Privacy Policy

FinOps Maturity Assessment Platform — Effective date: 23/04/2026 — Version 1.0

1. Introduction

FinOpsAlly ("we", "us", "our") is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store and share personal data when you use the FinOps Maturity Assessment platform ("Service"), and describes your rights under the General Data Protection Regulation (GDPR) and applicable Portuguese law.

Please read this policy carefully. If you have any questions, contact us using the details in Section 11.

2. Data Controller

The data controller responsible for your personal data is:

FinOpsAlly
Portugal
Email: support@finopsally.com

3. What Personal Data We Collect and Why

We collect only the personal data necessary to provide the Service. The table below sets out the categories of data we process, the purpose, and our lawful basis under GDPR Article 6.

Data Category	Purpose	Lawful Basis
Email address	Authentication and account management	Legitimate interests (Art. 6(1)(f)) / Contract (Art. 6(1)(b))
Authentication tokens / session identifiers	Maintaining your authenticated session	Legitimate interests (Art. 6(1)(f))
Organisation/tenant identifier	Multi-tenant data isolation	Contract (Art. 6(1)(b))
Assessment inputs and evaluation notes	Providing core Service functionality	Contract (Art. 6(1)(b))
Assessment results and maturity scores	Generating reports and comparisons	Contract (Art. 6(1)(b))
AI copilot inputs (if enabled)	Processing your query via AI provider	Consent (Art. 6(1)(a))
Technical logs (IP address, browser type, timestamps)	Security, abuse prevention, error diagnosis	Legitimate interests (Art. 6(1)(f))

We do not collect any special categories of personal data (e.g. health data, political opinions, biometric data).

Anonymous users: If you use the Service without authenticating, we do not associate any data with an identifiable individual. Session data may be processed temporarily and is not retained after your session ends.

4. International Data Transfers

The Service is hosted on Microsoft Azure infrastructure in the European Economic Area (EEA). Two optional features transfer data outside the EEA:

AI copilot — when enabled, relevant assessment context is transmitted to a third-party AI language model provider located in the United States.
Google Analytics — when you grant analytics consent, aggregated measurement data is transmitted to Google LLC in the United States.

Both transfers are made subject to appropriate safeguards in accordance with GDPR Chapter V, specifically Standard Contractual Clauses (SCCs) as approved by the European Commission. The AI copilot transfer additionally requires your explicit consent (Art. 6(1)(a)); the Google Analytics transfer is gated on your analytics cookie consent.

You may withdraw consent for either at any time — disable the AI copilot feature to stop further AI transfers, or revoke the Analytics category via "Cookie Settings" in the footer to stop further Google Analytics transfers.

5. Cookies and Similar Technologies

The Service uses four categories of cookies. Strictly necessary cookies are always on; functional and analytics cookies are opt-in via the consent banner. We do not use marketing cookies.

Strictly necessary

Required to sign you in, protect against CSRF, and record your cookie choices. Includes:

sessionid — authenticated session, HttpOnly, browser-session lifetime.
csrftoken — CSRF protection, 1 year.
cookie_consent — stores your category choices (the consent record itself), 1 year, SameSite=Lax, Secure on HTTPS. Cleared when you delete it or when we publish a material change to the cookie schema (you will see the banner again).

Functional (opt-in)

Remember your assessment view preferences (expanded capabilities, sort order, status filter) via the assessment_view cookie (1 year, first-party).

Analytics (opt-in)

Help us understand product usage and improve the assessment flow. Two layers, both gated on your consent:

Self-hosted: _fa_visitor (13 months) and _fa_session (30 minutes, sliding) cookies issued by FinOpsAlly and stored on our own infrastructure. They identify a browser pseudonymously — no email, no name. Linked to in-app events such as sign-in, assessment start/complete, and AI interactions. Data is retained for up to 14 months, then automatically purged. You can delete your record at any time via "Delete my analytics data" in Cookie Settings (footer link).
Google Analytics: aggregated traffic measurement. We run Google Consent Mode v2 — when you decline analytics, Google sends only consent signals (no personalisation, no advertising IDs). When you accept, Google sets its own cookies for measurement: _ga (2 years), _ga_<property-id> (2 years), _gid (24 hours), _gat (1 minute). Ad-related Consent Mode signals (ad_storage, ad_user_data, ad_personalization) are never granted because we do not run advertising.

Withdrawing analytics consent stops new events, expires self-hosted cookies, and downgrades Google Analytics back to consent-denied mode.

We honour the Do Not Track browser signal (DNT: 1): when set, we suppress all analytics collection regardless of the consent cookie — both client-side tracking and server-emitted events.

Marketing

We do not run advertising or third-party ad networks. The marketing category is reserved in the consent banner but currently inactive.

You can review or change your choices at any time via "Cookie Settings" in the footer.

6. Data Sharing and Third-Party Processors

We do not sell your personal data. We may share your data with the following categories of trusted third-party processors, strictly as necessary to operate the Service:

Processor	Role	Location
Microsoft Azure	Cloud hosting, storage and infrastructure	EEA
Microsoft Entra ID	Authentication (for organisational tenants)	EEA / Global
AI language model provider	AI copilot processing (if enabled, with consent)	United States
Google Analytics	Aggregated traffic measurement (only on analytics consent)	United States

All third-party processors are bound by data processing agreements that require them to process your data only on our documented instructions and in compliance with GDPR.

We may also disclose your data where required by law, court order or regulatory authority.

7. Data Retention

We retain personal data only for as long as necessary for the purposes described in this policy.

Data Type	Retention Period
Account data (email, assessments, reports)	For the duration of your account. Data is deleted immediately upon account deletion, or after 730 days of inactivity.
`sessionid` cookie (authenticated session)	Deleted when your browser session ends.
`csrftoken` cookie	Up to 1 year.
`cookie_consent` cookie (consent record)	Up to 1 year, or until you delete it or we publish a material change to the cookie schema.
`assessment_view` cookie (functional, opt-in)	Up to 1 year, or until you revoke functional consent.
`_fa_visitor` cookie + linked self-hosted analytics events	Up to 14 months, then automatically purged. Earlier on DSAR request.
`_fa_session` cookie	30 minutes, sliding; deleted when analytics consent is revoked.
Google Analytics cookies (`_ga`, `_ga_*`, `_gid`, `_gat`)	As set by Google: `_ga` and `_ga_*` up to 2 years, `_gid` 24 hours, `_gat` 1 minute.
Technical/security logs	Up to 90 days.
AI copilot inputs	As per the AI provider's retention policy; we do not retain a copy beyond the session.

After the applicable retention period, data is securely deleted or anonymised.

8. Your Rights Under GDPR

As a data subject, you have the following rights under the GDPR. You may exercise any of these rights by contacting us at the address in Section 11.

Right of access (Art. 15): You may request a copy of the personal data we hold about you.
Right to rectification (Art. 16): You may request correction of inaccurate or incomplete data.
Right to erasure (Art. 17): You may request deletion of your personal data, subject to any legal obligations we may have to retain it.
Right to restriction of processing (Art. 18): You may request that we limit the processing of your data in certain circumstances.
Right to data portability (Art. 20): You may request a copy of your data in a structured, machine-readable format where processing is based on consent or contract.
Right to object (Art. 21): You may object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
Right to withdraw consent (Art. 7(3)): Where processing is based on consent (e.g. the AI copilot), you may withdraw consent at any time without affecting the lawfulness of prior processing.

We will respond to all requests within 30 days. We reserve the right to verify your identity before fulfilling a request.

You also have the right to lodge a complaint with the Portuguese data protection authority:
Comissão Nacional de Proteção de Dados (CNPD)
Website: www.cnpd.pt — Email: geral@cnpd.pt

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction or alteration. These measures include:

Logical tenant isolation in a multi-tenant architecture
Encrypted data transmission (TLS)
Authentication controls (one-time codes, OIDC)
Access controls limiting FinOpsAlly staff access to operational necessity

No method of transmission or storage is completely secure. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with GDPR Article 34.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be notified to authenticated users via a notice within the Service. The effective date at the top of this document will always reflect the latest version.

We encourage you to review this policy periodically.

11. Contact

For any questions, requests or concerns regarding this Privacy Policy or how we handle your personal data, please contact:

FinOpsAlly
Portugal
Email: support@finopsally.com