Privacy

Your data, clearly scoped.

How trueno handles your data, the AWS account you connect, and the operational metadata generated by scans.

01 · What we collect

What we collect

Account info

Email, display name, and the workspaces you belong to. Required to authenticate and route you to the right tenant.

Workspace data

Findings, resource snapshots, scan history, recommendations, comments, and assignments. Anything written through the app, scoped to your workspace.

AWS metadata

Read-only configuration metadata returned by authorized AWS APIs: instance types, regions, tags, attached policies, security group rules, IAM principals, and similar resource descriptors.

Cost and billing metadata

Cost and billing metadata returned by authorized read-only APIs, including Cost Explorer, Budgets, Savings Plans, Reserved Instances, and Cost Optimization Hub where enabled.

Operational telemetry

Error rates, scan latencies, retry counts, product-usage events, and timing of admin actions — processed by our analytics and error-monitoring subprocessors (listed below) to operate and improve the service. Telemetry never includes the contents of your findings or AWS resources.
02 · What we don't collect

What we don't collect

AWS access keys

We never see them. trueno authenticates to AWS via AssumeRole + external ID, not long-lived credentials.

AWS billing console data

We read what your scans surface: estimated savings per finding, daily cost snapshots. We don't pull your AWS billing console directly.

Resource contents

We read metadata only. We don't read S3 object contents, RDS row contents, or any application-level workload data.
03 · Subprocessors

Subprocessors & where data lives

Supabase

Hosts the Postgres database and authentication. Workspace data lives here. Row-level security is enforced at the database layer.

Vercel

Hosts the Next.js application and drives scheduled jobs via Vercel Cron. Serverless function execution, plus privacy-friendly aggregate web analytics and Core Web Vitals (Vercel Analytics / Speed Insights), happen here.

AWS (your accounts)

trueno calls AWS APIs as a read-only client against the role you authorize. Data flows in only. We don't write back to AWS.

Stripe

Processes payments and subscription billing for paid plans. Stores your billing contact and payment details. trueno never receives full card numbers; Stripe is the payment processor.

Resend

Sends transactional email: welcome, scan-failed, critical-finding digests, and team invitations.

PostHog

Product analytics. Captures pageviews and a small set of product events, tied to your user and workspace id, to measure activation and funnel. No findings or AWS resource data. Hosted in the EU.

Sentry

Error and performance monitoring. Receives sanitized exception and trace data (auth and cookie headers stripped, AWS account ids redacted) so we can diagnose issues.

Upstash

Serverless Redis backing rate limiting for sign-in, MFA, and the public API. Stores short-lived counters only, never workspace content.
04 · How long we keep data

How long we keep data

Active workspaces

We retain workspace data as long as the workspace is active and connected. Findings and cost snapshots are kept for the retention window defined by your plan: 7 days on Free, 90 days on Command, unlimited on Control, and custom on Enterprise.

Deleted workspaces

When you delete a workspace, all associated data is removed from our primary database within 30 days. Encrypted backups roll off within 60 days.

Operational telemetry

Retained for 90 days for incident triage, then aggregated. Aggregate metrics are kept indefinitely.
05 · Security

Security

Encryption in transit

All traffic between you, trueno, and AWS uses TLS 1.2 or higher.

Encryption at rest

Supabase encrypts the underlying Postgres volumes at rest. Backups inherit the same encryption.

Tenant isolation

Every read and write is scoped to your workspace via row-level security policies. Cross-workspace access is impossible at the database layer, not just the application layer.

Vulnerability disclosure

Report issues to security@trueno.io. We respond within two business days and credit confirmed reports.
06 · Your rights

Your rights

Delete your workspace

Request deletion via support@trueno.io. We remove the workspace and all associated data within 30 days.

Export your data

Per-workspace export is available on request. Format is JSON snapshots of the tables you care about.

Revoke AWS access

Delete the IAM role in your AWS account. AssumeRole calls then fail and no further data flows in.

Access and correction

Email privacy@trueno.io to request a copy of the data we hold about you, or to correct inaccuracies.
Questions

Reach a real engineer.

Privacy and data-handling questions go to privacy@trueno.io. We respond from a real engineer.

Effective 2026-05-23