Privacy Policy

Last updated: May 7, 2026

1. Introduction

CARTIE AI ("we," "our," or "us") provides a cloud financial intelligence platform that helps engineering and finance teams understand, attribute and reduce their cloud spend. This Privacy Policy describes — in plain language — what information we collect, why we collect it, who we share it with and the rights you have over it. If anything here is unclear, please email us at hello@cartieai.com and we'll happily explain.

This Policy applies to: (a) the authenticated CARTIE AI application, (b) the public marketing site at cartieai.com, and (c) free public tools we publish — including the PR-Time Cost Prediction calculator, the Trust page security checks and the cornerstone-blog lead-magnet downloads.

2. Information We Collect

2.1 Account information

  • Name and email address
  • Company name and role (optional)
  • Password — stored only as a one-way bcrypt hash; we cannot read it back
  • Multi-factor authentication tokens, if you enable MFA
  • Billing information — collected and processed by Stripe; we never see or store full card numbers

2.2 Cloud cost data you connect

When you connect a cloud account (AWS, Azure, GCP, Snowflake, Databricks, DigitalOcean, MongoDB Atlas) we ingest your billing and usage data through read-only API connections. We use the minimum permissions required to read costs and never modify your infrastructure.

  • Resource-level usage and cost line items
  • Service configurations and tags (used for cost allocation)
  • Billing reports, invoices and committed-spend records

Stateless cloud credentials: Cloud-provider keys you paste into a one-shot audit tool are held in memory only for the duration of the scan and immediately discarded — never written to our database, disk or logs. Persistent integrations (e.g. AWS Cost & Usage Reports, Snowflake) are stored encrypted at rest with strict tenant isolation.

2.3 Stripe data (Customer P&L feature)

If you enable our Cost-per-Customer P&L feature, you authorise CARTIE AI to read — via your Stripe restricted key — the following from your Stripe account:

  • Customer list (id, email, name, metadata)
  • Subscriptions (active and recently cancelled)
  • Invoices for the trailing 90 days

We never request write permissions and we never see card numbers. Your Stripe key is stored encrypted at rest and you can revoke it from your Stripe dashboard at any time. Each tenant's Stripe data lives in a physically separated Mongo collection scoped to their organisation id.

2.4 Data you submit to free public tools

  • PR-Time Cost Predictor: the Terraform plan JSON you paste is processed in memory to compute a cost delta and is not persisted. Plans should not contain credentials — Terraform plans are configuration only.
  • Trust page checks: the live security probes run server-side against our own infrastructure and do not collect data about you.
  • Lead-magnet downloads / Vendor Due-Diligence pack: if you provide an email to download a checklist or DD pack, we store your email, name, company, magnet slug, IP address, user-agent and referrer for sales follow-up. See Section 6 (Retention) and Section 7 (Your Rights).
  • Design-partner sign-ups: the email and company you submit on the PR-Cost page are stored in the same lead-capture system above and used solely to schedule a co-build conversation.

2.5 Usage and device information

  • Pages visited, features used, click events on our marketing pages
  • IP address, browser, device type, time-zone (used for security and abuse-prevention)
  • Email-engagement signals — when our founder follow-up emails contain a tracking pixel, we record opens and approximate location to prioritise replies. You can request pixel-free emails at any time by replying with "no tracking please".

3. How We Use Your Information

  • Operate, maintain and secure our services
  • Generate cost insights, anomaly alerts and AI-assisted recommendations
  • Send transactional emails (login codes, invoices, security alerts) — these cannot be opted out of while your account is active
  • Send occasional founder-led product updates — you can opt out from any email's footer
  • Process payments and prevent fraud
  • Improve our pricing models using aggregated, de-identified resource-type signals (e.g. "X% of plans include a NAT gateway"). We never train AI models on your raw cost data, customer lists or Stripe payloads.
  • Respond to support requests and comply with legal obligations

4. Subprocessors

We rely on a small, vetted set of third-party vendors to operate the service (for payment processing, transactional email, hosting, optional Slack alerting and AI-assisted features). For procurement and InfoSec reviewers we publish the current list — including each vendor's role and the categories of data shared — at cartieai.com/subprocessors.

Access to that page requires a quick email confirmation so we can notify reviewers when the list changes. We will publish updates at least 14 days before adding a new subprocessor that handles personal data.

5. Data Security

We follow industry-standard security practices that map to SOC 2 controls:

  • AES-256 encryption at rest, TLS 1.3 in transit
  • Bcrypt password hashing, JWT-based session tokens, optional TOTP & email MFA
  • Strict per-tenant data isolation enforced at the database-collection level (verified by automated tests on every release)
  • Audit logging of every privileged action, retained for 12 months
  • Role-based access control with least-privilege defaults
  • Quarterly internal security audits and dependency scans

Honest framing on certifications: we operate SOC 2-aligned controls today. Formal SOC 2 Type II audit and ISO 27001 certification are scheduled to begin around customer #25, when we qualify for compliance-platform startup programmes (Drata / Vanta) and engage an external CPA auditor. Our Trust page publishes the live status, the planned timeline and the source policies (derived from the open-source strongdm/comply bundle).

6. Data Retention

  • Account data — kept while your account is active; deleted within 30 days of cancellation.
  • Cloud cost data — kept for the lesser of (a) your subscription term + 90 days or (b) any retention period you configure in account settings.
  • Stripe customer cache — refreshed on each sync; deleted on disconnect.
  • Audit logs — 12 months, then anonymised.
  • Lead-magnet subscribers / design-partner sign-ups — retained until you ask to be removed; we honour all requests within 30 days.
  • Backups — encrypted snapshots are retained for 35 days then permanently destroyed.

7. Your Rights

Whether or not you live in the EU/UK or California, we extend the following rights to every user:

  • Access — request a copy of all personal data we hold about you
  • Rectification — correct anything that is inaccurate
  • Erasure — delete your account and associated data ("right to be forgotten")
  • Portability — export your data in machine-readable JSON or CSV
  • Restriction / objection — opt out of marketing emails, AI processing, or analytics tracking
  • Withdraw consent — disconnect any cloud provider or Stripe at any time

To exercise any of these rights, email hello@cartieai.com from the address on file. We respond within 30 days. There is no charge.

California residents (CCPA): we do not sell your personal information. We have not sold or shared personal information for the purposes defined under CCPA in the past 12 months.

8. International Transfers

Our primary data hosting is in the United States (MongoDB Atlas, US-East region). If you access CARTIE AI from outside the US, your data is transferred to and processed in the US under Standard Contractual Clauses. We're happy to sign a Data Processing Agreement for EU/UK customers — email hello@cartieai.com with subject "DPA request".

9. Cookies and Similar Technologies

We use a small number of cookies and similar technologies:

  • Essential — session cookies, CSRF tokens. Always on; required for the app to function.
  • Analytics — first-party page-view counters and click-tracking on our marketing pages. You can decline these via the cookie banner.
  • Email-open tracking pixel — used in some founder follow-up emails (Section 2.5). Reply with "no tracking please" to opt out.

10. Children's Privacy

CARTIE AI is a B2B product not intended for children under 18. We do not knowingly collect personal information from children. If you believe a child has submitted information to us, contact us and we will delete it.

11. Changes to This Policy

When we make material changes we will email account holders at least 14 days before the new version takes effect. The "Last updated" date at the top will always reflect the effective version.

12. Contact Us

For any privacy question, request, or concern:

Privacy lead: Lakshmi (founder)

Email: hello@cartieai.com

Postal: CARTIE AI · Austin, Texas, United States

EU/UK residents may also contact their local data-protection authority. We are committed to resolving concerns directly first.

© 2026 CARTIEAI. All rights reserved.
