Privacy Policy

Last updated: May 2025

1. Introduction

Servyx ("Servyx," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect personal data and infrastructure data when you use the Servyx platform and related services (the "Service").

Servyx is operated from Brazil and serves customers globally. We comply with applicable data protection laws including the Brazilian General Data Protection Law (LGPD - Lei Geral de Proteção de Dados, Law No. 13,709/2018), the European Union General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA), as applicable to our users.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the Service.

2. Data Controller

Servyx is the data controller (under GDPR) and the data processing agent (under LGPD) for personal data collected through the Service. For questions about data processing, contact us at privacy@servyx.ai.

3. Data We Collect

3.1 Account Data

When you sign up via a third-party identity provider (currently Google OAuth), we receive and store:

  • Name and email address
  • Profile picture URL
  • Unique identifier from the identity provider

We do not store passwords. Authentication is handled entirely by the third-party identity provider.

3.2 Cloud Provider Credentials

To connect your AWS account, you provide IAM access keys (access key ID and secret access key). These credentials are:

  • Encrypted at rest using AES-256-GCM, an industry-standard authenticated encryption algorithm
  • Never stored in plaintext
  • Used exclusively for read-only API calls to your AWS account
  • Deletable by you at any time through the Service interface

3.3 Infrastructure Data

When you connect a cloud account or Kubernetes cluster, we collect infrastructure metadata and metrics, including:

  • Resource configurations (instance types, states, regions, availability zones)
  • Resource tags and identifiers
  • Performance metrics (CPU utilization, memory usage, network I/O, disk I/O)
  • Cost and billing data from AWS Cost Explorer
  • Kubernetes cluster metrics (pod, node, and workload resource allocations and usage)

What We Do NOT Collect

Servyx is designed to access only infrastructure metadata and metrics. We do not access, collect, or store:

  • Application data or business content
  • File or object storage contents (e.g., S3 bucket contents)
  • Database contents, records, or queries
  • Secrets, API keys, or passwords (beyond the credentials you explicitly provide)
  • Source code, build artifacts, or container images
  • Application logs or log streams
  • Network traffic, packets, or payloads

3.4 Usage Data

We automatically collect information about how you interact with the Service, including pages visited, features used, timestamps, browser type, operating system, and IP address. This data helps us improve the Service and diagnose technical issues.

4. Legal Basis for Processing

We process your data under the following legal bases:

  • Contract performance (GDPR Art. 6(1)(b) / LGPD Art. 7, V): Processing is necessary to provide the Service you requested.
  • Legitimate interests (GDPR Art. 6(1)(f) / LGPD Art. 7, IX): We process data for security, fraud prevention, Service improvement, and analytics, where our interests do not override your fundamental rights.
  • Consent (GDPR Art. 6(1)(a) / LGPD Art. 7, I): Where required, such as for marketing communications or optional analytics.
  • Legal obligation (GDPR Art. 6(1)(c) / LGPD Art. 7, II): Where we are required to process data by law.

5. How We Use Your Data

We use the data we collect to:

  • Provide, maintain, and improve the Service
  • Analyze your infrastructure and generate cost optimization recommendations
  • Authenticate your identity and manage your account
  • Communicate with you about the Service, including updates and support
  • Monitor and improve Service security and performance
  • Generate aggregated, anonymized insights for benchmarking and analytics
  • Comply with legal obligations

We do not sell your personal data or infrastructure data to third parties. We do not use your infrastructure data for advertising purposes.

6. Data Sharing and Third Parties

We may share your data with third parties only in the following circumstances:

  • Service providers: We use trusted third-party services for hosting, database management, authentication, and analytics. These providers are contractually bound to protect your data and process it only on our behalf.
  • Legal requirements: We may disclose data if required by law, court order, or governmental authority, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of the transaction. We will notify you of any such change.
  • With your consent: We may share data when you have given explicit consent.

We do not share your cloud provider credentials with any third party.

7. Data Security

We implement technical and organizational security measures to protect your data, including:

  • AES-256-GCM encryption for cloud credentials at rest
  • TLS encryption for all data in transit
  • Logical isolation of customer data per workspace
  • Access controls based on the principle of least privilege
  • Regular security reviews and updates

Despite our efforts, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents. If we become aware of a data breach that affects your personal data, we will notify you and the relevant authorities as required by applicable law.

8. Data Retention

We retain your data as follows:

  • Account data (name, email): Retained while your account is active and for up to 30 days after account deletion, unless a longer period is required by law.
  • Cloud credentials: Deleted immediately when you remove them from the Service or when your account is terminated.
  • Infrastructure data (metrics, configurations, cost data): Retained while your account is active and deleted within 30 days of account termination.
  • Usage data: Retained for up to 12 months for analytics and security purposes.
  • Aggregated data: Anonymized, aggregated data that cannot identify you may be retained indefinitely.

9. International Data Transfers

Servyx is operated from Brazil and uses infrastructure hosted in various regions. Your data may be transferred to and processed in countries outside your country of residence, including Brazil and the United States.

For transfers of data from the European Economic Area (EEA) or the United Kingdom, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission. For transfers from Brazil, we comply with the international transfer requirements under the LGPD.

By using the Service, you consent to the transfer of your data to these jurisdictions, subject to the protections described in this Privacy Policy.

10. Your Rights

Depending on your location and applicable law, you may have the following rights regarding your personal data:

10.1 Rights Under LGPD (Brazil)

  • Confirmation of the existence of data processing
  • Access to your data
  • Correction of incomplete, inaccurate, or outdated data
  • Anonymization, blocking, or deletion of unnecessary or excessive data
  • Portability of data to another service provider
  • Deletion of data processed with your consent
  • Information about entities with which your data is shared
  • Information about the possibility of denying consent and the consequences
  • Revocation of consent

10.2 Rights Under GDPR (EU/EEA)

  • Right of access to your personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing based on legitimate interests
  • Right to withdraw consent at any time
  • Right to lodge a complaint with a supervisory authority

10.3 Rights Under CCPA (California)

  • Right to know what personal information is collected and how it is used
  • Right to request deletion of your personal information
  • Right to opt out of the sale of personal information (note: we do not sell your data)
  • Right to non-discrimination for exercising your privacy rights

To exercise any of these rights, contact us at privacy@servyx.ai. We will respond to your request within the timeframes required by applicable law (generally within 15 days under LGPD, 30 days under GDPR, and 45 days under CCPA).

11. Cookies and Tracking Technologies

We use cookies and similar technologies to:

  • Maintain your authentication session
  • Remember your preferences
  • Understand how the Service is used

You can control cookies through your browser settings. Disabling certain cookies may affect the functionality of the Service (for example, you may need to re-authenticate more frequently).

12. Children's Privacy

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete it promptly. If you believe we have inadvertently collected data from a minor, please contact us at privacy@servyx.ai.

13. Open-Source Kubernetes Collector

Our Kubernetes collector agent is open source and can be reviewed before installation. The collector:

  • Runs as a read-only CronJob within your Kubernetes cluster
  • Collects only infrastructure metrics (pod, node, and workload resource usage)
  • Does not access application data, secrets, ConfigMaps contents, or container images
  • Transmits data to Servyx over encrypted connections (TLS)
  • Can be uninstalled at any time via Helm, which stops all data collection

You are responsible for reviewing the collector source code and understanding what data it collects before deploying it in your environment.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service and updating the "Last updated" date. For significant changes, we will provide additional notice (such as via email). We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes are posted constitutes acceptance of the updated Privacy Policy.

15. Data Protection Officer

In accordance with the LGPD, Servyx has designated a Data Protection Officer (Encarregado) who can be contacted for any questions regarding our data processing practices. You may reach the DPO at dpo@servyx.ai.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: