Legal · Privacy
Privacy Policy
Last updated: May 31, 2026
This policy explains what Kubeadapt collects, what it deliberately never collects, and the choices you have. In short: the Kubeadapt agent collects Kubernetes resource metadata only. It never reads your application data, secrets, config, or logs, and we never sell your data.
Don’t take our word for it. The agent is open source. You can read exactly what it collects, and confirm it only ever performs read-only list/watch calls, in the source: github.com/kubeadapt/kubeadapt-agent.
Overview
Kubeadapt (“we”, “us”) provides a Kubernetes FinOps platform for cost visibility, rightsizing, and capacity planning. This policy applies to the Kubeadapt website (kubeadapt.io), the web application, and the kubeadapt-agent you install in your cluster.
The agent runs with read-only Kubernetes RBAC (list and watch only — no get, create, update, delete, or patch). It never modifies your cluster.
Data we collect
The agent sends a structured snapshot of Kubernetes resource metadata on each collection cycle. This is configuration and utilization data about your cluster — not the contents of your workloads.
Cluster resource metadata
- Nodes — capacity and allocatable (CPU, memory, GPU), labels (instance type, zone, region, node pool), taints, conditions, and provider ID (used to derive cloud and region).
- Pods — container list, resource requests and limits, owner references, scheduling status, and QoS class.
- Namespaces — names, labels, and status, used as the boundary for cost attribution.
- Workloads — Deployments, StatefulSets, DaemonSets, Jobs, and CronJobs (replica counts, selectors, template specs, schedules).
- Autoscaling & disruption — HorizontalPodAutoscalers, PodDisruptionBudgets, and VerticalPodAutoscalers (when the VPA API group is present).
- Network — Services and Ingresses (type, ports, rules, TLS references only — never certificate contents).
- Storage — PersistentVolumes, PersistentVolumeClaims, and StorageClasses (capacity, access modes, provisioner, binding status).
- Scheduling — PriorityClasses, LimitRanges, and ResourceQuotas.
- Cloud-native — Karpenter NodePools (when the Karpenter API group is present).
Utilization metrics
- Live CPU and memory usage per node and pod, read from metrics-server (the
metrics.k8s.ioAPI). Actual-vs-requested usage is the core signal for rightsizing. - GPU device utilization and memory — collected only on GPU nodes where an NVIDIA DCGM exporter is present.
Account & site data
- Account and billing information (name, work email, organization, plan, payment records).
- Communications you send us (support requests, sales inquiries).
- Standard website and product telemetry (pages viewed, approximate region, device/browser type) used to operate and improve the service.
Data we never collect
By design, the agent collects metadata only. The following are never collected or transmitted:
- Environment variable values, Secret contents, or ConfigMap data.
- Application logs or pod stdout/stderr.
- Service mesh payloads or HTTP request/response bodies.
- TLS certificate contents or private keys.
- The data your applications process or store.
The agent’s read-only RBAC makes most of this technically impossible: it cannot get individual Secrets or read pod contents. ReplicaSets are read internally only to resolve workload ownership and are discarded before the snapshot is sent.
How we use data
- Produce cost visibility, rightsizing recommendations, and capacity plans for the clusters you connect.
- Attribute spend to teams, namespaces, and workloads, and match discounts (Reserved Instances, Savings Plans).
- Operate, secure, and improve the platform.
- Manage billing, provide support, and send service-related communications.
We do not sell your data, and we do not use your cluster metadata to train models for other customers.
Legal basis (GDPR)
Where the GDPR applies, we process data under: (a) contract — to deliver the service you signed up for; (b) legitimate interests — to secure and improve the platform, balanced against your rights; and (c) legal obligation — to retain billing records as required by law.
Data residency & transfers
Cluster snapshots are processed in the region you choose at onboarding — the European Union (EU) or the United States (US). The agent transmits exclusively over HTTPS. Where data is transferred internationally, we rely on appropriate safeguards such as the EU Standard Contractual Clauses.
Retention
- Cluster metrics and snapshots are deleted 5 years after you cancel, unless you request earlier deletion.
- Billing records are retained for the period required by applicable law.
- Account data is deleted on request once outstanding obligations are settled.
Security
- Read-only Kubernetes RBAC (
list/watchonly); the agent self-validates its permissions at startup. - All backend communication is encrypted in transit with TLS; non-HTTPS endpoints are rejected.
- The agent authenticates with a per-tenant bearer API key.
- The agent ships as a distroless, non-root container with no shell and an in-memory-only, read-only filesystem.
See our Security page for more detail.
Your rights
Depending on your location (e.g. the EEA, UK, or California), you may have the right to access, correct, export, or delete your personal data, to object to or restrict processing, and to withdraw consent. To exercise any right, contact us using the details below. You also have the right to complain to your local data protection authority.
Children
Kubeadapt is a business product and is not directed to anyone under 16. We do not knowingly collect data from children.
Changes to this policy
We may update this policy as the product evolves. Material changes will be reflected by the “Last updated” date above and, where appropriate, communicated directly.
Contact
Privacy questions: privacy@kubeadapt.io. Data subject requests: dpo@kubeadapt.io.