tovin.io
PricingSign in Start free
CloudsAWS · GCP · DigitalOceanMappingTags, accounts, regexCadenceWeekly reviewOpen
Privacy Policy

What we collect, where it lives, and how to make us delete it.

Last updated

Tovin.io is a cloud cost monitor operated by Ryabinski Labs (“we”, “us”). This policy describes what we collect when you use tovin.io and app.tovin.io, why we collect it, where it is stored, and the choices you have. It is written to be read, not skimmed past — if anything here is unclear, email hello@tovin.io and a human will answer.

What we collect

  • Account data: your email address (we are passwordless — sign-in links are sent to it), organization names, and team membership.
  • Cloud billing metadata: cost rows, service names, resource identifiers, and tags pulled from AWS Cost Explorer, your GCP BigQuery billing export, and the DigitalOcean billing API — via the read-only credentials you connect. We never see your workloads, file contents, databases, or application data; only billing metadata.
  • Cloud credentials: the AWS role ARN/external ID or access keys, GCP service-account key, or DigitalOcean token you provide. Each credential blob is envelope-encrypted with a per-blob AES-256-GCM data key wrapped by AWS KMS and bound to your organization — it is never logged, never returned by the API, and cannot be decrypted for a different organization.
  • Billing data: if you upgrade to a paid plan, payment is processed by Stripe. We store your Stripe customer and subscription identifiers; your card number never touches our servers.
  • Newsletter email: if you subscribe to the Friday note, your email is processed by EMCognito, our newsletter delivery provider.
  • Usage analytics: we use Google Analytics (gtag.js) on the marketing site to understand which pages are read. Standard server logs (IP address, user agent, request path) are kept for security and debugging.

What we do not collect

  • No passwords — authentication is magic-link only; sign-in tokens are single-use, HMAC-hashed at rest, and expire after 15 minutes.
  • No workload or application data — every cloud integration uses read-only billing scopes, validated with a no-op call on connect.
  • No selling of personal data — we do not sell, rent, or trade your data to anyone, full stop.

How we use your data

  • To run the product: ingest and aggregate your billing data into project ledgers, budgets, forecasts, and anomaly alerts.
  • To send email you control: sign-in links and team invites (transactional), plus alert emails and the weekly digest — both toggleable in Settings.
  • To bill paid plans through Stripe.
  • To improve the product, using aggregate usage patterns.
  • We may publish aggregated, anonymized statistics (for example, the share of untagged spend by cloud) only from organizations that explicitly opt in, and never in a form that could identify a customer.

Where your data lives

All customer data at rest is stored in Amazon Web Services, US East (N. Virginia, us-east-1): DynamoDB for application data, KMS for credential encryption keys, and S3 for static assets. The API runs on DigitalOcean Kubernetes and holds no data at rest. Transactional email is sent through Amazon SES. If you need a different residency arrangement, talk to us before connecting production accounts.

Subprocessors

  • Amazon Web Services — hosting, storage, encryption, email delivery (US).
  • DigitalOcean — API compute (US).
  • Stripe — payment processing.
  • EMCognito — newsletter delivery (only if you subscribe).
  • Google Analytics — marketing-site usage analytics.

Retention and deletion

  • Deleting a cloud connection permanently deletes its encrypted credential blob.
  • Deleting a project removes its mapped cost aggregates.
  • Deleting your organization cascades: connections, credentials, rules, projects, cost rows, alerts, and memberships are removed.
  • Magic-link tokens self-expire after 15 minutes; refresh sessions expire after 7 days.
  • Operational logs and backups age out on a rolling window (point-in-time recovery retains 35 days).
  • To delete your account entirely or to export your data, email hello@tovin.io — we will confirm completion.

Cookies

The app sets one httpOnly refresh cookie to keep you signed in (7-day lifetime, scoped to authentication). The marketing site sets Google Analytics cookies. We do not run advertising or cross-site tracking cookies.

Your rights

You can access, correct, export, or delete your personal data at any time — most of it directly in the product, and anything else by emailing hello@tovin.io. If you are in the EU/EEA, UK, or a jurisdiction with similar data-protection law, these rights (access, rectification, erasure, portability, objection) apply to you as written, and we will honor them within 30 days.

Security

Read-only credential scopes, KMS envelope encryption with tenant-bound context, rate-limited authentication, sanitized provider errors, and a public vulnerability-disclosure channel — the full posture is documented on our Security page and kept current.

Changes and contact

If this policy changes materially, we will note it in the changelog and update the date at the top of this page before the change takes effect. Questions, requests, or complaints: hello@tovin.io.