Privacy Policy
Version 2026-05-26
Stratoscope LLC, a Texas limited liability company ("Stratoscope", "we", "us").
What we collect
When you use Stratoscope Console, we collect:
- Azure resource metadata — resource names, types, locations, tags, SKUs, and configuration properties needed to assess governance posture
- Assessment data — Advisor recommendations, Defender controls, Policy compliance state, WAF scores, and cost data from Azure Cost Management
- Account information — your name and email from Microsoft Entra ID, your Azure tenant and subscription IDs
- Usage data — feature interactions, token usage for AI operations, and audit logs of all approved governance actions
What we do NOT collect
- Application data or business data stored in your Azure resources
- Key Vault secrets or certificate private keys
- Storage blob contents or database records
- End-user data from your applications
How we use your data
We use collected data to:
- Operate the governance loop (Discover → Assess → Remediate → Watch → Verify)
- Generate WAF assessments and remediation recommendations
- Maintain audit trails of all approved governance actions
- Improve the platform (aggregated, de-identified patterns only)
We do not sell or rent your data. We do not use your Azure environment data to train AI models without explicit consent.
Legal basis (GDPR)
For users in the European Economic Area, United Kingdom, and Switzerland, our lawful basis for processing is the performance of our contract with you (Art. 6(1)(b) GDPR) and our legitimate interest in operating and improving the Service (Art. 6(1)(f) GDPR). Where consent is required (e.g. optional product analytics), we collect it separately and you may withdraw it at any time.
International transfers from the EEA/UK/Switzerland to the United States are governed by the European Commission's Standard Contractual Clauses (2021/914) and equivalent UK and Swiss addenda. A copy of the executed SCCs is available on request.
California residents (CCPA / CPRA)
We do not sell or share personal information as those terms are defined under the California Consumer Privacy Act. California residents have the right to know, delete, correct, and limit use of their personal information. To exercise these rights, contact privacy@stratoscope.io. We will not discriminate against you for exercising these rights.
Data residency
Stratoscope Console runs on Azure Container Apps in Azure Commercial (Central US by default). Enterprise customers with specific data residency requirements should contact us about the BYOA deployment model.
Data retention
Governance assessment history is retained according to your plan (30 days for Starter, 90 days for Professional, configurable for Enterprise). Audit logs are retained for 1 year. On account closure, customer data is deleted within 30 days except where retention is required by law or for active audit obligations.
Security and breach notification
We maintain technical and organizational measures appropriate to the risk, including workspace-level isolation enforced by row-level security, encryption in transit and at rest, and least-privilege access to production systems. In the event of a personal-data breach likely to result in risk to your rights, we will notify affected customers without undue delay and in any case within 72 hours of becoming aware, as required by GDPR Art. 33.
Sub-processors
We use the following sub-processors to deliver the Service:
- Microsoft Azure — hosting, infrastructure, and identity (Entra ID)
- Anthropic — AI reasoning for governance recommendations
- Stripe — payment processing for direct subscriptions
Material changes to this list will be announced at least 30 days before they take effect. Enterprise customers may subscribe to sub-processor change notifications.
Cookies and similar technologies
The marketing site (www.stratoscope.io) uses only strictly necessary cookies. The Console application uses session cookies for authentication and CSRF protection. We do not use third-party advertising cookies. We do not respond to Do-Not-Track browser signals because there is no industry consensus on how to interpret them; we do not track you across third-party sites regardless.
Children
The Service is not directed to children under 16 and we do not knowingly collect personal information from children. If you believe a child has provided personal information, contact us and we will delete it.
Your rights
You may request access to, correction of, portability of, or deletion of your personal data at any time by contacting privacy@stratoscope.io. EEA/UK residents may also lodge a complaint with their local supervisory authority.
Changes to this policy
We may update this policy. Material changes will be announced via email to account administrators at least 30 days before they take effect, and the version date at the top of this page will be updated.
Contact
Stratoscope LLC
Privacy: privacy@stratoscope.io
General: engineering@stratoscope.io