Privacy Policy
1. Controller
Tilman Krauß
Tillitworks - IT Dienstleistungen
Telleringstraße 17
40597 Düsseldorf
Germany
Email: me@till-it-works.de
2. Overview
This privacy policy applies to the mobile app "CostPulse" (hereinafter "App") and the associated website costpulse.cloud.
3. Data We Collect
3.1 Account Data
When you register, we collect:
- Email address
Legal basis: Performance of contract, Art. 6(1)(b) GDPR.
3.2 AWS Integration Data
To provide the core functionality of the App, the user sets up AWS Cross-Account IAM Roles via a guided setup process (wizard) that grant our backend access to cost data (read-only), budget management (read/write), anomaly detection management (read/write), and stack cleanup (for offboarding) in the user's AWS account. The following data is processed:
- AWS Account ID
- ARN of the configured IAM Role
- Retrieved cost data, budgets, and alarms from the user's AWS account
We do not store any AWS credentials (Access Keys or Secret Keys). Access is exclusively through the IAM Role configured by the user with minimal permissions (Least Privilege).
Legal basis: Performance of contract, Art. 6(1)(b) GDPR.
3.3 Subscription Data
Subscription management is handled entirely by Apple (App Store / StoreKit). We receive from Apple:
- Transaction IDs
- Subscription status (active, expired, trial period)
Payment details (credit card numbers, etc.) are never transmitted to us.
Legal basis: Performance of contract, Art. 6(1)(b) GDPR.
3.4 Push Notifications
For cost alerts and budget warnings, we use the Apple Push Notification Service (APNs). A device-based push token is processed for this purpose. Push notifications can be disabled at any time in your device settings.
Legal basis: Performance of contract, Art. 6(1)(b) GDPR. Push notifications for budget alerts and anomaly warnings are a core feature of the service. If you disable push notifications in your device settings, this data processing ceases.
3.5 Technical Usage Data
When accessing our services, the following data is automatically collected:
- IP address (temporarily processed for rate limiting and security; not stored long-term)
- Device type, operating system version
- Time of access
- App version
Legal basis: Legitimate interest, Art. 6(1)(f) GDPR (ensuring operation and security).
4. Processors and Third-Party Services
| Service | Provider | Purpose | Location | Transfer Basis |
|---|---|---|---|---|
| Backend infrastructure (incl. authentication via Amazon Cognito and email delivery via Amazon SES) | Amazon Web Services, Inc. | Hosting, data processing, authentication, email delivery, retrieval of AWS cost data | EU (Frankfurt, Germany) and USA | EU-US Data Privacy Framework |
| Push notifications | Apple Inc. | Delivery of cost alerts | USA | EU-US Data Privacy Framework |
| Subscription management | Apple Inc. | Management of subscriptions | USA | EU-US Data Privacy Framework |
Data processing is governed by the respective provider's data protection terms: the AWS Data Processing Addendum (Art. 28 GDPR) for Amazon Web Services, and the Apple Developer Program License Agreement (including its data protection provisions) for Apple Inc.
5. Cookies and Tracking
The CostPulse website and the App do not use cookies, tracking pixels, or third-party analytics tools. No consent banner is required.
6. Data Transfers to Third Countries
The primary data processing takes place in the EU (AWS region eu-central-1, Frankfurt, Germany). Certain AWS services (Cost Explorer API) require data processing in the USA (us-east-1). During the AWS account setup, users may choose to deploy the CloudFormation stack in an AWS region of their choice, including regions outside the EU. Alert data originating from the user's selected region is forwarded to our management infrastructure in the EU (eu-central-1). All transfers are based on the EU-US Data Privacy Framework (adequacy decision by the European Commission pursuant to Art. 45 GDPR) and, where applicable, AWS's standard contractual clauses and data processing addendum. The service providers used are certified under the Data Privacy Framework.
7. Retention Periods
- Account data: Until the user deletes their account.
- AWS integration data: AWS Account ID and Role ARN until account deletion. Retrieved cost data is cached temporarily (up to 24 hours) to reduce API calls and is automatically deleted thereafter. Alert records (budget and anomaly notifications) are retained for 90 days.
- Push tokens: Until push notifications are disabled or the account is deleted.
- Technical usage data: Maximum 30 days.
- Subscription data: In accordance with statutory retention obligations (up to 10 years for tax-relevant data).
8. Your Rights
You have the right to:
- Access (Art. 15 GDPR) your stored data
- Rectification (Art. 16 GDPR) of inaccurate data
- Erasure (Art. 17 GDPR) of your data
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Object (Art. 21 GDPR) to processing
- Withdraw consent at any time with future effect
To exercise your rights, please contact: me@till-it-works.de
9. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority. The supervisory authority responsible for us is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Postfach 20 04 44
40102 Düsseldorf
Germany
https://www.ldi.nrw.de
10. Contract Language
This privacy policy is available in German and English. In case of any discrepancy, the German version shall prevail.
11. Your California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights regarding your personal information.
Categories of personal information we collect: Identifiers (email address), commercial information (subscription status, transaction IDs), internet or electronic network activity information (IP address, device type, app version), and professional or employment-related information (AWS Account ID, IAM Role ARN, cost data from linked AWS accounts).
We do not sell or share your personal information as defined by the CCPA/CPRA. We do not use your personal information for cross-context behavioral advertising. No "Do Not Sell or Share My Personal Information" opt-out is required because no sale or sharing occurs.
Your rights under the CCPA/CPRA: You have the right to (1) know what personal information we collect and how it is used, (2) request deletion of your personal information, (3) request correction of inaccurate personal information, (4) not be discriminated against for exercising your rights. To exercise these rights, contact us at me@till-it-works.de. We will verify your identity before processing your request.
Do Not Track: We do not track users across third-party websites and therefore do not respond to Do Not Track (DNT) browser signals, as no tracking occurs.
12. Changes to This Privacy Policy
We reserve the right to update this privacy policy to reflect changes in legal requirements or modifications to our service. We will notify you of material changes by email or in-app notification. The current version is always available at costpulse.cloud/privacy.
Effective date: February 25, 2026