NEW🎉 Cloudshot Added to FOCUS Tooling Landscape — See how we're transforming FinOpsRead More
Cloudshot logo

Privacy Notice

Version 1.0  ·  Last updated: 15 May 2026  ·  Effective: 15 May 2026

Cloudshot publishes this notice in English, Hindi, and Marathi. English is the authoritative version; in case of any conflict between translations, the English text prevails.

Need this notice in another language? It is also available in any language listed in the Eighth Schedule to the Constitution of India on request — email dpo@cloudshot.io and we will provide a professionally translated copy within 14 working days.

1. About This Notice

This is the standalone Privacy Notice issued by Cloudshot.io, a product operated by Bereej Technologies Pvt. Ltd. ("Cloudshot", "we", "us", "our"), under Rule 3 of the Digital Personal Data Protection Rules, 2025, made under India's Digital Personal Data Protection Act, 2023 (the "DPDP Act").

It is presented to you, the Data Principal, before or at the time we collect any personal data from you. It is provided as a separate document - it is not embedded in our Terms of Service or any other agreement - so that you can read and review it on its own merits before deciding whether to consent.

This notice is written in plain language. If anything is unclear, please contact our Grievance Officer at dpo@cloudshot.io.

2. Who We Are (Data Fiduciary)

Bereej Technologies Pvt. Ltd.

Operating the Cloudshot platform at cloudshot.io

Email: hi@cloudshot.io

Under the DPDP Act, Cloudshot is the Data Fiduciary - the entity that decides why and how your personal data is processed.

3. What Personal Data We Collect & Why

The table below lists every category of personal data Cloudshot collects, the specific purpose for which it is used, and the legal basis under the DPDP Act on which we process it.

CategoryData ItemsPurposeLegal Basis
Account InformationName, email address, phone number, organisation name, billing address.To create and manage your Cloudshot account, authenticate you, send transactional emails (login alerts, billing receipts), and provide customer support.Performance of contract; your consent obtained at signup.
Payment InformationCard metadata (last 4 digits, brand, expiry), billing GSTIN, invoice history. Full card numbers are never stored by Cloudshot.To process your subscription payments, generate GST-compliant invoices, and handle refunds. Full card data is handled solely by our PCI-DSS compliant payment processor.Performance of contract; legal obligation (tax records).
Cloud API CredentialsRead-only IAM role ARNs, service principal IDs, OAuth tokens, or API keys you provide for AWS, Azure, GCP, OCI, and other supported providers.Used solely to fetch infrastructure metadata and cost data on your behalf for visualization and optimization. We never use these credentials to modify, create, or delete resources unless you explicitly trigger such an action from within the platform.Your explicit consent at the time of cloud account connection.
Infrastructure MetadataResource IDs, instance types, tags, regions, network topology, security group rules, cost line items, and other read-only metadata fetched from your cloud provider.To render cloud architecture diagrams, detect cost-optimization opportunities, surface security misconfigurations, and produce compliance reports inside your Cloudshot workspace.Your consent and performance of contract.
Usage TelemetryPages visited within the app, features used, click events, error logs, browser type, IP address, and approximate location.To improve product reliability and user experience, debug issues, and prioritise the product roadmap. Aggregated and anonymised wherever possible.Your consent (analytics cookies) and our legitimate interest in maintaining a secure, reliable service.
Support CommunicationsChat transcripts, support tickets, screen-recordings you voluntarily share, attachments, and email correspondence.To respond to your queries, resolve issues, and maintain a record of support history for continuity.Your consent; performance of contract.

Special note on cloud credentials: Your cloud API credentials are used solely to fetch infrastructure data on your behalf. They are never used for any other purpose, never shared with third parties, never used for training machine-learning models, and never used to make changes to your infrastructure unless you explicitly trigger an action from within the platform.

4. How We Use Your Data

We process your personal data only for the specific purposes listed in Section 3 above. In particular, we do not:

  • Sell, rent, or lease your personal data to anyone.
  • Use your data for advertising, profiling, or behavioural targeting.
  • Use your cloud infrastructure data to train AI or ML models.
  • Share your data with any party not listed in Section 6 of this notice.

5. Your Consent & How to Withdraw It

Where we rely on your consent to process your personal data, that consent is requested separately and unambiguously - typically at signup, when you connect a cloud account, or when you opt in to a specific feature.

You can withdraw your consent at any time, just as easily as you gave it. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

From within the Cloudshot app

Visit Account Settings  →  Privacy & Consent. You can toggle off analytics, marketing communications, and individual cloud-account connections. You can disconnect any cloud account with a single click; all credentials are revoked and purged immediately.

By email

Email dpo@cloudshot.io stating which consent you wish to withdraw. We will action your request within 7 working days and confirm by email.

Full account deletion

Withdrawing all consent is equivalent to closing your Cloudshot account. On request, we will delete your account and all associated personal data within 30 days, subject to legal retention requirements (e.g., tax invoices kept for 7 years under Indian law).

6. Who We Share Your Data With (Data Processors)

We share limited personal data with the following categories of trusted service providers, each bound by a written data-processing agreement that requires them to handle your data only for the purposes we specify:

  • Cloud infrastructure providers - Microsoft Azure (North Europe region, Dublin, Ireland) for hosting the Cloudshot platform, databases, and storage.
  • Payment processors - Stripe, for processing your subscription payments (PCI-DSS compliant).
  • Analytics providers - Google Analytics, only with your consent.
  • Email delivery providers - for transactional email (login alerts, invoices) and, with your separate consent, product updates.

A current list of named sub-processors is maintained at cloudshot.io/sub-processors and is updated whenever sub-processors change.

7. Cross-Border Data Transfers

Your personal data is primarily stored and processed in the Microsoft Azure North Europe region (Dublin, Republic of Ireland, European Union). This means that, by default, your personal data is processed outside India.

Additional sub-processors process limited data in the following jurisdictions:

  • European Union (Ireland) - Microsoft Azure (primary hosting, databases, and application infrastructure).
  • United States - Stripe (payment processing) and Google Analytics (only when you consent to analytics cookies).

Transfers are made only to countries that are not restricted by the Central Government under Section 16 of the DPDP Act. Where transfers occur, we ensure equivalent contractual protections (standard contractual clauses or equivalent safeguards) are in place. If the Central Government issues a notification restricting any of these countries, we will update this notice and migrate the data accordingly.

8. Your Rights as a Data Principal

Under the DPDP Act, you have the following rights. You can exercise any of them by contacting our Grievance Officer (see Section 9). We will respond within 7 working days and resolve the request within 30 days.

Right to Access

Request a copy of all personal data Cloudshot holds about you, in a structured, machine-readable format.

Right to Correction

Ask us to correct any inaccurate or incomplete personal data we hold about you.

Right to Erasure

Request deletion of your personal data when it is no longer necessary for the purposes it was collected for, subject to legal retention requirements.

Right to Withdraw Consent

Withdraw any consent you have given, at any time, as easily as it was given. Withdrawal does not affect the lawfulness of processing before withdrawal.

Right to Nominate

Nominate another individual to exercise these rights on your behalf in the event of your death or incapacity.

Right to Grievance Redressal

Raise a complaint with our Grievance Officer if you believe your rights have been violated. If unresolved, you may escalate to the Data Protection Board of India.

9. Grievance Officer

If you have any questions, concerns, or complaints about how Cloudshot handles your personal data, or if you wish to exercise any of your rights under Section 8, please contact our Grievance Officer:

Grievance Officer

Cloudshot.io · Bereej Technologies Pvt. Ltd.

Email: dpo@cloudshot.io

Response time: within 7 working days of receipt.

If you are not satisfied with the resolution provided by our Grievance Officer, you may escalate your complaint to the Data Protection Board of India, the statutory authority established under the DPDP Act.

10. How Long We Keep Your Data

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:

  • Account & cloud metadata: for the duration of your active subscription, plus 30 days after closure (to allow for re-activation), then permanently deleted.
  • Cloud API credentials: immediately purged on disconnection of the cloud account or account closure, whichever is earlier.
  • Invoices & tax records: retained for 7 years as required by Indian tax law.
  • Support transcripts: retained for 2 years for service improvement, then anonymised.
  • Analytics & telemetry: retained in aggregated, anonymised form indefinitely; raw identifiable telemetry is purged after 14 months.

11. Children's Data

Cloudshot is a B2B SaaS platform intended for use by IT, DevOps, and infrastructure teams. We do not knowingly collect personal data from individuals under the age of 18. If we become aware that we have inadvertently done so, we will delete that data without delay.

12. How We Protect Your Data

We implement reasonable security safeguards in line with industry best practice, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Role-based access controls and least-privilege principles for all employee access.
  • Multi-factor authentication on administrative accounts.
  • Regular vulnerability assessments and third-party security audits.
  • An incident-response plan with a Data Protection Board notification window of 72 hours from confirmation of a personal data breach.

13. Updates to This Notice

This notice is version-controlled. When we make changes:

  • The version number and "Last updated" date at the top are revised.
  • The previous version is archived and remains accessible on request.
  • Where changes are material (for example, a new category of data, a new purpose, or a new sub-processor in a new jurisdiction), we notify all existing users by email and in-app banner at least 14 days before the change takes effect.
  • Where required by law, we will request fresh consent before relying on the updated terms.
VersionDateSummary of Changes
1.015 May 2026Initial publication of standalone Privacy Notice under DPDP Rule 3.