Updated on May 13, 2026
Privacy Policy
1. Who we are
The controller of personal data (for the data described in clause 4 as "controller data") is PERSPEKTIV.IT Paweł S. Piotrowski, a sole proprietorship registered in Poland — NIP PL5661813091, REGON 130874623, ul. Kaliny Jędrusik 1/11, 01‑748 Warszawa, Mazowieckie, Poland ("we", "us", the "Provider").
Privacy contact: legal@watchmy.cloud.
We have not appointed a Data Protection Officer; privacy matters are handled at the address above.
2. Our two roles
watchmy.cloud is a service (for businesses and individuals) that monitors a customer's Amazon Web Services ("AWS") cost data. We act in two distinct roles:
Processor — for the customer's Cost Data and AWS account identifiers (AWS account ID, IAM role ARN, external ID, alert rules). This is the customer's business data; we process it on the customer's instructions to provide the Service. The terms of that processing are set out in the Data Processing Agreement (Annex A) below. If you are an individual whose data is processed because your employer uses watchmy.cloud, please direct requests to that customer (the controller); we will assist them.
Controller — for identity, billing and marketing data (e.g. the email address used to register, account/plan status, communication preferences, website analytics and marketing data). This Policy describes that processing.
3. Scope and acknowledgment
This Policy covers the website watchmy.cloud and the application app.watchmy.cloud. Cookies and similar technologies are described in the Cookie Policy.
By creating an account or using the Service, you acknowledge that you have been informed of how your personal data is processed as set out in this Policy. This Policy is always published at watchmy.cloud/privacy and can be reviewed before creating the account. There is no separate consent checkbox at signup because the lawful bases for our processing (clause 4) do not require additional opt‑in consent for providing the Service — processing is grounded in performance of the contract (GDPR Art. 6(1)(b)) and our legitimate interest in account administration and service reliability (Art. 6(1)(f)). Consent‑based processing (marketing email, advertising cookies, optional notification channels) is collected separately at the point of use: the cookie consent banner for cookies, an in‑app opt‑in for marketing email and notification channels.
4. What we process, why, and on what legal basis

We do not knowingly process special categories of personal data, and the Service is not directed to children (clause 11).
5. Marketing communications
If you opt in, we may send product and marketing emails. Opt‑in is separate and not pre‑ticked; you can withdraw consent at any time via the unsubscribe link or by emailing legal@watchmy.cloud. Transactional and service messages (e.g. alerts, security and account notices) are not marketing and are sent as part of the Service.
6. Recipients and subprocessors
We use third‑party providers to run the Service (authentication, hosting, email delivery, error tracking, analytics, payment processing). The current list, with purpose, data touched and location, is published and kept up to date in Annex B — Subprocessors below. Advertising partners (Google, Meta, LinkedIn) used for website analytics and retargeting act as independent or joint controllers for that activity and only receive data where you have consented through our cookie banner — see the Cookie Policy.
7. International transfers
Customer Cost Data and the application database are hosted in the European Union (AWS, eu‑central‑1). Some subprocessors (e.g. identity, error tracking, transactional email, source/CI, the payment Merchant of Record) are established in the United States or operate globally. Where personal data is transferred outside the EEA/UK, we rely on appropriate safeguards — the EU‑U.S. Data Privacy Framework (and the UK extension) and/or the European Commission's Standard Contractual Clauses with supplementary measures, as applicable per provider. Details and the safeguard per provider are in Annex B — Subprocessors below. A copy of the relevant safeguard can be requested at legal@watchmy.cloud.
8. Retention
8.1. We retain account and related data for as long as the account exists, to provide the Service. There is no fixed upper time limit while the account is active and the customer has not asked us to stop. Note that after the free trial ends the account is not deleted: the Service continues to retrieve Cost Data and may still send the first anomaly alert (see the Terms).
8.2. On request (disconnection / deletion), we delete production data within 30 days; backups are rotated out within 90 days; technical logs are retained for 90 days. Limited records may be retained where required by law (e.g. for tax/accounting via the Merchant of Record, or to establish or defend legal claims).
8.3. Erasure is currently handled as a manual process — send a request to legal@watchmy.cloud. A self‑service deletion option in the application is planned.
9. Your rights (EEA / UK GDPR)
Subject to applicable law, you have the right to access, rectification, erasure, restriction, objection, data portability, and to withdraw consent at any time (without affecting prior processing). To exercise these rights contact legal@watchmy.cloud. Where we act as a processor for a customer, we will forward the request to that customer and assist them.
You also have the right to lodge a complaint with a supervisory authority. In Poland this is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, PUODO), ul. Stawki 2, 00‑193 Warszawa, uodo.gov.pl. UK individuals may contact the ICO (ico.org.uk).
10. U.S. state privacy rights (California / CCPA‑CPRA and similar)
10.1. Categories. In the last 12 months we have collected identifiers (e.g. email, account identifiers), commercial information (subscription status), internet/network activity (analytics), and inferences for product and marketing purposes. Sources: you, your use of the Service, and our analytics/advertising partners.
10.2. "Sale"/"Sharing". We do not sell personal information for money. However, our use of advertising and retargeting technologies (Google, Meta, LinkedIn) on the website may constitute a "sale" or "sharing" (cross‑context behavioural advertising) under California and similar laws.
10.3. Do Not Sell or Share My Personal Information / opt‑out. You can opt out of this activity at any time using the cookie consent banner / preferences on watchmy.cloud. We honour the Global Privacy Control (GPC) browser signal as a valid opt‑out.
10.4. Other rights. Subject to applicable law, you may request to know, access, delete or correct your personal information, and not be discriminated against for exercising these rights. Submit requests to legal@watchmy.cloud. We will verify requests and may use an authorised agent process.
10.5. Sensitive personal information. We do not use sensitive personal information for purposes that would require an additional opt‑out.
11. Children
The Service is not directed to children and is not intended for anyone under 18. We do not knowingly collect data from children.
12. Security
Access to the customer's AWS account is read‑only and least‑privilege: a customer‑created IAM role assumed with a unique external ID, restricted to AWS Cost Explorer read operations. We never receive or store the customer's AWS credentials and cannot create, modify, delete or view non‑cost resources. Customer Cost Data is hosted in the EU; transport is encrypted; access is restricted. No method of transmission or storage is 100% secure.
13. For business customers
If you (or your organisation) use watchmy.cloud as a business customer, the following B2B / data‑processing resources — both attached to this Policy — are part of the contract and the processor relationship described in clause 2:
Annex A — Data Processing Agreement (DPA) — the GDPR Art. 28 processor contract that governs our processing of your Cost Data and AWS account identifiers on your instruction. The DPA is incorporated by reference into the Terms of Service for any customer that uses the Service in a business context.
Annex B — Subprocessors — the live list of third parties (with purpose, data touched, location, transfer safeguard) that we engage to provide the Service. The DPA gives you a contractual right to be notified of changes and to object.
For procurement / legal due diligence the in‑page links above are sufficient; if you need a counter‑signed copy of the DPA, email legal@watchmy.cloud. We do not run a bespoke MSA programme — the DPA + Terms cover the business relationship end to end.
14. Changes
We may update this Policy. The current version is published at watchmy.cloud/privacy with the effective date above. Material changes will be notified by reasonable means (e.g. email or in‑app).
15. Contact
Privacy questions and requests: legal@watchmy.cloud. Provider identification: Imprint.
Annex A — Data Processing Agreement (DPA)
This Data Processing Agreement ("DPA") forms part of the Terms of Service between the customer (the "Controller") and PERSPEKTIV.IT Paweł S. Piotrowski, NIP PL5661813091, REGON 130874623, ul. Kaliny Jędrusik 1/11, 01‑748 Warszawa, Poland (the "Processor"), and applies where the Processor processes personal data on behalf of the Controller in connection with the watchmy.cloud Service. It is accepted on acceptance of the Terms or on written request to legal@watchmy.cloud. In case of conflict on data‑protection matters, this DPA prevails over the Terms.
A.1. Definitions
Terms such as "personal data", "processing", "controller", "processor", "data subject", "supervisory authority" have the meaning given in the GDPR (Regulation (EU) 2016/679), and "UK GDPR" where the UK applies.
A.2. Roles and scope
A.2.1. The Controller is the controller and the Processor is the processor with respect to the Customer Personal Data described in Annex A‑I below.
A.2.2. The Processor processes Customer Personal Data only on the documented instructions of the Controller, including as set out in this DPA, the Terms and the Controller's use/configuration of the Service. The Processor informs the Controller if, in its opinion, an instruction infringes data‑protection law.
A.2.3. This DPA does not apply to data for which the Processor is itself the controller (identity, billing, marketing, service telemetry) — that is governed by clauses 1–15 of this Policy.
A.2.4. This DPA applies only where the Customer is a controller of the Customer Personal Data (typically business customers). It does not apply where the Customer is an individual using the Service for purely personal purposes — in that case there is no controller–processor relationship for that individual's own data and clauses 1–15 of this Policy govern.
A.3. Processor obligations
The Processor shall:
(a) process Customer Personal Data only on the Controller's documented instructions and for the duration and purposes in Annex A‑I;
(b) ensure persons authorised to process are bound by confidentiality;
(c) implement appropriate technical and organisational measures (Annex A‑II);
(d) respect the conditions for engaging subprocessors (clause A.4);
(e) taking into account the nature of processing, assist the Controller by appropriate measures to respond to data‑subject requests (Annex A‑I rights);
(f) assist the Controller with security, breach notification, data protection impact assessments and prior consultation (Art. 32–36 GDPR);
(g) at the Controller's choice, delete or return Customer Personal Data at the end of provision of services, and delete existing copies unless storage is required by law (see clause A.7 and the retention rules in clause 8: production ≤30 days, backups ≤90 days);
(h) make available information necessary to demonstrate compliance and allow and contribute to audits (clause A.6);
(i) notify the Controller without undue delay after becoming aware of a personal‑data breach affecting Customer Personal Data, with the information reasonably available.
A.4. Subprocessors
A.4.1. The Controller provides general authorisation for the Processor to engage subprocessors. The current list is in Annex B — Subprocessors below.
A.4.2. The Processor will inform the Controller of intended additions or replacements of subprocessors with reasonable notice (e.g. by updating the list and/or by email), giving the Controller the opportunity to object on reasonable data‑protection grounds.
A.4.3. The Processor imposes on each subprocessor data‑protection obligations substantially equivalent to those in this DPA and remains liable for the subprocessor's performance.
A.5. International transfers
processes personal data outside the EEA/UK, transfers are made under an adequacy decision, the EU‑U.S. Data Privacy Framework (and UK extension) and/or the European Commission Standard Contractual Clauses with supplementary measures as appropriate. The applicable safeguard per provider is indicated in Annex B — Subprocessors.
A.6. Audits
The Processor makes available information necessary to demonstrate compliance with this DPA. Audits may be satisfied by providing relevant documentation and, where reasonably required, by allowing the Controller (or an independent auditor bound by confidentiality) to conduct an audit during business hours, on reasonable prior notice, no more than once per year unless required by a supervisory authority or following a breach, at the requesting party's cost.
A.7. Duration and deletion
This DPA applies for as long as the Processor processes Customer Personal Data. On termination, or on the Controller's request, the Processor deletes or returns Customer Personal Data per clause A.3(g) and the retention rules in clause 8 of this Policy. Deletion is currently a manual process (request to legal@watchmy.cloud); a self‑service option is planned.
A.8. Liability
The liability of the parties under this DPA is subject to the limitations and exclusions of liability set out in the Terms, clause 9, to the maximum extent permitted by applicable law.
A.9. Governing law
This DPA is governed by Polish law and, where applicable, the GDPR/UK GDPR. Jurisdiction is as set out in the Terms (Polish court competent for Warsaw; business customers only).
Annex A‑I — Details of processing
Subject matter: provision of AWS cost‑monitoring and alerting.
Nature and purpose: retrieving, storing, analysing the Controller's AWS cost data via the AWS Cost Explorer API and delivering alerts on the Controller's instruction.
Duration: for the term of the Service / until deletion (see clause A.7).
Categories of data subjects: the Controller's authorised users and personnel configuring or receiving alerts.
Categories of personal data: AWS account identifiers (AWS account ID, IAM role ARN, external ID), AWS cost/usage records, alert rules and thresholds, notification‑channel targets (e.g. email/phone/webhook) chosen by the Controller. No special categories of data are intended to be processed.
Data‑subject rights to assist with: access, rectification, erasure, restriction, objection, portability.
Annex A‑II — Technical and organisational measures
Least‑privilege, read‑only AWS access: access via a Controller‑created IAM role assumed with a unique external ID, limited to AWS Cost Explorer read operations; no write/delete; no visibility of non‑cost resources; no static AWS credentials stored.
Data location: Customer Personal Data and database hosted in the EU (eu‑central‑1).
Encryption in transit; restricted, authenticated access to systems.
Logical separation of customer data; access controls and audit logging.
Backups with bounded rotation (≤90 days) and defined deletion windows.
Error tracking configured to avoid sending unnecessary personal data.
Measures are reviewed and may be updated provided the level of protection is not reduced.
Annex A‑III — Subprocessors
The authorised subprocessors and their purpose, data and location are listed and kept current in Annex B — Subprocessors below, which is incorporated into this DPA by reference.
Annex B — Subprocessors
This Annex lists the third‑party providers (subprocessors) that PERSPEKTIV.IT Paweł S. Piotrowski (watchmy.cloud) uses to provide the Service, as referenced by clause 6 of this Policy and by Annex A (DPA) clause A.4.
We keep this list current and will give reasonable prior notice of additions or replacements (by updating this Policy and/or by email), so customers can object on reasonable data‑protection grounds. Questions: legal@watchmy.cloud.
Advertising partners (website only)
The following are used on the website watchmy.cloud for analytics and retargeting and load only with your consent via the cookie banner. They generally act as independent or joint controllers for that activity rather than as our processors; see the Cookie Policy and clause 10 of this Policy:
Google (Google Ads, Google Analytics 4)
Meta (Facebook Pixel)
LinkedIn (Insight Tag)
Subprocessors
