2h ago" | The data synced from Okta |
| Error rates and performance metrics | "API latency p95: 240ms" | Request payloads or response bodies |
| Scheduled job metadata | "15 jobs configured, 3 failed last run" | The data those jobs process |

Additionally, the application requires the following account-level data to function:

  • Authentication Credentials: Login email and password (stored as a one-way cryptographic hash) for dashboard access.
  • API Credentials: API keys, OAuth tokens, or service account credentials you provide to connect third-party platforms. These are encrypted at rest using a dedicated secret management service and used solely to authenticate with the connected platform on your behalf.

3.3 Service Data (Third-Party Integrations)

Configview operates as an infrastructure search engine. When you connect a third-party platform, the application ingests infrastructure metadata only into your deployment. The specific data depends on the integration and the API scopes you authorize.

Examples of Service Data processed by the application:

  • Identity and access management records (e.g., user names, email addresses, group memberships, roles, last login timestamps);
  • Resource inventories (e.g., compute instances, storage buckets, DNS records, security policies);
  • Device and endpoint metadata (e.g., device names, OS versions, serial numbers, compliance status); and
  • Communication platform metadata (e.g., Slack channel names, user group names — not message content).

What the application does NOT collect or access:

  • The contents of your emails, Slack messages, documents, or files;
  • Customer data stored within your databases or applications;
  • Source code, application secrets, or proprietary business logic;
  • Financial records, health data, or payment card data of your end customers; or
  • Any data beyond the specific API scopes you have explicitly authorized.

Important Distinction: Service Data is processed by the application on your infrastructure or within your dedicated environment. Configview (the company) collects only the aggregate Application Usage Data described in Section 3.2 — not the Service Data itself.

Self-Hosted Deployments: If you deploy Configview on your own infrastructure, all Service Data and Application Usage Data remain within your environment. Configview has no access to, and does not host, any of your data.

4. How We Use Your Information

4.1 Marketing Website Data

| Purpose | Legal Basis |
|---|---|
| Operating and improving our Marketing Websites | Legitimate interest |
| Analyzing website traffic and visitor behavior | Legitimate interest / Consent |
| Responding to contact form submissions and demo requests | Performance of contract / Consent |
| Sending product updates or marketing communications (with opt-out) | Consent / Legitimate interest |
| Detecting, preventing, and investigating fraud or abuse | Legitimate interest / Legal obligation |

4.2 Application Usage Data

| Purpose | Legal Basis |
|---|---|
| Providing, maintaining, and improving the Application | Performance of contract |
| Authenticating users and managing access controls | Performance of contract |
| Processing payments and managing subscriptions | Performance of contract |
| Sending transactional communications (e.g., security alerts, billing notices, service updates) | Performance of contract / Legitimate interest |
| Understanding aggregate feature usage to prioritize product improvements | Legitimate interest |
| Monitoring application health, error rates, and performance | Legitimate interest |
| Responding to support requests and troubleshooting | Performance of contract |

4.3 Service Data

Service Data is processed solely to provide the Services to the Customer that authorized it. We do not use Service Data for analytics, marketing, profiling, or any purpose beyond delivering the contracted functionality. The application queries and displays infrastructure metadata as directed by the Customer's configuration.

Complying with applicable laws, regulations, and legal processes may also require limited processing. Legal basis: Legal obligation.

5. How We Share and Disclose Information

We do not sell, rent, or trade your personal information to third parties. We may share information only in the following limited circumstances:

5.1 Subprocessors and Service Providers

We engage trusted third-party vendors to help operate and deliver the Services. These vendors are contractually obligated to use data only as directed by us and to maintain appropriate security measures.

| Category | Provider(s) | Purpose |
|---|---|---|
| Cloud Infrastructure | [FILL: e.g., Google Cloud Platform] | Hosting, compute, storage, networking |
| Payment Processing | [FILL: e.g., Stripe] | Subscription billing and payment handling |
| Transactional Email | [FILL: e.g., SendGrid] | Account verification, password resets, alerts |
| Analytics | [FILL: e.g., Plausible Analytics] | Website usage analytics |
| Secret Management | [FILL: e.g., Google Cloud Secret Manager] | Encrypted storage of API credentials |

[FILL: If you maintain a public subprocessor list page, link it here: "A current list of subprocessors is available at [URL]."]

5.2 Legal Requirements

We may disclose information if we believe in good faith that disclosure is necessary to:

  • Comply with applicable law, regulation, legal process, or enforceable governmental request;
  • Enforce our Terms of Service, including investigation of potential violations;
  • Detect, prevent, or address fraud, security, or technical issues; or
  • Protect against harm to the rights, property, or safety of Configview, our users, or the public.

5.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Website of any change in ownership or uses of your personal information, as well as any choices you may have.

5.4 With Your Consent

We may share information with third parties when you have given us explicit consent to do so.

6. Cookies and Tracking Technologies

6.1 Types of Cookies

| Category | Purpose | Examples |
|---|---|---|
| Strictly Necessary | Required for the Website to function. Cannot be disabled. | [FILL: e.g., Session authentication tokens, CSRF protection] |
| Functional | Remember your preferences and settings. | [FILL: e.g., Theme preference, language selection, dismissed announcements] |
| Analytics | Help us understand how visitors interact with the Website. | [FILL: e.g., Plausible (cookie-free) OR Google Analytics (_ga, _gid)] |
| Marketing | Used to deliver relevant advertisements and measure campaign effectiveness. | [FILL: e.g., "We do not currently use marketing cookies." OR list them] |

6.2 Managing Cookies

[FILL: e.g., "We do not use non-essential cookies. Our analytics provider (Plausible) is cookie-free and does not track individual users." OR "You can manage your cookie preferences using our cookie consent banner. You may also configure your browser to reject cookies, though some features of the Website may not function properly."]

6.3 Do Not Track

[FILL: e.g., "We honor Do Not Track (DNT) browser signals. When DNT is enabled, we do not collect analytics data from your session." OR "There is currently no industry-standard technology for recognizing DNT signals. We do not currently respond to DNT signals."]

7. Data Retention and Deletion

We retain data only as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required by law.

| Data Type | Retention Period |
|---|---|
| Account Data | [FILL: e.g., "Retained for the duration of your active account plus 30 days after deletion request."] |
| Billing Records | [FILL: e.g., "Retained for 7 years to comply with tax and financial reporting obligations."] |
| Service Data | [FILL: e.g., "Refreshed on each sync cycle. Historical snapshots are retained for 90 days. Upon subscription termination, all Service Data is purged within 30 days."] |
| Server Logs | [FILL: e.g., "Retained for 90 days for security and debugging purposes, then automatically deleted."] |
| Support Tickets | [FILL: e.g., "Retained for 2 years after resolution, then archived or deleted."] |

7.1 Account Deletion

[FILL: e.g., "You may request deletion of your account by contacting us at [email protected]. Upon receiving a verified request, we will delete your Account Data and any associated Service Data within 30 days, except where retention is required by law. We will confirm deletion via email."]

8. Security

We implement administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of your information.

8.1 Technical Measures

  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at Rest: [FILL: e.g., "All data at rest is encrypted using AES-256. API credentials and secrets are stored in Google Cloud Secret Manager with envelope encryption."]
  • Access Controls: [FILL: e.g., "Access to production systems is restricted to authorized personnel via role-based access controls (RBAC), multi-factor authentication (MFA), and audit-logged SSH sessions."]
  • Secret Management: Customer API keys and OAuth tokens are encrypted and managed via a dedicated secret management service. They are never stored in plain text, application logs, or source code.

8.2 Organizational Measures

  • [FILL: e.g., "All employees undergo security awareness training upon hire and annually thereafter."]
  • [FILL: e.g., "We conduct periodic internal security reviews and vulnerability assessments."]
  • [FILL: e.g., "Third-party vendors are evaluated for security posture before engagement."]

8.3 Incident Response

[FILL: e.g., "In the event of a data breach that affects your personal information, we will notify affected individuals and relevant supervisory authorities within 72 hours of becoming aware of the breach, in accordance with applicable law. Notification will include the nature of the breach, data affected, and remedial actions taken."]

8.4 Certifications and Compliance

[FILL: e.g., "We are currently pursuing SOC 2 Type II certification." OR "We maintain SOC 2 Type II compliance. Audit reports are available to customers under NDA upon request." OR remove this section if not applicable yet.]

9. International Data Transfers

Configview is based in the United States. If you access the Website or Services from outside the United States, your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.

For transfers of personal data from the European Economic Area (EEA), United Kingdom (UK), or Switzerland, we rely on:

  • Standard Contractual Clauses (SCCs): As approved by the European Commission, incorporated into our customer agreements and subprocessor contracts.
  • [FILL: e.g., "EU-U.S. Data Privacy Framework: We self-certify under the EU-U.S. Data Privacy Framework." OR remove if not applicable.]

[FILL: e.g., "Copies of our Standard Contractual Clauses are available upon request by contacting [email protected]."]

10. Your Privacy Rights

Depending on your location, you may have certain statutory rights regarding your personal data. We will not discriminate against you for exercising any of these rights.

10.1 Rights Available to All Users

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your personal data, subject to legal retention requirements.
  • Data Portability: Receive your data in a structured, commonly used, machine-readable format (e.g., JSON or CSV).
  • Opt-Out of Marketing: Unsubscribe from promotional emails at any time using the link provided in each email.

10.2 Additional Rights Under GDPR (EEA/UK Residents)

  • Restriction of Processing: Request that we limit how we use your data in certain circumstances.
  • Objection to Processing: Object to processing based on legitimate interests.
  • Withdraw Consent: Where processing is based on consent, withdraw at any time without affecting the lawfulness of prior processing.
  • Lodge a Complaint: File a complaint with your local data protection supervisory authority.

10.3 How to Exercise Your Rights

To submit a privacy request, contact us at [email protected]. We will verify your identity before processing your request and respond within 30 days (or as required by applicable law). If we need additional time, we will notify you of the extension and the reason.

11. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights regarding your personal information.

11.1 Categories of Personal Information

In the preceding 12 months, we have collected the following categories of personal information:

| Category (per Cal. Civ. Code 1798.140) | Collected | Disclosed for Business Purpose | Sold or Shared |
|---|---|---|---|
| Identifiers (name, email, IP address) | Yes | Yes (to service providers) | No |
| Commercial information (billing, subscription history) | Yes | Yes (to payment processor) | No |
| Internet/network activity (log data, usage data) | Yes | [FILL: Yes/No] | No |
| Professional/employment information | [FILL: e.g., "Yes (job title, company name)" or "No"] | No | No |
| Geolocation data | [FILL: e.g., "Approximate, derived from IP address" or "No"] | No | No |

11.2 Your California Rights

  • Right to Know: Request the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: Request deletion of personal information we have collected.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell or share personal information as defined by the CCPA/CPRA.
  • Right to Non-Discrimination: We will not deny you services, charge different prices, or provide a different quality of service for exercising your rights.

To exercise your rights, contact us at [email protected] or submit a request through [FILL: e.g., "our privacy request form at configview.com/privacy-request" OR remove this clause].

12. Children's Privacy

The Website and Services are intended for use by businesses and professionals. We do not knowingly collect personal information from children under the age of 16 (or such lower age as may be applicable in certain jurisdictions). If we become aware that we have inadvertently collected personal information from a child under the applicable age, we will take reasonable steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at [email protected].

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes:

  • We will update the "Effective Date" at the top of this page.
  • For material changes, we will provide notice via email to the address associated with your account and/or by placing a prominent notice on the Website at least 30 days before the changes take effect.
  • Your continued use of the Website or Services after the effective date of the revised policy constitutes your acceptance of the changes.

We encourage you to review this Privacy Policy periodically.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Configview — Privacy Team

Email: [email protected]

General Inquiries: [email protected]

123 Market Street, Suite 400, San Francisco, CA 94102

[FILL: If you have a Data Protection Officer (DPO), add: "Data Protection Officer: [Name], [email]"]

[FILL: For EEA/UK users: "If you are located in the EEA or UK, you have the right to lodge a complaint with your local supervisory authority. A list of supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en"]