Privacy Policy

Effective Date: April 1, 2026

Last Updated: April 1, 2026

Protocol Draft LLC ("we," "us," or "our") operates KostKube, a cloud-hosted Kubernetes cost monitoring and optimization platform. This Privacy Policy explains how we collect, use, store, share, and protect information about you when you use our website at kostkube.com and our SaaS platform at app.kostkube.com (collectively, the "Service"). It also describes your rights and choices with respect to your personal data.

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the Service.

1. Data We Collect

1.1 Account Data

When you create a KostKube account, we collect your name, email address, company name, and a password (stored as a bcrypt hash — we never store plaintext passwords). If you sign up via SSO (Google or GitHub), we receive your name, email address, and profile picture from that provider.

1.2 Billing Data

Billing and payment information is collected and processed by Paddle.com Market Ltd ("Paddle"), our Merchant of Record. We do not store your credit card number, CVV, or full payment details on our servers. We receive from Paddle: your billing name, billing address, country, subscription plan details, payment status, and a transaction reference number. For business customers, we may store a VAT or tax ID number you provide.

1.3 Infrastructure Metrics (via the Agent)

When you deploy the KostKube Agent to your Kubernetes cluster(s), the Agent collects and transmits the following categories of infrastructure metrics to our platform:

  • CPU request and usage per pod, deployment, namespace, and node
  • Memory request and usage per pod, deployment, namespace, and node
  • Storage utilization for Persistent Volumes
  • Network egress volume per namespace
  • Kubernetes resource metadata: names, labels, annotations (of workloads, namespaces, nodes)
  • Node specifications (instance type, region, availability zone)

This data is used solely to generate cost reports and optimization recommendations for your account. All metrics are transmitted using TLS 1.3 encryption.

1.4 Usage Data

We collect information about how you interact with the Service, including pages visited, features used, dashboard views accessed, actions taken (e.g., recommendations exported), and browser/device information (browser type, operating system, screen resolution, IP address). This data helps us understand how to improve the Service.

1.5 Cookies and Tracking Technologies

We use cookies and similar tracking technologies as described in Section 11 (Cookies) of this Privacy Policy.

2. What We Do NOT Collect

The KostKube Agent is designed with a minimal data collection principle. We explicitly do not collect, access, or store:

  • Application source code or compiled binaries running in your cluster
  • Kubernetes Secrets, ConfigMap values, or environment variable values
  • Application logs or container stdout/stderr output
  • Network traffic content or packet data
  • Database query content or application-level data
  • Personally identifiable information of your end users or customers
  • API keys, tokens, or credentials of any kind

The Agent operates with read-only Kubernetes RBAC permissions scoped to resource metrics. It cannot read Secrets by design. You can inspect the complete Agent source code on GitHub to verify this.

3. How We Use Your Data

We use the data we collect for the following purposes:

  • Providing the Service: Processing infrastructure metrics to generate cost reports, waste detection alerts, and optimization recommendations.
  • Account Management: Creating and managing your account, authenticating you, and communicating with you about your account.
  • Billing and Payments: Coordinating with Paddle to manage your subscription, process payments, and send receipts.
  • Customer Support: Responding to your support requests and diagnosing technical issues.
  • Service Improvement: Analyzing usage patterns to improve existing features and develop new features.
  • Security: Detecting, preventing, and investigating fraud, abuse, and security incidents.
  • Legal Compliance: Meeting our legal obligations, including responding to lawful government requests.
  • Communications: Sending you service-related notices (downtime, policy changes) and, where you have opted in, product updates and newsletters.

4. Payment Processing

All payments for paid KostKube plans are processed by Paddle.com Market Ltd ("Paddle"), who acts as our Merchant of Record. When you complete a purchase, you interact directly with Paddle's secure checkout. Paddle collects your payment details, issues your receipt, and handles applicable taxes.

Paddle's collection and use of your payment information is governed by Paddle's Privacy Policy. We recommend you review Paddle's privacy practices.

We receive from Paddle only the billing metadata necessary to manage your subscription (plan type, renewal date, payment status). We do not receive or store your full credit card number or CVV at any time.

5. Data Storage & Security

All Customer Data and account data is stored on infrastructure hosted on Amazon Web Services (AWS) in the US-East-1 (Northern Virginia) region. Business plan and Enterprise customers may request EU data residency, in which case data is stored in AWS EU-West-1 (Ireland).

We protect your data using industry-standard security measures:

  • AES-256 encryption for all data at rest
  • TLS 1.3 for all data in transit between the Agent and our servers, and between your browser and our servers
  • Logical data isolation per customer — your data is never commingled with another customer's data in queries
  • Access controls: only authorized KostKube personnel can access customer data, and only when necessary for support or operations
  • Regular security assessments and penetration testing (planned annually)

While we implement commercially reasonable security measures, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.

6. Data Sharing

We do not sell, rent, or trade your personal data or Customer Data to third parties. We may share your data only in the following limited circumstances:

  • Paddle.com Market Ltd: As our payment Merchant of Record, Paddle receives your billing information to process payments.
  • Amazon Web Services (AWS): Our infrastructure provider that hosts your data.
  • Email service provider: Used solely to send transactional emails (account verification, billing receipts, service notices) and, where opted in, product updates.
  • Legal requirements: We may disclose your data if required to do so by law, court order, or government authority, or if we believe in good faith that such disclosure is necessary to protect the rights, property, or safety of Protocol Draft LLC, our users, or the public.
  • Business transfers: In connection with a merger, acquisition, or sale of all or substantially all of our assets, your data may be transferred as part of that transaction. We will provide notice before your data is transferred and becomes subject to a different privacy policy.

7. Data Retention

Infrastructure metrics are retained according to your plan:

  • Starter (Free): 7 days
  • Pro: 30 days
  • Business: 90 days
  • Enterprise: 365 days (1 year)

After account cancellation or termination, we retain your data for 30 days to allow you to export it, after which all Customer Data is deleted from our systems.

Billing records (transaction history, receipts) are retained for 7 years to comply with financial record-keeping requirements. Account data (name, email) is retained until you request deletion or 90 days after account termination, whichever comes first.

8. GDPR Compliance (European Economic Area)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following additional provisions apply under the General Data Protection Regulation (GDPR) and applicable national data protection laws.

8.1 Legal Basis for Processing

We process your personal data under the following legal bases:

  • Contract performance: Processing necessary to provide the Service you have subscribed to.
  • Legitimate interests: Service improvement, security monitoring, and fraud prevention.
  • Legal obligation: Compliance with applicable laws and regulations.
  • Consent: For optional communications such as newsletters and product updates (you may withdraw consent at any time).

8.2 Your GDPR Rights

You have the following rights under GDPR:

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right of Rectification: Request correction of inaccurate or incomplete data.
  • Right of Erasure: Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
  • Right to Data Portability: Request a machine-readable copy of your data to transfer to another service.
  • Right to Restriction: Request that we restrict processing of your data in certain circumstances.
  • Right to Object: Object to processing based on legitimate interests.

To exercise any of these rights, contact us at support@kostkube.com. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection supervisory authority.

8.3 Data Processing Agreement

If you require a Data Processing Agreement (DPA) for GDPR compliance purposes, please contact us at support@kostkube.com. We will provide a DPA upon request.

9. CCPA Compliance (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information.

We do not sell your personal information. We do not sell or share your personal information with third parties for their direct marketing purposes.

Under the CCPA, you have the right to:

  • Know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Delete: Request deletion of your personal information, subject to certain exceptions.
  • Opt-Out: Opt out of the sale or sharing of your personal information (we do not sell your data, so this right is not applicable to us in the traditional sense).
  • Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise your CCPA rights, contact us at support@kostkube.com. We will respond to verifiable requests within 45 days.

10. Children's Privacy

The Service is not directed to, and we do not knowingly collect personal information from, children under the age of 16. If you are under 16, please do not use the Service or provide any personal information to us. If we learn that we have collected personal information from a child under 16, we will delete that information as quickly as possible. If you believe we may have collected information from a child under 16, please contact us at support@kostkube.com.

11. Cookies

We use the following categories of cookies and similar technologies:

Essential Session Cookies (Required)

These cookies are strictly necessary for the Service to function. They manage your login session, maintain your authentication state, and protect against CSRF attacks. You cannot opt out of these cookies while using the Service, as they are essential to its operation.

Analytics Cookies (Optional)

We may use privacy-respecting analytics to understand how the website and dashboard are used. If used, these analytics tools are configured to anonymize IP addresses and not share data with third-party advertising networks. You may opt out of analytics cookies by adjusting your browser settings or using a cookie preference tool if presented.

Advertising Cookies (Not Used)

We do not use advertising or tracking cookies. We do not display third-party ads or participate in retargeting advertising programs.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by sending an email to the address associated with your account at least 30 days before the changes take effect, and by posting the updated policy on our website with a new effective date.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your data. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Protocol Draft LLC

Wyoming, USA

Email: support@kostkube.com

Website: kostkube.com

For GDPR-related requests, we aim to respond within 30 days. For CCPA-related requests, we aim to respond within 45 days.