The Foreman (“we”, “our”, “us”) provides an automated AWS cloud cost optimization service at theforeman.app. This policy explains what data we collect, how we use it, and your rights.
1. Information We Collect
Account information
Name, email address, and organization details collected at signup via Clerk. We do not store passwords — authentication is handled entirely by Clerk.
AWS resource metadata
When you connect an AWS account, we collect read-only resource metadata (instance IDs, resource names, sizes, utilization metrics from CloudWatch). We never access the contents of S3 objects, databases, or application data — only infrastructure configuration and cost signals.
Billing information
Subscription and payment data is handled by Stripe. We store your Stripe customer ID and subscription status, but never your card number or full payment details.
Usage data
Anonymous event data (page views, button clicks, feature usage) to understand how the product is used. This data is not linked to individuals for advertising purposes.
Notification settings
Email addresses and Slack webhook URLs you configure for scan alert delivery.
2. How We Use Your Information
- Delivering the service — scanning your AWS infrastructure, generating findings, and sending alerts
- Billing and subscription management via Stripe
- Sending transactional emails (welcome, billing confirmations, scan digests)
- Improving the product using aggregated, anonymized usage signals
- Responding to support requests and communicating about your account
We do not sell your data. We do not use your AWS resource data for any purpose other than delivering findings to you.
3. AWS Access
Access to your AWS account is read-only and temporary. We use IAM role assumption (STS AssumeRole) with an External ID, which means you create a role in your account that trusts our AWS account and only permits assumption when our scanner presents the agreed External ID. Each scan runs with short-lived session credentials obtained from that role; we never hold or store long-lived AWS access keys for your account. See our Security page for full details on how this works and the exact permissions requested.
You can revoke access at any time by deleting the IAM role in your AWS account, or by removing our account from the role's trust policy; either stops any further assumption of the role.
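As an added illustration (this is not The Foreman's own code, and the vendor account ID and External ID below are placeholders rather than real values), the following Python shows the weak and the hardened form of the trust policy described above and audits a trust policy document for the two properties that make the arrangement safe: the only principal allowed to assume the role is the expected vendor account, and every such grant carries a `sts:ExternalId` condition, which is the standard mitigation for the confused-deputy problem. It also accepts the JSON that `aws iam get-role` prints, so it can be pointed at the role you created. The permissions policy attached to the role is a separate document described on the Security page and is not covered here.

```python
import json

# Constructed placeholders: not The Foreman's real account ID or External ID.
VENDOR_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "example-external-id-0123"

# Weak trust policy: the vendor account can assume the role with no External ID,
# so anyone who learns the role ARN could ask the vendor to assume it for them.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Hardened trust policy: same principal, but assumption is only allowed when the
# caller presents the External ID agreed with you out of band.
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}


def _as_list(value):
    """IAM allows most fields to be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, expected_account_id, expected_external_id):
    """Return a list of findings for Allow statements that grant sts:AssumeRole.
    An empty list means every such grant is limited to the expected account and
    requires the expected External ID."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: wildcard principal")
            continue
        for arn in _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []:
            # "arn:aws:iam::ACCOUNT:root" -> account is the fifth colon-separated field.
            account = arn.split(":")[4] if arn.startswith("arn:") else arn
            if account != expected_account_id:
                findings.append(f"statement {i}: unexpected principal account {account}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append(f"statement {i}: missing sts:ExternalId condition")
        elif expected_external_id not in _as_list(ext):
            findings.append(f"statement {i}: sts:ExternalId does not match expected value")
    return findings


def audit_get_role_output(get_role_json, expected_account_id, expected_external_id):
    """Audit the trust policy embedded in the output of `aws iam get-role --role-name ...`."""
    doc = json.loads(get_role_json)["Role"]["AssumeRolePolicyDocument"]
    return audit_trust_policy(doc, expected_account_id, expected_external_id)


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(name, audit_trust_policy(policy, VENDOR_ACCOUNT_ID, EXTERNAL_ID) or ["ok"])
```

The expected External ID must come from the vendor through a channel you trust (the onboarding screen, not a value you picked yourself), and the check is worth re-running whenever the role is edited, since a later "simplification" of the trust policy is the most common way the condition disappears.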
4. Third-Party Services
| Service | Purpose | What they receive |
|---|---|---|
| Clerk | Authentication & user management | Email, name, organization |
| Stripe | Subscription billing | Email, billing details |
| SMTP provider | Transactional email delivery | Recipient email, message content |
| AWS (your account) | Infrastructure scanning | Read-only API calls from our scanner; nothing is written to your account |
5. Data Retention
Scan findings are retained for as long as your account is active. Resolved findings (resources that are no longer flagged) are kept for historical reference.
When you delete your account, your data — including all findings, AWS account configurations, and notification settings — is deleted within 30 days.
6. Security
Data is encrypted in transit (TLS) and at rest. Access to production systems is restricted to personnel who need it. The AWS credentials used for each scan are short-lived session credentials obtained by assuming your read-only IAM role; they expire automatically after the scan and are never stored.
If you discover a security issue, please report it to hello@theforeman.app.
7. Your Rights
Depending on your location, you may have rights to:
- Access the personal data we hold about you
- Request correction or deletion of your data
- Object to or restrict certain processing
- Data portability
To exercise any of these rights, email hello@theforeman.app.
8. Changes to This Policy
We may update this policy as the product evolves. We’ll notify you of material changes via email or an in-app notice. The effective date at the top of this page reflects the most recent revision.
9. Contact
Questions about this policy? Email us at hello@theforeman.app.