Legal

Privacy Policy

Last updated: May 2, 2026

This Privacy Policy describes how Sponif ("we", "our", "us") collects, uses, and protects personal data when you use our cloud FinOps intelligence platform. Sponif is operated by Lorenzo De Lia, an independent developer based in Italy, and is subject to the General Data Protection Regulation (GDPR) and applicable Italian data protection law.

1. Data Controller

The data controller for personal data processed through the Sponif service is Lorenzo De Lia, operating as an independent software developer based in Italy. For privacy-related enquiries, contact:

2. Data We Collect

We collect the following categories of personal and operational data:

Account data

Email address — used for authentication, billing communications, and support
Name (optional) — used for personalisation
Subscription and billing history — managed via Paddle; Sponif does not store card or payment details

Cloud cost and usage metadata

Cost and usage records fetched from your cloud provider accounts (AWS, Azure, GCP) via read-only IAM permissions you provision
No credentials, secrets, private keys, or sensitive configuration data are stored — only the cost metadata returned by provider APIs

Technical and usage data

IP address and approximate geographic location
Browser type and version
Pages visited and feature usage within the application
Error logs and diagnostic data

3. How We Use Your Data

We use your personal data exclusively for the following purposes:

Providing, operating, and maintaining the Sponif service
Processing subscription payments and managing your account
Sending service-related communications (billing receipts, critical alerts, account notices)
Responding to support requests and contact form submissions
Detecting and preventing fraud, abuse, and security threats
Improving and debugging the service based on usage patterns and error logs
Complying with legal obligations

4. Legal Basis for Processing (GDPR)

We process personal data under the following lawful bases:

Legal Basis	Processing Activity
Contract performance (Art. 6(1)(b))	Providing the subscription service, processing payments, sending billing and service communications
Legitimate interests (Art. 6(1)(f))	Security monitoring, fraud prevention, service diagnostics, and improving reliability
Legal obligation (Art. 6(1)(c))	Retaining invoicing and financial records as required by Italian tax law
Consent (Art. 6(1)(a))	Marketing communications, where explicitly opted in (currently not sent)

5. Sub-Processors and Third Parties

We engage the following third-party processors to operate the service. Each is bound by appropriate data processing agreements:

Processor	Purpose	Location
Microsoft Azure	Cloud hosting, data storage, and compute infrastructure	EU / Global
Paddle	Subscription billing and payment processing	US / EU
Formspree	Contact form submission processing	US

6. Data Retention

We retain personal data only for as long as necessary for the purposes described above:

Account data: retained for the duration of your subscription and deleted within 30 days of account closure
Cloud cost and usage metadata: deleted within 30 days of account closure on request; may be retained up to 90 days for backup and recovery purposes
Billing records: retained for 10 years as required by Italian fiscal law
Technical logs and diagnostics: retained for up to 90 days
Contact form submissions (via Formspree): subject to Formspree's own retention policy

7. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. Cloud provider access relies exclusively on scoped, read-only IAM permissions you provision and can revoke at any time. No sensitive credentials are stored by Sponif. The service is hosted on Microsoft Azure with redundant infrastructure. Despite these measures, no transmission over the internet or electronic storage is fully secure, and we cannot guarantee absolute security.

8. Your Rights

Under GDPR, you have the following rights regarding your personal data:

Right of access — request a copy of the personal data we hold about you
Right to rectification — request correction of inaccurate or incomplete data
Right to erasure — request deletion of your personal data, subject to legal retention requirements
Right to restriction — request that we limit how we process your data in certain circumstances
Right to data portability — receive your data in a structured, machine-readable format
Right to object — object to processing based on legitimate interests
Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior lawful processing

To exercise any of these rights, contact us at privacy@sponif.com. We will respond within 30 days. You also have the right to lodge a complaint with the Italian supervisory authority: Garante per la protezione dei dati personali (www.garanteprivacy.it).

9. Cookies

Sponif uses only technically necessary cookies required for authentication and session management. No advertising, tracking, or analytics cookies are set. No third-party tracking scripts are loaded on the marketing pages. By using the service, you consent to the use of strictly necessary cookies.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-app notification at least 14 days before they take effect. The "last updated" date at the top of this page reflects the most recent revision. Continued use of the service after changes take effect constitutes acceptance of the updated policy.

11. Contact and Complaints

For privacy-related questions, data subject requests, or complaints, please contact the data controller at:

If you believe your rights under GDPR have not been respected, you may also contact the Garante per la protezione dei dati personali, the Italian data protection supervisory authority: www.garanteprivacy.it