TenantThrift
Why trust it How it works Pricing Docs
Start free trial

Privacy Policy

Last updated: 12 July 2026

Who is responsible

The data controller for your account is Simon Vedder, a sole proprietor at Schulstrasse 38, 8952 Schlieren (Canton of Zürich), Switzerland. Contact for any privacy matter: info@simonvedder.com. We process personal data under the Swiss Federal Act on Data Protection (FADP/revDSG) and, where applicable, the EU General Data Protection Regulation (GDPR).

The short version

TenantThrift is a hosted service. With access you grant, it reads billing and resource metadata from your Microsoft Azure tenant read-only, analyses it for waste, and shows you findings and reports. We store those findings and reports in the EU. We never receive your Azure credentials or secrets, we never get write access to your resources, and we never store a full inventory — only the findings and bounded cost totals needed to show you where money is going.

Our two roles

  • Controller for your account data — the data you give us to have an account and be billed (see below). We decide how it is processed.
  • Processor for your Azure scan data — the metadata we read from your tenant on your instruction to run the Service. You remain the controller of it; we process it only to provide the Service, under our Data Processing Agreement.

What we collect and store

  • Account data — your email address and (optionally) display name, your organisation name, your role, and sign-in identifiers. If you sign in with Microsoft, that includes the identifiers Microsoft returns (your object and tenant IDs and user principal name); we do not receive your Microsoft password. Whether you have two-factor authentication enabled is stored, not the secret itself.
  • Billing data — your plan, trial status and the Stripe customer and subscription identifiers. Card details are handled entirely by Stripe; we never see or store them.
  • Azure scan data — the tenant and subscription identifiers you connect, your scan schedule and report-recipient addresses, the findings we detect (resource name, type, resource group, estimated monthly cost and savings, severity), bounded cost aggregates, and one PDF report per scan. This is business/technical metadata, not the contents of your workloads.
  • Operational data — standard server and access logs (including IP addresses) kept by our hosting providers for security and troubleshooting.

What we do NOT collect

We do not receive or store your Azure credentials, secrets, certificates or keys; we do not have write access to your resources; and we do not copy a full inventory of your environment — only findings and bounded totals. Access to your tenant is a read-only Reader role you grant to our application and can revoke at any time.

Why we process it (legal bases)

  • Performance of a contract — to create your account, connect your tenant, run scans, deliver reports and bill you (GDPR Art. 6(1)(b)).
  • Legitimate interests — to secure, operate, monitor and improve the Service and prevent abuse (Art. 6(1)(f)).
  • Legal obligation — to keep invoices and accounting records (Art. 6(1)(c)).
  • Consent — where we ask for it, e.g. optional communications; you may withdraw it at any time (Art. 6(1)(a)).

Who we share it with (sub-processors)

We use a small set of vetted providers to run the Service. Each is listed — with its purpose, location and safeguards — in our Data Processing & Sub-processors note. In summary: Supabase (database and file storage, Germany), Microsoft Azure (the compute that runs the scan and stores report PDFs, EU/West Europe), Vercel (application and website hosting), Stripe (payments) and Resend (transactional email). We do not sell personal data or share it for advertising.

Where it is stored & international transfers

Your account data, findings and report PDFs are stored in the EU (Supabase in Frankfurt, Germany; the scan compute and PDF storage in Microsoft Azure West Europe). We are domiciled in Switzerland, which the EU recognises as providing an adequate level of protection (and vice-versa). A few providers (e.g. Stripe, Resend, Vercel) may process limited data outside Switzerland/the EU; where they do, transfers are covered by adequacy decisions or the EU Standard Contractual Clauses.

How long we keep it

We keep account data for as long as you have an account, and afterwards only where the law requires it (for example, invoices are retained for statutory accounting periods). Scan data is subject to retention limits: we keep the most recent scans in full and prune the detail of older ones. When you delete a connection, or your organisation, we delete the associated findings, aggregates and report PDFs, including from file storage. Residual copies in encrypted backups rotate out on the provider's backup cycle.

Your rights

Under the GDPR and Swiss FADP you may request access to your personal data, and its rectification, erasure, restriction or portability, and you may object to processing based on legitimate interests and withdraw any consent. Much of this you can do yourself in the app (edit your profile, delete a connection, delete your organisation and account). For anything else, email info@simonvedder.com. You may also complain to a supervisory authority — in Switzerland the Federal Data Protection and Information Commissioner (FDPIC), or your local authority in the EU.

How we protect it

Data is hosted in the EU, encrypted in transit, and isolated per organisation with row-level security so one customer can never see another's. Access to your Azure tenant is least-privilege and read-only, and we store no credentials for it. Two-factor authentication is available on your account, and sign-in via your Microsoft Entra tenant lets your own security policies apply.

Cookies & tracking

We use only strictly-necessary cookies to keep you signed in. We do not use advertising cookies or third-party analytics that track you across sites.

Changes

We may update this policy as the Service evolves. Material changes will be announced in the app or by email; the "last updated" date above always reflects the current version.

Contact

Questions or requests: info@simonvedder.com.

TenantThrift Docs · Terms · Privacy · DPA · Imprint · Built by Simon Vedder · read-only access, EU-hosted, credentials never stored. © 2026 Simon Vedder · TenantThrift is an independent product, not affiliated with or endorsed by Microsoft. Microsoft, Azure and Microsoft Entra are trademarks of the Microsoft group of companies.