# C4CI Privacy Policy Effective date: 2026-04-09 Version: 2026-04-09 1. Scope This Privacy Policy explains how C4CI handles personal and account-related information in connection with the platform, including authentication, organisation membership, audit evidence, billing, and support operations. 2. Identity and account data When you authenticate, we process identity data such as your Keycloak subject, email address, display name, linked identity provider, role assignments, and organisation context. This data is used to operate the product, secure access, and provide account-management features. 3. Product usage and audit evidence We process platform activity records such as logins, organisation membership changes, approvals, billing actions, and other control-plane mutations. Audit-event records are used to provide traceability, product security, and compliance evidence. 4. Billing and metering data For subscription and PAYG features, we process billing-related records such as usage events, invoice references, payment state, and customer-facing billing summaries. Failed metered runs are marked as failed and not billed. 5. Connected system data The platform may process metadata from connected Azure subscriptions, Kubernetes clusters, repositories, and related infrastructure sources in order to generate diagrams, reports, and drift evidence. You remain responsible for ensuring you are authorised to connect that data. 6. Retention Different record types have different retention periods depending on operational, billing, and compliance needs. Audit and billing records may be retained longer than profile customisation data where the platform requires durable evidence of actions or charges. 7. Security C4CI is designed around tenant isolation, role-based access control, encrypted storage, and audit logging. No security control can guarantee absolute protection, but the platform is engineered to reduce unnecessary data exposure and privilege. 8. Your controls You can manage profile preferences, linked sign-in methods, and data-export or account-deletion requests through the platform where available. Some records may be retained when required for legal, billing, fraud-prevention, or security purposes. 9. Policy updates We may update this Privacy Policy as the platform evolves. When a new mandatory version materially affects platform use or data handling, we may require re-acceptance before continued use of authenticated product surfaces. 10. Contact Questions about privacy or data handling should be directed through the published C4CI contact channels.