Legal Document
Privacy Policy
This Privacy Policy describes how SAMSOFT AI TECHNOLOGIES PRIVATE LIMITED collects, uses, and protects your information when you use FinOpsAI — our GCP cost intelligence platform.
DPDP Act 2023
GDPR Ready
RBI IT Framework
asia-south1
Key Summary: FinOpsAI is a B2B enterprise tool. We process your GCP billing data solely to provide cost intelligence services. All billing data stays in asia-south1 (Mumbai) and is never used to train AI models. We never sell your data.
01Information We Collect
When you use FinOpsAI, we collect the following categories of information:
- Account Information: Email address, name, and authentication credentials via Google Firebase Authentication
- GCP Credentials: Service account JSON keys you upload to connect your GCP project — encrypted at rest in Firestore
- Billing Data: GCP billing export data from your BigQuery datasets — queried in real-time, never copied to our servers
- Usage Data: Agent analysis requests, action cards created, and Fix Now approvals — stored for audit trail
- Technical Data: IP address, browser type, and access logs for security monitoring
02How We Use Your Information
We use the information we collect exclusively to provide and improve the FinOpsAI service:
- Detecting GCP cost anomalies in your billing data using statistical analysis
- Running AI analysis via Google Vertex AI (Gemini 2.5 Flash, asia-south1) on anonymised cost summaries
- Generating remediation recommendations and action cards
- Maintaining audit trails for regulatory compliance (RBI IT Framework)
- Sending email notifications for anomaly alerts and Fix Now confirmations
- Improving our anomaly detection algorithms using aggregated, anonymised data
We never: sell your data, use your billing data to train AI models, share your data with third parties for marketing, or process your data outside India without explicit consent.
03Data Residency and Sovereignty
Sovereign-First Architecture: All customer data including GCP credentials, billing summaries, action cards, and audit logs are stored exclusively in Google Cloud asia-south1 (Mumbai, India) in compliance with the Digital Personal Data Protection Act 2023.
- Firestore database: asia-south1 (Mumbai)
- Cloud Run API: asia-south1 (Mumbai)
- BigQuery queries: executed in your project's region
- AI inference: Google Vertex AI (Gemini 2.5 Flash) in asia-south1 (Mumbai) — prompts processed in-region, not stored
- Firebase Hosting: Global CDN for static assets only (no personal data)
04AI and Machine Learning
FinOpsAI uses the following AI services to provide cost intelligence:
- Gemini 2.5 Flash — Brain (Google Vertex AI): Analyses compressed, anonymised cost summaries in asia-south1 (Mumbai). Prompts are processed in-region and not stored. No training on your data.
- Gemini 2.5 Flash — Scout (Google Vertex AI): Filters anomaly noise before deeper analysis by the Brain. Stateless processing — no data retained.
- Human-in-the-Loop: No AI system executes remediation actions automatically. All Fix Now actions require explicit human approval.
05Data Security
We implement enterprise-grade security controls to protect your data:
- GCP service account credentials encrypted at rest in Firestore
- All API secrets stored in GCP Secret Manager — never hardcoded
- Zero-Trust IAM — service accounts with minimal required permissions
- Firebase JWT authentication for all API endpoints
- HTTPS/TLS encryption for all data in transit
- GitHub Actions CI/CD with encrypted secrets
- Complete audit trail of all agent actions and human approvals
06Data Retention
- Billing cache: Refreshed every 2 hours — not permanently stored
- Action cards: Retained for 12 months for audit trail
- Audit logs: Retained for 7 years (RBI IT Framework requirement)
- Account data: Retained until account deletion request
- GCP credentials: Deleted immediately upon account deletion request
07Your Rights (DPDP Act 2023)
Under the Digital Personal Data Protection Act 2023, you have the following rights:
- Right to Access: Request a copy of all personal data we hold about you
- Right to Correction: Request correction of inaccurate personal data
- Right to Erasure: Request deletion of your personal data
- Right to Grievance: File a complaint with our Data Protection Officer
- Right to Nominate: Nominate a person to exercise rights on your behalf
To exercise any of these rights, email us at privacy@samsofttechnologies.com
08Third-Party Services
FinOpsAI integrates with the following third-party services:
- Google Firebase: Authentication and Firestore database — Google Privacy Policy applies
- Google Cloud: Cloud Run, BigQuery, Secret Manager — Google Cloud DPA applies
- Google Cloud (Vertex AI): Gemini 2.5 Flash in asia-south1 — Google Cloud Data Processing Addendum applies
- Stripe: Payment processing — Stripe Privacy Policy applies
09Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email at least 30 days before the changes take effect. Continued use of FinOpsAI after the effective date constitutes acceptance of the updated policy.