Legal

Privacy Policy

Last updated: 19 April 2026

Contents

1. Who we are

Cirrova is a cloud cost management platform for Microsoft Azure. This policy explains how we collect, use, and protect your personal data when you use our website (cirrova.io) or our application (app.cirrova.io).

References to "Cirrova", "we", "us", or "our" in this policy refer to Cirrova.

We are committed to compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

2. What we collect

We collect only what is necessary to operate the service:

  • Account data — your name, email address, and the organisation you belong to.
  • Authentication data — tokens issued during login via Microsoft SSO or email/password. We do not store your Microsoft credentials.
  • Usage data — page visits, feature interactions, and session metadata, used to improve the product.
  • Support data — information you provide when contacting us (email content, attachments).
  • Azure cost data — cost and usage data retrieved from your Azure subscriptions via the Azure Cost Management API, on your behalf, to power the platform's features.

We do not collect payment card data directly. Payments are handled by our payment processor.

3. How we use your data

We use your data to:

  • Provide and operate the Cirrova platform
  • Authenticate you and manage your access
  • Send transactional notifications (anomaly alerts, budget notifications, scheduled reports) that you have configured
  • Respond to support requests
  • Improve and develop the product
  • Meet legal obligations where applicable

We do not use your data for advertising, and we do not profile you for marketing purposes.

4. Data storage & security

By default, all Cirrova data is stored in Azure data centres located in Australia.

If you have entered into a custom hosting arrangement with us, your organisational and tenant data — including Azure cost data retrieved on your behalf — will be stored in the region or regions specified in that arrangement. Some account data (such as authentication and billing records) will continue to be stored in Australia regardless of your hosting arrangement.

We use industry-standard security controls including encryption at rest and in transit, role-based access control, and regular security reviews. Access to production data is restricted to authorised personnel only.

5. We don't sell your data

We do not sell, rent, or share your personal data with third parties for commercial purposes.

We share data only where necessary to operate the service — for example, with our infrastructure provider (Microsoft Azure) and transactional email provider. These providers are contractually bound to process data only on our instructions.

6. No AI

Cirrova does not use AI in the processing or interpretation of your data. Your organisation's data is not interpreted by, or used for the training of, any AI models.

All insights, anomaly detection, and analysis within Cirrova are carried out by purely algorithmic processes. There is no AI or machine learning involved in how your data is processed — by us or any third party.

7. Analytics

We use Google Analytics (GA4) on our marketing website to understand how visitors find and use the site. This collects anonymised usage data including pages visited, referral sources, and approximate geographic location.

We do not use analytics tools inside the application itself beyond our own internal usage logging.

8. Bot protection

We use Cloudflare Turnstile on certain forms across our website to distinguish human visitors from automated bots. Turnstile may collect signals including IP address, browser characteristics, and interaction patterns to make this determination. No persistent cookies are set and no data is used for advertising.

This processing is carried out by Cloudflare, Inc. and is subject to Cloudflare's Privacy Policy. The legal basis for this processing is our legitimate interest in protecting the service from abuse.

9. Your rights

Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Delete your data (subject to legal retention obligations)
  • Object to or restrict certain processing
  • Portability — receive your data in a machine-readable format

To exercise any of these rights, email us at hello@cirrova.io. We will respond within 30 days.

10. Data retention

We retain your data for as long as your account is active, and for a reasonable period afterwards to meet legal and support obligations. When you close your account, we will delete your personal data within 90 days, except where retention is required by law.

Azure cost data retrieved on your behalf is retained for the duration of your subscription. You may request earlier deletion at any time.

11. Contact

If you have any questions about this policy, or wish to exercise your rights, contact us at:

Cirrova
hello@cirrova.io

We may update this policy from time to time. Changes will be posted on this page with an updated date.