ANGUARDIA

Privacy Policy

Last updated: April 14, 2026

1. Introduction

Anguardia ("we", "us", "our") provides a cloud infrastructure scanning platform that helps engineering teams identify and resolve AWS security findings. This Privacy Policy explains how we collect, use, store, and protect your information when you use our service at app.anguardia.com (the "Service").

2. Information We Collect

Account Information

When you create an account, we collect your email address, full name, and company name. This information is used to identify your account and personalise your experience.

Multi-factor authentication (MFA)

If you enroll in MFA or are prompted to set it up, we store MFA factor metadata (such as TOTP enrollment status) in Supabase Auth and, where applicable, an MFA grace deadline on your profile to enforce our security requirements.

AWS Account Metadata

When you connect an AWS account, we store the IAM Role ARN, an external ID (UUID), a friendly account name you provide, and metadata generated from security scanning (findings, severity levels, resource identifiers, remediation guidance). Cost optimisation recommendations are fetched live from the AWS Cost Optimization Hub API and are not stored in our database. We do not store AWS access keys, secret keys, or session tokens beyond the duration of a scan session.

Billing Information

Payment processing is handled entirely by Stripe. We store your Stripe customer ID, subscription plan, and subscription status. We do not store credit card numbers, bank account details, or other payment instruments. See Stripe's Privacy Policy for how they handle your payment data.

Usage Data

We collect standard server logs (IP address, browser type, pages visited, timestamps) to maintain and improve the Service. We do not use third-party analytics or tracking scripts.

3. How We Access Your AWS Environment

Anguardia accesses your AWS account exclusively through IAM AssumeRole with an external ID for confused-deputy protection. Our access is strictly read-only. We use temporary credentials that expire after each scan session.

The CloudFormation template we provide creates a single read-only IAM role that attaches two AWS-managed policies: SecurityAudit and ViewOnlyAccess. Together, these grant broad read-only access across many AWS services (see AWS documentation for each policy's scope).

The template also includes a custom inline policy that grants additional read-only permissions for the Cost & Waste feature — specifically cost-optimization-hub:ListRecommendations, cost-optimization-hub:GetRecommendation, cost-optimization-hub:ListRecommendationSummaries, cost-optimization-hub:ListEnrollmentStatuses, and cost-optimization-hub:GetPreferences. These are used to surface cost optimisation recommendations directly from the AWS Cost Optimization Hub. All access is read-only; no recommendations are stored by Anguardia.

We also call compute-optimizer:GetEnrollmentStatus to check whether AWS Compute Optimizer is opted in on the connected account. This is a read-only status check used to surface setup guidance in the product. No data from this call is stored by Anguardia.

We never create, modify, or delete any resources in your AWS account.

4. How We Use Your Information

  • To provide the Service — scanning your AWS environment, generating findings, and displaying your security backlog.
  • To manage your account — authentication, profile settings, and subscription billing.
  • To communicate with you — transactional emails related to your account (e.g., password reset). We do not send marketing emails.
  • To improve the Service — aggregated, anonymised usage patterns to improve scanning accuracy and user experience.

5. Data Storage and Security

Your data is stored in a Supabase-hosted PostgreSQL database with Row Level Security (RLS) enforced at the database level. Each user's data is isolated — you can only access your own accounts, findings, and scans.

All data is encrypted in transit (TLS) and at rest. Authentication is handled by Supabase Auth with secure, httpOnly session cookies.

6. Data Sharing

We do not sell, rent, or trade your personal information. We share data only with:

  • Supabase — as our database and authentication provider.
  • Stripe — as our payment processor, only for billing purposes.
  • Loops — for transactional email (e.g. account-related notifications) and waitlist subscriptions.
  • AWS — temporary read-only API calls to your account using credentials you explicitly provision.

We may disclose information if required by law or to protect our rights, but we will notify you where legally permitted.

7. Data Retention and Deletion

Your data is retained for as long as your account is active. When you delete an AWS account from Anguardia, all associated findings, scans, and metadata are permanently deleted from our database.

To delete your entire Anguardia account and all associated data, contact us at the email below. We will process deletion requests within 30 days.

8. Cookies

We use a single authentication cookie managed by Supabase to maintain your session. We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

9. Your Rights

You have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate information in your profile.
  • Delete your account and all associated data.
  • Withdraw consent for data processing (by closing your account).

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by displaying a notice in the Service. Your continued use of the Service after changes constitutes acceptance of the updated policy.