Privacy Policy

Last updated: May 25, 2026
FinOps AI (getfinops.cloud) is operated by HostingX Solutions LLC. This policy applies verbatim to both the HostingX parent service and all FinOps AI tenants.

1.Overview

This Privacy Policy explains how HostingX Solutions LLC ("Company", "we", "our") collects, uses, and protects data.

HostingX Solutions LLC · LLC No. 0008072296 · Founded 2026 · Registered in New Mexico, USA · 8206 Louisiana Blvd NE, Suite A #8186, Albuquerque, NM 87113, United States

2.Data Categories

  • Account Data: name, email, authentication identifiers.
  • Platform Metadata: logs, usage metrics, API timings (limited presently).
  • Customer Data: data you intentionally send to future platform features (none persisted yet beyond form submissions).
  • Support Data: messages you send us.
  • Consent & Preference Data: cookie and marketing choices.

3.Legal Bases (EEA / UK)

Contract performance (core features), legitimate interests (security, service integrity), consent (marketing and non-essential cookies), and legal obligation (records, fraud prevention).

4.Use of Data

Currently we use personal data only to:

  • respond to inquiries,
  • record consent and unsubscribe events,
  • maintain minimal security logs, and
  • send requested communications.

5.Customer Data Processing

Where we act as a processor (future pipeline features), we will only process per your documented instructions. Presently, no customer production data is ingested beyond forms.

6.Subprocessors

Subprocessors active on getfinops.cloud:

  • Amazon Web Services, Inc. (United States): static hosting (S3 + CloudFront, us-east-1), Route 53 DNS, contact-form compute (API Gateway + Lambda, us-east-1), inbound mail delivery (Amazon SES v2, us-east-1), and security logs (CloudWatch, us-east-1).
  • Google LLC (United States) — Google Tag Manager: tag-deployment container with the ID GTM-PGJRZBLJ. Loads gtm.js on every public page. GTM itself collects no personal data and sets no cookies; it is a delivery mechanism for other tags configured through tagmanager.google.com. As of the "Last updated" date above, the GTM container is empty — no third-party tags are deployed through it. Any tag added to the container in the future that introduces a new cookie or data flow will be disclosed in a Privacy Policy update before activation. Data is processed under Google's Standard Contractual Clauses for EU traffic.
  • Google LLC (United States) — Google Analytics 4: page-view and engagement analytics via gtag.js with the measurement ID G-WYE7HVPXL4. Loaded on every page of the public landing site. Writes first-party _ga and _ga_* cookies (see §11). Configured with anonymize_ip: true (IP truncated before storage), allow_google_signals: false (cross-device tracking disabled), and allow_ad_personalization_signals: false (data is not used for advertising personalization). Used solely to understand which landing pages and content perform best. Data is processed under Google's Standard Contractual Clauses for EU traffic.
  • Google LLC (United States) — Google Ads: conversion tracking via gtag.js. Loaded only when the NEXT_PUBLIC_GADS_ID build-time configuration is set, and only on the public landing page. Writes a single first-party _gcl_au cookie (see §11). The conversion event is fired only on a successful contact-form submission whose declared role is "Prospective customer" — investor, press, and "something else" submissions are excluded from advertising attribution by design. Data is processed under Google's Standard Contractual Clauses for EU traffic. No remarketing audiences are built; no personal data is shared with Google beyond the raw conversion event (no name, email, message, or IP is forwarded).

Any additional subprocessors for product features beyond the landing page will be listed here with at least thirty (30) days' notice before activation.

7.Security Measures

Encryption in transit (HTTPS), least-privilege internal access, periodic review of access logs. As the platform expands, we will publish a detailed security whitepaper.

8.Retention

Contact and consent records retained while necessary for proof of compliance (generally up to 24 months) unless earlier deletion is requested (subject to legal holds). Unsubscribe records retained to enforce suppression.

9.International Transfers

If data is transferred cross-border, we will implement appropriate safeguards (e.g., SCCs). Currently hosting is planned within reputable cloud regions.

10.Your Rights

You have the right to access, rectify, erase, restrict, port, or object to the processing of your personal data, and to withdraw consent at any time. To exercise any of these rights, email privacy@hostingx.co.il — we reply within thirty (30) days. California residents have equivalent rights under the CCPA; we do not sell or share personal data as those terms are defined under California Civil Code § 1798.140.

11.Cookies & Local Storage

getfinops.cloud sets a minimal number of first-party cookies and one localStorage entry. We use no third-party cookies and no cross-site tracking.

  • saas-theme (localStorage): records your light/dark-mode preference so it persists between visits. Strictly necessary functional storage under Article 5(3) of the ePrivacy Directive; does not require consent. Set on every visit.
  • _ga and _ga_* (first-party cookies, 24-month TTL): set by Google Analytics 4 (see §6) to distinguish unique visitors and maintain per-session state for pageview and engagement reporting. The asterisk in _ga_* is replaced by our property ID at runtime (yielding _ga_WYE7HVPXL4). IP addresses are truncated before storage and Google Signals is disabled — no cross-device tracking.
  • _gcl_au (first-party cookie, 90-day TTL): set by Google Ads conversion tracking (see §6) only when a visitor arrives from a Google Ads click (identified by a gclidURL parameter) AND only on deploys configured with a Google Ads conversion ID. Stores an opaque identifier used solely to attribute a subsequent contact-form submission (role = "Prospective customer") back to the originating ad. Not set on organic visits or on deploys without conversion tracking enabled.

You can clear any of these any time via your browser's site-data controls, or block all third-party scripts (including Google Analytics and Google Ads) via standard ad-blocking extensions — the site remains fully functional without them.

12.Communications

Marketing emails only sent with prior opt-in; you may unsubscribe anytime. Transactional or security notifications (if any) are still sent when required.

13.Third Parties

We do not sell personal data. Any future subprocessors will be contractually bound to equivalent protections and listed prior to activation.

14.Children

Not directed to children under 16. Contact us for prompt removal if such data is discovered.

15.Changes

Material updates announced via site notice or email with effective date.

16.Contact

Privacy questions
privacy@hostingx.co.il
General inquiries
hello@getfinops.cloud