Privacy Policy

Last updated: 20 May 2026

Effective date: 20 May 2026

Who we are

ConvOps Technologies Pvt Ltd
A1207, R16, Life Republic Township, Pune, Maharashtra, India — 400033

ConvOps is an AWS operational intelligence product that investigates CloudWatch alarms, identifies root causes, and delivers diagnosis summaries to engineering teams via WhatsApp or Slack. The service also provides a free one-time CloudWatch observability audit for AWS accounts.

Data controller contact: [email protected]

What data we collect and why

Account data

What: Email address (collected at audit sign-up and portal registration). Name (collected during portal sign-up via Clerk). WhatsApp phone number (collected during account onboarding if you choose WhatsApp delivery). Slack user ID and team ID (collected during Slack OAuth if you choose Slack delivery).

Why: Email is used to send you audit results and, for portal accounts, to authenticate you via Clerk. Phone number and Slack ID are used solely to route alert notifications to you.

Legal basis: Contract — this data is necessary to provide the service you signed up for.

AWS connection metadata

What: AWS account ID, IAM role ARN, SNS topic ARN, AWS region, environment label (e.g. “production”). Optionally: GitHub PAT secret ARN (if you opt into deploy correlation — the ARN is stored, not the token).

Why: Required to assume the cross-account IAM role in order to read CloudWatch metrics and run incident diagnosis.

Legal basis: Contract.

Diagnostic and usage data

What: Counts of incidents investigated, diagnoses delivered, and actions taken (stored in a per-workspace usage table). Action log entries recording who confirmed or rejected a remediation and when.

Why: Usage metering for plan limits. Action log provides an audit trail of automated remediations.

Legal basis: Contract / Legitimate interests (operational audit trail).

Server access logs

What: IP addresses and request metadata captured in AWS API Gateway and Lambda invocation logs when you interact with ConvOps API endpoints.

Why: Security incident investigation and abuse prevention only. IP addresses are not linked to user accounts or used for analytics.

Retention: 30 days in CloudWatch Logs, then deleted automatically. ConvOps does not export or archive access log data beyond this period.

Legal basis: Legitimate interests (security operations).

Analytics data

What: Page URLs visited on convops.io and app.convops.io, link clicks. On the portal, your Clerk user ID, email, and name are associated with analytics events. All analytics data is sent to PostHog, hosted in the EU.

Why: Understanding how the product is used so we can improve it.

Legal basis: Consent — you can opt out via the cookie banner on convops.io, or by calling posthog.opt_out_capturing() in your browser console.

Service data we process on your behalf

When ConvOps investigates an alarm, it reads data from your AWS account using the read-only IAM role you create. This includes CloudWatch metric values, CloudTrail events, ECS/RDS/EC2 resource state, GuardDuty and Security Hub findings, and CloudWatch Logs errors. This data flows through ConvOps systems only for the purpose of generating a diagnosis summary for your team.

ConvOps is a data processor for this operational data — you are the data controller. ConvOps processes it only to provide the incident diagnosis service and does not use it for any other purpose. Retention periods for each data type are listed in the retention section below.

The raw operational data is passed to the Anthropic API (see who we share data with) to generate the diagnosis. No personally identifiable information about your end users is expected to be present in CloudWatch metrics or CloudTrail events; however, if your infrastructure metadata happens to contain personal data (e.g. a user ID in a dimension name), that data would be processed as part of the diagnostic flow.

What we do not do

  • We do not sell, licence, or share your data with third parties for advertising or marketing purposes.
  • We do not use your AWS data to train machine learning models. Diagnostic summaries are generated by the Anthropic API and not used to train Anthropic models under their API usage terms.
  • We do not use third-party analytics scripts on convops.io beyond PostHog (EU-hosted). There are no Meta Pixel, Google Ads, or LinkedIn Insight Tag scripts on the site.
  • We do not store AWS credentials. Authentication to your AWS account happens via STS AssumeRole — ConvOps stores only the Role ARN, not any access keys.
  • We do not use cross-site tracking cookies or device fingerprinting.
  • Aggregate, anonymised data (e.g. median resolution times across all workspaces) may be used internally to improve the product.

Who we share data with

ConvOps uses the following sub-processors. We do not share data with anyone else.

| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| PostHog (eu.i.posthog.com) | Product analytics | Page URLs visited, link clicks. On the portal: Clerk user ID, email address, full name. | EU (Frankfurt) |
| Clerk (clerk.com) | User authentication for app.convops.io | Email address, name, organisation membership, encrypted session tokens. | US (Clerk-managed) |
| Resend (resend.com) | Transactional email delivery | Recipient email address, audit report content. | US |
| Meta WhatsApp Business API (graph.facebook.com) | Delivering alert notifications via WhatsApp | Recipient WhatsApp phone number, alert summary text. | Meta infrastructure |
| Anthropic API (api.anthropic.com) | Generating AI-powered incident diagnosis | CloudWatch metric values, CloudTrail events, security findings, and resource tags from your AWS account — all operational data, no personal data beyond what appears in your AWS infrastructure metadata. | US |
| Slack (hooks.slack.com) | Delivering alert notifications to Slack (optional) | Alert summary text sent to the customer-configured Slack channel or webhook. Only used if you opt into Slack delivery. | Customer-configured |
| Amazon Web Services | Infrastructure (compute, databases, storage, messaging) | All customer and operational data is stored and processed on AWS. Relevant services: DynamoDB, Lambda, S3, SNS, SQS, Secrets Manager, CloudWatch, STS. Primary region: eu-central-1 (Frankfurt). | EU-central-1 (Frankfurt) primary |

How long we keep your data

Retention periods are enforced automatically using DynamoDB TTL. When a TTL expires, DynamoDB deletes the record automatically — no manual deletion process is required.

| Data type | Retention period | Source |
|---|---|---|
| Raw CloudWatch metric datapoints | 30 days | metric_collector_lambda.py: METRIC_HISTORY_TTL |
| CloudTrail events and infrastructure state events | 7 days | metric_collector_lambda.py: EVENTS_TTL |
| Security findings (GuardDuty, Security Hub, Inspector) | 7 days | Security page / metric_collector_lambda.py |
| Anomaly detection records | 90 days | anomaly_detection_lambda.py: ANOMALY_TTL_SECS |
| AI-generated diagnosis summaries | 90 days | summarization_lambda.py: ttl = 90 × 24 × 3600 |
| Action log (remediation audit trail) | 90 days | customer_registry.py: log_action() TTL |
| Public audit scan results | 30 days | public-audit-db.ts: expires_at |
| Registration tokens | 24 hours | registration.py: ttl_ts = now + 86400 |
| ML anomaly detection baselines | 35 days | baseline_builder_lambda.py: BASELINE_TTL_DAYS |
| Server access logs (IP addresses) | 30 days | CloudWatch Logs retention policy |
| Account metadata (workspace, users, alert routes) | Lifetime of account; deleted within 7 days of closure | Security page |

International transfers

ConvOps's primary infrastructure runs in AWS eu-central-1 (Frankfurt, Germany). Your AWS operational data is stored and processed in the EU.

Some data is transferred outside the EU or EEA to the following providers:

  • Clerk (authentication) — US-based. Clerk processes user email, name, and session tokens.
  • Resend (email) — US-based. Processes recipient email and audit report content.
  • Anthropic API — US-based. Receives operational data from your AWS account for diagnosis generation.
  • Meta WhatsApp Business API — Meta infrastructure. Receives recipient phone number and alert text.

Transfers to the US providers listed above (Clerk, Resend, Anthropic, Meta) are made on the basis of Standard Contractual Clauses (SCCs) incorporated into those providers' data processing agreements. AWS data processing is governed by the AWS Customer Agreement and the AWS GDPR Data Processing Addendum, which can be accepted at AWS Console → Account → Agreements → AWS GDPR DPA.

Your rights

If you are located in the EU or UK, you have the following rights under the GDPR and UK GDPR:

  • Right of access — to know what personal data we hold about you.
  • Right to rectification — to correct inaccurate personal data.
  • Right to erasure — to request deletion of your personal data, subject to legal retention obligations.
  • Right to restrict processing — to ask us to limit how we use your data in certain circumstances.
  • Right to data portability — to receive your personal data in a structured, machine-readable format.
  • Right to object — to object to processing based on legitimate interests.
  • Right to withdraw consent — where processing is based on consent (analytics), you can withdraw at any time via the cookie banner.

To exercise any of these rights, email [email protected]. We will respond within 30 days (GDPR Article 12). If you are unhappy with our response, you have the right to lodge a complaint with your local data protection authority.

Security

ConvOps connects to your AWS account through a read-only cross-account IAM role — no AWS credentials are stored. All data is encrypted at rest (AES-256, AWS KMS-managed keys) and in transit (TLS 1.3). See the full security page for technical detail on IAM permissions, credential handling, and incident response.

Cookies

ConvOps uses analytics cookies via PostHog (EU-hosted) on the marketing site, and authentication cookies via Clerk on the portal. See the Cookie Policy for a full list of every cookie set.

Children

ConvOps is designed for software engineers and DevOps practitioners managing AWS infrastructure. We do not knowingly collect personal data from anyone under the age of 16. If you believe a minor has provided us with personal data, please email [email protected] and we will delete it promptly.

Changes to this policy

We will update this page when our data practices change. The “Last updated” date at the top reflects the most recent revision. For material changes that affect how we use personal data, we will notify you by email using the address on your account before the changes take effect.

Contact

For any privacy-related questions or to exercise your rights:

[email protected]

For security vulnerabilities: [email protected]