Privacy Policy

• The scanner reads usage and cost metrics from your cloud account. It does not read your application data, secrets, or resource contents.
• We store your account identity, your organisation/team, and the scan results needed to show you findings over time.
• We use a small number of trusted processors (hosting, AI insights, email, billing). We don’t sell your data.

FeckBills (“we”, “us”) operates the hosted console at feckbills.com and is the data controller for the personal data described here. Contact us any time at [email protected].

• Account & identity — your name and email, and the identifier from the OAuth provider you sign in with (GitHub or Google). If you use email/password locally, a hashed password.
• Organisation & team — your org, membership role, and invitations you send or accept.
• Scan data — the project/account identifiers you scan, the resource usage metrics and pricing read at scan time, and the resulting findings and £ estimates. This is operational metadata, not your application data.
• Billing — your plan and the membership/subscription identifiers from our payments provider. We do not store your card details.
• Usage — basic logs needed to run and secure the service.

The scanner authenticates with the read-only credentials you provide and reads only monitoring, cost, and recommendation APIs. It requests no write scopes and cannot change your infrastructure. Raw resource data and secrets never leave your account — what reaches our console is the aggregated metrics and the findings derived from them.

• To run the service: produce reports, track waste and realised savings over time, and show your team the console.
• To send the emails you’ve configured: team invitations, scan alerts, and the weekly digest.
• To operate billing for paid plans, and to keep the service secure and working.

Our lawful bases are performance of our contract with you, our legitimate interest in running and securing the service, and your consent where required (e.g. optional emails).

We use a small set of trusted sub-processors, each handling only what their function needs:

• Hosting (Railway / Postgres) — stores your account and scan data.
• OpenRouter — generates AI recommendation summaries; relevant finding data is sent to produce them. With no AI key configured, this is skipped and a rule-based fallback runs.
• MailJunky — sends transactional email (invites, alerts, digests).
• Whop — processes subscription payments and sends us plan/webhook events.
• GitHub / Google — only when you choose them to sign in, to verify your identity.

We use a single essential cookie to keep you signed in (your authentication session). We don’t use advertising or third-party tracking cookies.

We keep your account and scan data while your account is active so you can see trends over time. When you delete your account (or ask us to), we delete or anonymise your personal data within a reasonable period, except where we must retain limited records to meet legal or accounting obligations.

Depending on where you live (including under UK and EU GDPR), you have rights to access, correct, export, or delete your personal data, to object to or restrict certain processing, and to withdraw consent. To exercise any of these, email [email protected]. You also have the right to complain to your local data-protection authority (in the UK, the ICO).

We use read-only access, encrypted transport, hashed credentials, and access controls to protect your data. No system is perfectly secure, but minimising what we hold — no write access, no secrets, no raw resource data — is our first line of defence.

Some of our processors operate outside your country. Where personal data is transferred internationally, we rely on appropriate safeguards (such as standard contractual clauses) as required by law.

We’ll update this policy as the service evolves. Material changes will be reflected in the “last updated” date and, where appropriate, notified to you.

Privacy questions or requests: [email protected].