RemediGenius
Legal

Privacy Policy

Last updated: February 19, 2026

1. Introduction

Welcome to RemediGenius. We are committed to protecting your privacy and ensuring the security of your data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our cloud security assessment platform.

RemediGenius is a SaaS platform that aggregates security findings from your cloud provider's native security tools (AWS Security Hub, Config, GuardDuty, etc.) and provides AI-powered remediation guidance. We take your privacy seriously and have designed our service with security and data minimization at its core.

By using RemediGenius, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our services.

2. Data Controller

The data controller responsible for your personal data is:

IACGENIUS OÜ

Registration Number: 16533342

VAT ID: EE102574120

Address: Tallinn, Estonia (European Union)

Privacy Contact: privacy@iacgenius.com

Support Contact: support@remedigenius.com

RemediGenius is a product of IACGENIUS OÜ, which also operates iacgenius.com.

For all privacy-related inquiries, data access requests, or to exercise your GDPR rights, please contact us at privacy@iacgenius.com.

3. Information We Collect

We collect different types of information to provide and improve our service:

3.1 Personal Information You Provide

  • Account Information: Email address, company name, password (hashed via Supabase Auth)
  • Payment Information: Billing details processed and stored by Stripe (we do not store credit card numbers)
  • Profile Information: Optional details like notification preferences, timezone, multi-factor authentication settings
  • Communications: Support requests, feedback, and correspondence with our team

3.2 Cloud Security Data

When you connect your cloud accounts to RemediGenius, we collect security findings and metadata from your cloud provider's native security tools:

  • AWS: Security Hub findings, AWS Config compliance data, GuardDuty threat detections, IAM Access Analyzer findings, Inspector vulnerability scans
  • Azure (coming soon): Microsoft Defender for Cloud recommendations
  • GCP (coming soon): Security Command Center findings

Important: We collect only metadata about security findings — not the underlying resource data itself. For example, we store "S3 bucket is publicly accessible" but not the contents of your S3 bucket. Sensitive identifiers like account IDs and resource names are masked in our database.

3.3 Cloud Account Access Information

  • AWS IAM Role ARN (Amazon Resource Name) for cross-account read-only access
  • External ID for secure role assumption
  • Cloud account identifiers (AWS account ID, Azure subscription ID, GCP project ID)
  • Region information and service availability

We never store your AWS access keys or cloud credentials. Access is granted via time-limited IAM role assumption with read-only permissions.

3.4 Automatically Collected Information

  • Usage Data: Pages visited, features used, scan history, time spent on platform
  • Device Information: Browser type, operating system, IP address (anonymized)
  • Log Data: API calls, error logs, performance metrics
  • Analytics: Vercel Analytics (cookieless) for aggregate traffic insights

Cookies: We use only essential session cookies for authentication via Supabase. We do not use advertising or tracking cookies. Vercel Analytics operates without cookies.

4. How We Use Your Information

We use the collected information for the following purposes:

4.1 Service Delivery

  • Authenticate and manage your account
  • Scan your cloud accounts for security findings
  • Display security posture scores, findings, and compliance reports
  • Send email notifications for critical findings and scan completions
  • Process payments and manage subscriptions

4.2 AI-Powered Features

  • Generate plain-English explanations of security findings
  • Provide impact analysis and root cause interpretations
  • Create Infrastructure as Code (IaC) remediation snippets (Terraform, CloudFormation, Bicep)
  • Improve AI model accuracy through aggregate, anonymized feedback

AI Processing: AI features are powered by Azure OpenAI. Finding data sent to Azure OpenAI is minimized to only the necessary context (finding description, severity, resource type). We do not send full resource configurations or sensitive data. Azure OpenAI processes data in EU data centers and does not use customer data for model training.

4.3 Platform Improvement

  • Analyze aggregate usage patterns to improve features
  • Monitor platform performance and reliability
  • Debug errors and resolve technical issues
  • Conduct security audits and threat detection

4.4 Communication

  • Send transactional emails (scan results, critical alerts, billing updates)
  • Respond to support requests and inquiries
  • Provide product updates and security advisories (you can opt out of non-essential emails)

4.5 Legal Compliance

  • Comply with legal obligations and regulatory requirements
  • Enforce our Terms of Service and prevent abuse
  • Protect our rights, privacy, safety, or property

Legal Basis for Processing (GDPR): We process your data based on:

  • Contract Performance: Processing necessary to provide our service (Article 6(1)(b))
  • Legitimate Interests: Platform improvement, security, fraud prevention (Article 6(1)(f))
  • Consent: Optional marketing communications (Article 6(1)(a))
  • Legal Obligation: Compliance with EU/Estonian law (Article 6(1)(c))
5. AI and Data Processing

5.1 Azure OpenAI Integration

RemediGenius uses Azure OpenAI to provide AI-powered remediation suggestions and finding interpretations. When you use AI features:

  • Only the finding description, severity, and resource type are sent to Azure OpenAI
  • We do not send sensitive data like account IDs, credentials, or full resource configurations
  • Azure OpenAI processes data in EU data centers (compliant with GDPR)
  • Azure OpenAI does not use customer data for model training (per our enterprise agreement)
  • Data is transmitted over encrypted channels (TLS 1.3)
  • AI responses are cached temporarily to improve performance but are not permanently stored

5.2 Data Minimization

We follow the principle of data minimization. We collect and process only the data necessary to provide our service. For example:

  • Account IDs are masked (e.g., "aws:123456******")
  • Resource names are truncated or hashed where possible
  • Raw API responses from cloud providers are not stored — only normalized findings
  • AI features receive only the minimum context needed to generate recommendations

5.3 Human Review

Our team may manually review findings and AI-generated content in the following limited cases:

  • You explicitly request support or expert guidance (e.g., Security Audit tier)
  • Quality assurance for AI model accuracy (using anonymized, aggregated data)
  • Debugging platform issues when you submit a support ticket

All team members with access to customer data sign confidentiality agreements and undergo security training.

6. Cloud Account Access

6.1 Read-Only Access Model

RemediGenius operates on a read-only access model. We never create, modify, or delete resources in your cloud accounts.

Access is granted via AWS IAM cross-account roles with the following AWS managed policies:

  • SecurityAudit (read-only access to security findings)
  • ViewOnlyAccess (read-only access to resource metadata)

You deploy our CloudFormation template in your AWS account, which creates an IAM role with these permissions. You can revoke access at any time by deleting the IAM role.

6.2 What We Access

When you connect a cloud account, RemediGenius accesses:

  • Security Hub findings: Active security and compliance issues
  • AWS Config: Compliance evaluation results and resource configuration history
  • GuardDuty findings: Threat intelligence and anomaly detections
  • IAM Access Analyzer findings: Overly permissive resource policies
  • Inspector findings: Software vulnerabilities in EC2/Lambda
  • Resource metadata: Tags, region, resource type (not contents)

We do not access: Your application data, database contents, file storage contents, or secrets/credentials.

6.3 How Data Flows

  1. RemediGenius backend (AWS Lambda in eu-central-1) assumes your IAM role
  2. Fetches security findings from AWS APIs
  3. Normalizes and masks findings
  4. Stores masked findings in AWS DynamoDB (eu-central-1, encrypted at rest)
  5. Displays findings in your dashboard (hosted on Vercel)

All data remains in the EU (Frankfurt, Germany) region.

6.4 Connection Security

  • Role assumption uses External ID for added security (prevents confused deputy attacks)
  • Role sessions are time-limited (15 minutes max)
  • All API calls are logged and auditable
  • TLS 1.3 encryption for all data in transit
  • You can monitor RemediGenius's access via AWS CloudTrail in your own account
7. Data Sharing and Third-Party Services

We share your information with trusted third-party service providers to operate our platform. All providers are GDPR-compliant and have data processing agreements in place.

Supabase (Authentication & Database)

Purpose: User authentication, session management, database hosting

Data Shared: Email, hashed passwords, user metadata

Location: EU region

Privacy Policy: supabase.com/privacy

Stripe (Payment Processing)

Purpose: Subscription billing, payment processing

Data Shared: Billing details, payment methods, transaction history

Location: Global (GDPR-compliant)

Privacy Policy: stripe.com/privacy

Azure OpenAI (AI Processing)

Purpose: AI-powered finding explanations and remediation suggestions

Data Shared: Finding descriptions, severity, resource types (minimal context)

Location: EU data centers

Privacy Policy: Azure OpenAI Privacy

AWS (Infrastructure & Data Storage)

Purpose: Serverless compute (Lambda), database (DynamoDB), storage (S3)

Data Shared: All platform data (findings, scans, metadata)

Location: eu-central-1 (Frankfurt, Germany)

Privacy Policy: aws.amazon.com/privacy

Vercel (Hosting & Analytics)

Purpose: Web application hosting, edge CDN, cookieless analytics

Data Shared: Anonymized usage metrics, page views

Location: Global edge network

Privacy Policy: vercel.com/legal/privacy-policy

Resend (Transactional Emails)

Purpose: Send notification emails (scan results, alerts, welcome emails)

Data Shared: Email addresses, notification content

Location: EU region

Privacy Policy: resend.com/legal/privacy-policy

We do not sell or rent your data to third parties. The above service providers are used solely to deliver our platform functionality.

8. Data Retention

We retain your data only as long as necessary to provide our service and comply with legal obligations.

8.1 Retention Periods by Plan

  • Free Tier: Security findings and scan data retained for 7 days, then automatically deleted
  • Pro Tier: Security findings and scan data retained for 1 year, then automatically deleted
  • Security Audit: All data deleted immediately after report delivery (you retain the PDF report)

8.2 Account Data

  • Active Accounts: User profile, email, and preferences retained while account is active
  • Cancelled Accounts: Account data retained for 30 days after cancellation (for reactivation), then deleted
  • Deleted Accounts: All data permanently deleted within 7 days of account deletion request

8.3 Legal and Compliance Data

  • Billing Records: Retained for 7 years (Estonian accounting law requirement)
  • Audit Logs: Retained for 1 year for security and compliance purposes
  • Support Tickets: Retained for 2 years or until resolved

8.4 Automated Deletion

We use automated processes to ensure timely data deletion:

  • DynamoDB Time-to-Live (TTL) for automatic finding expiration
  • S3 lifecycle policies for automated backup deletion
  • Scheduled Lambda functions for account data cleanup
9. Your Rights Under GDPR

If you are in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation (GDPR):

9.1 Right to Access (Article 15)

You can request a copy of all personal data we hold about you.

9.2 Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete data. You can update your profile information directly in the dashboard settings.

9.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You can request deletion of your data. Use the "Delete Account" option in your dashboard, or contact us at privacy@iacgenius.com.

9.4 Right to Restriction of Processing (Article 18)

You can request that we limit how we use your data while a dispute is resolved.

9.5 Right to Data Portability (Article 20)

You can request your data in a machine-readable format (JSON export) to transfer to another service.

9.6 Right to Object (Article 21)

You can object to processing based on legitimate interests. For example, you can opt out of marketing emails.

9.7 Right to Withdraw Consent (Article 7)

If we process data based on consent (e.g., marketing emails), you can withdraw consent at any time.

9.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. In Estonia, this is the Estonian Data Protection Inspectorate (EDPI).

How to Exercise Your Rights

To exercise any of these rights, contact us at privacy@iacgenius.com with the subject line "GDPR Request". We will respond within 30 days (as required by GDPR).

Please include:

  • Your registered email address
  • The specific right you wish to exercise
  • Any relevant details (e.g., specific data you want deleted)
10. Security Measures

We implement industry-standard security measures to protect your data:

10.1 Data Encryption

  • In Transit: All data transmitted over TLS 1.3 (HTTPS)
  • At Rest: DynamoDB encryption, S3 server-side encryption with AWS KMS
  • Passwords: Hashed using bcrypt via Supabase Auth (never stored in plaintext)

10.2 Access Controls

  • Multi-factor authentication (MFA) available for all user accounts
  • Role-based access control (RBAC) for team members
  • Least-privilege principle for AWS IAM roles and policies
  • Regular access reviews and permission audits

10.3 Infrastructure Security

  • Serverless architecture (AWS Lambda) — no persistent servers to patch
  • Automated security patching for dependencies
  • Web Application Firewall (WAF) via Vercel
  • DDoS protection via Vercel and AWS CloudFront
  • Isolated execution environments for all customer workloads

10.4 Monitoring and Auditing

  • CloudWatch alarms for suspicious activity
  • GuardDuty enabled on our own AWS accounts (we practice what we preach)
  • Automated vulnerability scanning with AWS Inspector
  • Security event logging and retention

10.5 Incident Response

In the event of a data breach, we will:

  • Notify affected users within 72 hours (GDPR requirement)
  • Report to the Estonian Data Protection Inspectorate if required
  • Provide details about the breach, affected data, and remediation steps
  • Implement corrective measures to prevent recurrence

Note: While we implement strong security measures, no system is 100% secure. You are responsible for keeping your account credentials confidential and enabling MFA.

11. International Data Transfers

RemediGenius is operated by IACGENIUS OÜ, a company registered in Estonia (European Union). We process and store data primarily within the EU.

11.1 Data Locations

  • Primary Storage: AWS eu-central-1 (Frankfurt, Germany)
  • Authentication: Supabase EU region
  • AI Processing: Azure OpenAI EU data centers
  • Web Hosting: Vercel global edge network (nearest region served)
  • Payment Processing: Stripe (global, GDPR-compliant)

11.2 Transfers Outside the EU

Some of our service providers (Vercel, Stripe) may process data in the United States or other countries outside the EU. When data is transferred outside the EU, we ensure:

  • Standard Contractual Clauses (SCCs): EU-approved data transfer agreements
  • Adequacy Decisions: Transfers to countries with EU-recognized data protection
  • Provider Compliance: All providers are GDPR-compliant and certified (e.g., Privacy Shield successor frameworks)

For a full list of our data processors and their locations, contact privacy@iacgenius.com.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features.

12.1 Notification of Changes

When we make material changes to this policy, we will:

  • Update the "Last updated" date at the top of this page
  • Send an email notification to all active users
  • Display a prominent notice in the dashboard for 30 days

12.2 Your Acceptance

Continued use of RemediGenius after a policy update constitutes acceptance of the new policy. If you do not agree with the updated policy, you may:

  • Cancel your subscription and stop using the service
  • Request account deletion (we will comply within 7 days)

Version History: We maintain a version history of this Privacy Policy. To request previous versions, contact privacy@iacgenius.com.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

IACGENIUS OÜ

Registration Number: 16533342

VAT ID: EE102574120

Address: Tallinn, Estonia (European Union)

Privacy Inquiries: privacy@iacgenius.com

Support: support@remedigenius.com

Founder: Rajagopal Rengarajan

We aim to respond to all privacy inquiries within 5 business days. For GDPR data subject requests, we will respond within 30 days as required by law.

This Privacy Policy is part of our Terms of Service. By using RemediGenius, you agree to both documents.

RemediGenius is a product of IACGENIUS OÜ.