Legal

Privacy Policy

Effective date: May 25, 2026  ·  Last updated: May 25, 2026

LEEKi reads AWS metadata and cost signals. We never read what is inside your workloads — not your code, your databases, your S3 objects, or your application logs. This policy explains exactly what we do and do not collect.

Table of Contents
  1. Who We Are
  2. What Data We Collect
  3. What We Do Not Collect
  4. How We Use Your Data
  5. Legal Basis for Processing (GDPR)
  6. Data Retention
  7. Data Sharing & Third Parties
  8. Security
  9. Your Rights
  10. California Residents (CCPA)
  11. International Transfers
  12. Children
  13. Changes to This Policy
  14. Contact & DPO

01Who We Are

LEEKi ("LEEKi," "we," "us," or "our") is an autonomous cloud cost optimization service accessible at leeki.io. For the purposes of applicable data protection law, LEEKi is the data controller for personal data collected in connection with account management and billing, and a data processor for AWS resource metadata processed on behalf of Customers.

This Privacy Policy applies to all data collected through the LEEKi Service, our website at leeki.io, and any related communications.

02What Data We Collect

We collect the minimum data necessary to operate the Service. The categories below describe everything we collect and why.

2.1 Account & Contact Data

Data Purpose Required
Name, email address Account creation, Savings Report delivery, billing communications Yes
Company name Customer identification, onboarding Yes
Billing information Subscription payment processing (handled by payment processor; we do not store card numbers) Yes

2.2 AWS Integration Data

Data Purpose Required
AWS Account ID(s) Identifies which accounts to scan Yes
IAM Role ARN Cross-account access credential (never stored in plaintext logs) Yes
ExternalId AWS IAM security condition preventing confused deputy attacks Yes
Configured regions Scoping scan to authorized regions Yes

2.3 AWS Resource Metadata (Read During Scans)

Data Purpose Stored?
EC2 instance IDs, types, states, tags Identifying idle or oversized instances In reports
EBS volume IDs, sizes, attachment state, tags Identifying unattached volumes In reports
RDS instance IDs, classes, tags Identifying idle database instances In reports
ElastiCache cluster IDs, tags Identifying idle cache clusters In reports
CloudWatch metrics (CPU utilization, connection counts — 7-day averages only) Determining whether resources are actively in use Not stored
AWS Cost Explorer data (cost by service, Savings Plan coverage) Estimating monthly waste and savings opportunity In reports
Resource tags (Environment, Env, Name) Production protection — ensuring prod resources are excluded from autonomous actions Not stored

2.4 Remediation & Approval Records

We maintain records of actions taken or queued by the Service, including resource IDs, action type, confidence score, timestamp, and outcome. These records constitute the audit trail of LEEKi's activity in your account and are available to Customer on request.

2.5 Website & Service Usage Data

We may collect standard web analytics data from leeki.io (page views, referrer, browser type) using privacy-respecting analytics. We do not use third-party advertising trackers. No personal identifiers are included in analytics data.

03What We Do Not Collect

The following categories of data are never accessed, transmitted, or stored by LEEKi under any circumstances:

  • Contents of EC2 instance memory, storage, or running processes
  • S3 object contents (files, data, documents)
  • RDS or other database contents (records, schemas, queries)
  • Application source code or configuration files stored in AWS
  • CloudWatch Logs content (log messages, application output)
  • Secrets Manager or Parameter Store values
  • Network traffic, VPC flow logs, or packet contents
  • Any personally identifiable information belonging to Customer's end users

LEEKi operates entirely on resource metadata and aggregate utilization signals. We have no architectural access to workload data and do not seek it.

04How We Use Your Data

We use the data we collect solely for the following purposes:

  • Service delivery. Scanning Customer's AWS Accounts, identifying waste, executing Autonomous Actions, generating Savings Reports, and sending approval notifications.
  • Account management. Creating and maintaining Customer accounts, processing Subscription Fees, and sending billing communications.
  • Audit trail. Maintaining records of actions taken by the Service for Customer review, dispute resolution, and compliance purposes.
  • Support. Diagnosing and resolving technical issues when Customer contacts us.
  • Service improvement. Using anonymized, aggregated usage patterns to improve the Service. No individual Customer's data is used for this purpose without express consent.
  • Legal compliance. Meeting applicable legal obligations, responding to lawful process, and enforcing these Terms.

We do not use Customer data for advertising, marketing to third parties, training machine learning models, or any purpose not listed above.

05Legal Basis for Processing (GDPR)

For Customers in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on the following legal bases under the General Data Protection Regulation:

  • Contract performance (Art. 6(1)(b)). Processing necessary to deliver the Service under our Terms of Service — account management, Service execution, billing, and audit trail.
  • Legitimate interests (Art. 6(1)(f)). Anonymized service improvement and security monitoring, where these interests are not overridden by Customer's rights.
  • Legal obligation (Art. 6(1)(c)). Where processing is required to comply with applicable law.
  • Consent (Art. 6(1)(a)). Where we request specific consent, such as for optional communications. Consent may be withdrawn at any time without affecting the lawfulness of prior processing.

06Data Retention

6.1 Active Customers

Account data, Configuration, and Savings Reports are retained for the duration of the active Subscription and for 90 days following termination, to support off-boarding and dispute resolution.

6.2 Remediation Records

Records of autonomous and approved actions are retained for 12 months from the date of action. These records constitute the audit trail of LEEKi's activity in Customer's account and support regulatory or internal compliance inquiries.

6.3 Billing Records

Financial transaction records are retained for 7 years as required by applicable accounting and tax law.

6.4 Deletion on Request

Customers may request deletion of their data at any time by contacting hello@leeki.io. Deletion will be completed within 30 days, subject to retention obligations under applicable law. Deletion of account data terminates access to the Service.

6.5 CloudWatch Metrics

Aggregate CloudWatch metric data (CPU, connection counts) used during scans is processed in memory and is not persisted to disk or transmitted to LEEKi infrastructure. It is discarded after each scan cycle.

07Data Sharing & Third Parties

We do not sell your data. We do not share your data with advertising networks, data brokers, or any third party for commercial purposes.

We share data only in the following limited circumstances:

  • Amazon Web Services. The Service operates entirely on AWS infrastructure. LEEKi's scanning activity originates from AWS API calls within your cross-account role's permission scope. AWS's own privacy practices govern their infrastructure layer.
  • Payment processor. Billing data is handled by our payment processor (e.g., Stripe). We do not store or transmit raw card numbers. Payment processor data handling is governed by their privacy policy and PCI DSS compliance.
  • Legal process. We may disclose data if required by court order, subpoena, or other lawful government request. We will notify Customer of such requests unless legally prohibited from doing so.
  • Business transfers. In connection with a merger, acquisition, or sale of assets, Customer data may be transferred to a successor entity. We will provide notice before such a transfer and honor existing commitments in this Policy.
  • Safety. We may disclose data to prevent fraud, protect the security of the Service, or protect the rights and safety of LEEKi, its customers, or the public.

08Security

We implement and maintain technical and organizational security measures appropriate to the nature and sensitivity of the data we process, including:

  • IAM ExternalId. All cross-account role assumptions require a per-customer ExternalId condition, preventing confused deputy attacks from unauthorized assumers.
  • Least-privilege IAM. The LEEKiRole deployed in Customer accounts is scoped to the minimum permissions required for scanning and remediation. The role includes an explicit Deny policy on production-tagged resources for autonomous actions.
  • Approval token security. Approval tokens are UUID-based, single-use, and stored with scoped file permissions. Tokens are not embedded in URLs that would be logged by web infrastructure other than the approval server.
  • Encryption in transit. All communication between LEEKi components and AWS APIs uses TLS 1.2 or higher.
  • Secrets management. Credentials including ExternalIds and Role ARNs are stored with restricted filesystem permissions (600) and are not logged in plaintext.
  • Access control. Access to Customer data is restricted to authorized personnel on a need-to-know basis.

No method of transmission or storage is 100% secure. In the event of a data breach that materially affects Customer, we will notify Customer as required by applicable law and without undue delay.

09Your Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal data:

  • Access. Request a copy of the personal data we hold about you.
  • Rectification. Request correction of inaccurate or incomplete data.
  • Erasure. Request deletion of your data, subject to legal retention obligations.
  • Restriction. Request that we restrict processing of your data in certain circumstances.
  • Portability. Request your data in a structured, machine-readable format.
  • Objection. Object to processing based on legitimate interests.
  • Withdrawal of consent. Where processing is based on consent, withdraw it at any time without affecting prior processing.
  • Complaint. Lodge a complaint with your local supervisory authority (e.g., a data protection authority in the EEA or the UK ICO).

To exercise any of these rights, contact us at hello@leeki.io. We will respond within 30 days. We may request identity verification before processing requests.

10California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you specific rights in addition to those in Section 9:

10.1 Categories of Personal Information Collected

In the preceding 12 months, we have collected the categories of personal information described in Section 2. We do not collect sensitive personal information as defined under the CPRA.

10.2 Business or Commercial Purpose

We collect personal information for the business purposes described in Section 4. We do not sell or share personal information for cross-context behavioral advertising.

10.3 Your CCPA Rights

  • Right to Know. Request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purpose, and any third parties with whom we share it.
  • Right to Delete. Request deletion of personal information we hold, subject to exceptions under the CCPA.
  • Right to Correct. Request correction of inaccurate personal information.
  • Right to Opt-Out. We do not sell or share personal information. No opt-out is required, but you may direct requests to hello@leeki.io.
  • Right to Non-Discrimination. We will not discriminate against you for exercising your CCPA rights.

To submit a verifiable consumer request, contact hello@leeki.io. We will respond within 45 days.

11International Transfers

LEEKi is operated from the United States. If you are accessing the Service from outside the United States, your data will be transferred to and processed in the United States. For transfers of personal data from the EEA, UK, or Switzerland, we rely on standard contractual clauses or other lawful transfer mechanisms approved by applicable regulators.

By using the Service, you acknowledge that your data will be transferred to and processed in the United States in accordance with this Privacy Policy.

12Children

The Service is a business-to-business product and is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If we discover that we have inadvertently collected personal information from a minor, we will delete it promptly.

13Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. Material changes will be communicated to existing customers via email at least 30 days before taking effect. The "Last updated" date at the top of this page reflects the most recent revision.

Continued use of the Service after the effective date of a revised Policy constitutes your acceptance of the changes.

14Contact & Data Protection

For any privacy-related questions, rights requests, or concerns, please contact us:

LEEKi — Privacy
hello@leeki.io
leeki.io

EEA and UK residents may also contact their national data protection authority if they believe their rights have not been respected. A list of EEA supervisory authorities is available at edpb.europa.eu.