← Back to home

Privacy Policy

Effective date: April 6, 2026

1. Who We Are

Unsave Inc. (“Unsave,” “we,” “us”) operates the Unsave platform at unsave.io. We provide agentless Azure governance covering security posture, compliance, cost optimization, and identity lifecycle management. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.

2. Data We Collect

2.1 Account Data

When you sign in through Microsoft Entra ID, we receive and store:

  • Name and email address from your Microsoft profile
  • Microsoft Entra ID user object ID
  • Azure tenant ID
  • Organization name and subscription IDs you select during onboarding

2.2 Azure Tenant Metadata

To provide governance assessments, we collect and store metadata from your Azure environment including:

  • Resource inventory (names, types, regions, tags, SKUs) across your selected subscriptions
  • Identity objects (users, groups, service principals, app registrations, role assignments, credential expiry dates)
  • Security configuration (NSG rules, diagnostic settings, key vault policies, encryption status)
  • Cost and billing data (resource costs, consumption meters, reservation utilization)
  • Compliance assessment results derived from resource configurations
  • Azure Advisor recommendations

Important: We never access the contents of your resources — no blob storage files, no database records, no virtual machine disks, no application code, no Key Vault secrets. We read configuration metadata only.

2.3 Usage and Analytics Data

We collect data about how you interact with the platform:

  • Pages visited and features used (via PostHog)
  • Session recordings for product improvement (anonymized, no passwords or sensitive fields captured)
  • Browser type, screen resolution, and operating system
  • IP address (used for geolocation and abuse prevention)
  • Error reports and performance data (via Sentry) to diagnose and fix issues

2.4 Payment Data

Payment processing is handled entirely by Stripe. We do not store credit card numbers, bank account details, or other payment credentials on our servers. We receive from Stripe: plan type, billing period, payment status, and Stripe customer ID.

2.5 Communication Data

If you contact us via email or in-app feedback, we retain the content of those communications to provide support. We also send transactional emails (onboarding reminders, alert notifications, billing receipts) and may send product updates. You can unsubscribe from non-transactional emails at any time.

3. How We Use Your Data

  • Provide the Service: Run security assessments, compliance checks, cost analysis, and identity audits against your Azure environment
  • Generate scores and reports: Calculate security posture scores, FinOps scores, and compliance percentages from your metadata
  • Send alerts: Notify you when security scores drop, credentials expire, costs spike, or compliance drifts
  • Improve the product: Analyze usage patterns to prioritize features and fix bugs
  • Billing: Process subscriptions, enforce plan limits, and send receipts
  • Security: Detect unauthorized access, enforce rate limits, and maintain audit logs
  • Legal compliance: Respond to lawful requests and enforce our Terms of Service

4. Data We Never Collect or Sell

  • We never access the contents of your Azure resources
  • We never sell, rent, or trade your personal data or Azure metadata to third parties
  • We never use your Azure data to train machine learning models
  • We never share your data with advertisers or data brokers
  • We never access Azure Key Vault secrets, storage account contents, or database records

5. Data Storage and Security

Your data is stored in MongoDB databases with encryption at rest. Sensitive credentials (Azure tokens, API keys) are encrypted using AES-256-GCM with unique initialization vectors before storage.

Data is logically isolated per organization — no tenant can access another tenant’s data. Access to production systems is restricted to authorized personnel with role-based access controls and audit logging.

All data in transit is encrypted using TLS 1.2+. The platform enforces HSTS, prevents clickjacking, and implements CSRF protection on all authenticated endpoints.

6. Data Retention

  • Azure metadata: Retained and refreshed on each sync cycle. Historical snapshots are retained for trend analysis (security score history, cost trends) for the duration of your subscription.
  • Audit logs: Platform activity logs are retained for 90 days and automatically deleted thereafter.
  • Account data: Retained for the lifetime of your account. Deleted within 30 days of account termination.
  • Analytics data:PostHog and Sentry data is subject to those providers’ retention policies (typically 90 days for free plans).
  • Payment records: Retained as required by tax and accounting regulations (typically 7 years).

7. Third-Party Services

We use the following third-party services that may process your data:

ServicePurposeData Shared
Microsoft Entra IDAuthenticationOAuth tokens, profile info
Azure Resource ManagerResource metadata collectionRead-only API calls to your tenant
StripePayment processingEmail, plan selection, payment method
PostHogProduct analyticsPage views, clicks, anonymized session recordings
SentryError monitoringError stack traces, browser info, user ID
MongoDB AtlasDatabase hostingAll application data (encrypted at rest)

Each provider is subject to their own privacy policies and data processing agreements.

8. Cookies and Tracking

We use the following cookies:

  • Session cookie: Required for authentication (NextAuth session token). Expires when you close the browser or after 30 days.
  • Tenant cookie: Stores your selected Azure tenant ID for navigation. Session-scoped.
  • PostHog cookie: Anonymous analytics identifier for tracking product usage across sessions.

We do not use advertising cookies or share cookie data with ad networks.

9. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of all personal data we hold about you
  • Correction: Request correction of inaccurate personal data
  • Deletion: Request deletion of your account and associated data
  • Export: Request a machine-readable export of your data
  • Restriction: Request that we stop processing your data while a complaint is resolved
  • Objection: Object to processing of your data for analytics purposes
  • Withdraw consent: Revoke Azure permissions at any time through the Azure portal

To exercise any of these rights, contact us at privacy@unsave.io. We will respond within 30 days.

10. International Data Transfers

Unsave is based in Canada. Your data may be processed in Canada and the United States (where our infrastructure providers operate). By using the Service, you consent to the transfer of your data to these jurisdictions. We ensure that appropriate safeguards are in place for international transfers in compliance with applicable data protection laws.

11. Children’s Privacy

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

12. Data Breach Notification

In the event of a data breach affecting your personal data or Azure metadata, we will notify affected users via email within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, data affected, steps we are taking, and recommended actions for you.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 14 days before taking effect. The “Effective date” at the top reflects the latest revision.

14. Contact

For privacy-related questions, data requests, or complaints:

Unsave Inc.

Email: privacy@unsave.io

Website: unsave.io