Privacy Policy

Last updated: 2026-03-30

1. Introduction

This Privacy Policy explains how System Crew (Switzerland) GmbH (“we”, “us”) processes personal data when you use Cost Clarity (the “Service”) at www.costclarity.com, including the marketing site, authenticated web application, APIs, and related email notifications.

We process personal data in line with applicable data protection laws, including the Swiss Federal Act on Data Protection (“FADP”) and, where applicable, the EU/EEA General Data Protection Regulation (“GDPR”). If provisions conflict, we apply the stricter standard where required by law.

2. Data controller

The controller responsible for processing personal data in connection with the Service is:

System Crew (Switzerland) GmbH
Grabenstrasse 25
6340 Baar, Switzerland
UID: CHE-362.405.991
Email: info@costclarity.com

For privacy-related requests (including rights requests under Section 11), please contact us at the email above and include “Privacy” in the subject line.

3. Scope of processing

The Service helps organizations connect cloud billing and usage sources (initially AWS-first), run retrieval and analysis workflows, generate human-readable interpretations (including AI-assisted summaries), and deliver optional notifications (for example email) according to your routing settings. Processing depends on how you use the Service and which integrations you enable.

4. Categories of personal data

Depending on your use of the Service, we may process:

  • Account and identity data — for example name, email address, authentication identifiers, organization/tenant identifiers, and role information associated with your account (processed via our authentication and database providers).
  • Service usage and technical data — for example device/browser type, IP address, timestamps, diagnostic logs, session identifiers, security signals, and similar metadata needed to operate, secure, and improve the Service.
  • Cloud integration metadata — information required to link your cloud accounts (for example account identifiers, connection status, configuration metadata, and least-privilege role references such as AWS IAM role ARNs) as described in our product documentation.
  • Billing and usage signals — data retrieved from connected cloud providers for analysis (for example cost and usage metrics), stored and processed to provide reports and interpretations in the Service.
  • Interpretation outputs — structured artifacts and AI-generated narratives derived from retrieved signals, stored for display in the product and (where enabled) for downstream notification delivery.
  • Notification data — destination addresses (for example email), routing preferences, delivery logs, and message metadata needed to send service-related notifications you configure.
  • Communications — content you send to us (for example support requests) and related correspondence metadata.

Generative AI. Summaries, interpretations, email digests, alerts, and similar outputs may be produced in whole or in part using generative artificial intelligence models operated within our service architecture (including inference and related processing through sub-processors such as cloud providers listed in this Policy). Such outputs are derived from billing, usage, and configuration data you connect to the Service. They are provided to help you understand patterns and changes; they are not a substitute for your own review of authoritative records in your cloud providers’ consoles, invoices, or contracts. The Service is not intended to perform solely automated decision-making that produces legal or similarly significant effects concerning individuals within the meaning of Article 22 GDPR. If you rely on any AI-generated content for operational or financial decisions, you should verify it against source data.

We do not intend to process special categories of personal data (for example health data) through the Service. Please do not submit such information unless strictly necessary and lawful.

5. Purposes and legal bases

We process personal data for the following purposes:

  • Providing the Service — account provisioning, authentication, tenancy isolation, dashboards, integrations, retrieval, analysis, storage, and notifications (contract performance; Art. 6(1)(b) GDPR / equivalent Swiss basis).
  • Security and abuse prevention — monitoring, fraud prevention, audit trails, and protecting the integrity of customer data (legitimate interests; Art. 6(1)(f) GDPR / Art. 6(1) FADP, balanced against your rights).
  • Product improvement — aggregated or de-identified analytics where feasible (legitimate interests; where required, consent).
  • Compliance — meeting legal obligations, responding to lawful requests, and enforcing our terms (legal obligation / legitimate interests as applicable).
  • Marketing communications — only where permitted by law and, where required, based on consent or soft opt-in rules applicable to your jurisdiction.

6. Cookies and similar technologies

We use cookies and similar technologies that are necessary to operate the Service (for example authentication/session continuity, security, load balancing, and theme preferences where implemented). Where non-essential cookies are used, we will seek consent as required by applicable law.

7. Recipients and sub-processors

We use carefully selected service providers (“sub-processors”) to host and operate the Service. Depending on configuration, this may include:

  • Supabase — authentication and managed Postgres storage, with tenant isolation enforced via row-level security and server-side access patterns as described in our security documentation.
  • Amazon Web Services (AWS) — cloud data retrieval (for example billing/usage APIs), secure processing, and AI inference (for example model services used to generate interpretations), in regions and configurations consistent with our architecture.
  • Email delivery providers — for example to send transactional or configured notifications (such as digest emails).
  • Hosting and infrastructure — deployment providers used to run the web application and APIs (for example serverless/edge hosting).

Sub-processors process data only on documented instructions and implement appropriate technical and organizational measures. A current list may be provided upon request for enterprise customers.

8. International transfers

Your data may be processed in Switzerland, the EEA, the United Kingdom, and other countries where our providers operate. Where personal data is transferred from the EEA, UK, or Switzerland to countries without an adequacy decision, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) and supplementary measures where required.

9. Retention

We retain personal data only as long as necessary for the purposes described in this Policy, unless longer retention is required by law. Retention periods depend on account status, integration configuration, security needs, and backup/disaster recovery practices. Upon account deletion or expiry, we will delete or anonymize data within a reasonable period, subject to legal retention obligations.

10. Security

We implement technical and organizational measures appropriate to the risk, including access controls, encryption in transit (HTTPS/TLS), least-privilege service roles for cloud connections, separation of privileged server operations from direct client access, and database policies designed to enforce tenant isolation. No method of transmission or storage is 100% secure; you are responsible for safeguarding your credentials and access to your account.

11. Your rights

Depending on your location, you may have the right to access, rectify, or erase your personal data, to restrict or object to its processing, to data portability, and to withdraw consent (where processing is consent-based). You may also lodge a complaint with a supervisory authority. In Switzerland, you may contact the Federal Data Protection and Information Commissioner (FDPIC). In the EEA, you may contact your local supervisory authority.

To exercise rights, email info@costclarity.com. We may need to verify your identity before fulfilling requests.

12. Children

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have collected such data, contact us and we will take appropriate steps to delete it.

13. Changes to this Policy

We may update this Privacy Policy to reflect legal, technical, or operational changes. We will publish the updated version on this page and adjust the “Last updated” date. Where required by law, we will notify you separately (for example by email or in-app notice).

14. Contact

Questions about this Privacy Policy: info@costclarity.com