Privacy Policy
Last updated: March 17, 2026
1. Information we collect
When you create a Flareo account, we collect your name, email address, and organization name. When you connect cloud accounts, we collect the credentials you provide (AWS access keys, GCP service account keys, Azure client secrets, DigitalOcean API tokens) and store them encrypted at rest using AES-256.
We also collect usage data such as pages visited, features used, and session duration to improve the product.
2. How we use your information
- To provide and operate the Flareo platform
- To sync cost data from your connected cloud providers
- To send budget alerts and anomaly notifications
- To generate reports and analytics you request
- To improve and develop new features
- To communicate product updates and billing information
3. Data storage and security
Your data is stored on Supabase-managed PostgreSQL databases hosted in the AWS ap-southeast-1 region. Cloud provider credentials are encrypted with AES-256-GCM authenticated encryption before storage — the algorithm provides both confidentiality and integrity verification, protecting against tampering. Encryption keys are never stored alongside the data.
We use TLS 1.3 for all data in transit. Session tokens are stored exclusively in httpOnly, Secure, SameSite cookies — they are never accessible to JavaScript, eliminating the risk of token theft via XSS. Access tokens expire after 1 hour and refresh tokens after 7 days.
All authentication attempts are logged. Accounts are locked after 10 consecutive failed login attempts. Passwords must meet a minimum complexity requirement (uppercase, lowercase, number, and special character). All sessions can be viewed and revoked from your account settings.
4. Data sharing
We do not sell, rent, or share your personal data with third parties for marketing purposes. We may share data with:
- Supabase — database hosting
- Upstash — Redis caching and job queues
- SendGrid — transactional email delivery
- Razorpay — payment processing (billing data only)
Each sub-processor is bound by data processing agreements consistent with applicable privacy laws.
5. Data retention
We retain your account data for as long as your account is active. Cost records and analytics data are retained based on your plan tier (30 days on Starter, 12 months on Professional, unlimited on Enterprise). You may request deletion of your account and all associated data at any time.
6. Your rights
You have the right to access, correct, export, or delete your personal data. To exercise any of these rights, contact us at privacy@flareo.in. We will respond within 30 days.
7. Cookies
We use only essential cookies necessary to maintain your session. We do not use tracking or advertising cookies. You can disable cookies in your browser, but this will prevent you from staying logged in.
8. Changes to this policy
We may update this policy from time to time. We will notify you by email of any material changes at least 14 days before they take effect.
9. Contact
Questions about this policy? Email us at privacy@flareo.in.