Cloudimesh

Cloudimesh Privacy Policy

Effective date: June 6, 2026
Last updated: June 6, 2026

This Privacy Policy describes how Cloudimesh ("Cloudimesh", "we", "us", or "our") collects, uses, discloses, retains, and protects personal information when you use the Cloudimesh cloud and infrastructure management portal (the "Service").

This Policy applies to users who register, sign in, or interact with the Service, including administrators, approvers, project members, and invited team members.

By using the Service, you acknowledge this Privacy Policy. If you do not agree, do not use the Service.

1. Roles: Cloudimesh and your organization

Cloudimesh is typically deployed for organizational use. In most cases:

  • your employer or contracting organization decides why certain data is processed and controls tenant configuration; and
  • Cloudimesh processes data on behalf of that organization to provide the Service.

For privacy requests relating to employment or organizational data, contact your Cloudimesh administrator first. Cloudimesh will assist organizations as required by applicable law and contractual obligations.

2. Information we collect

The data we process depends on how your organization configures the Service and which features you use.

2.1 Account and identity information

  • Name, email address, and profile photo
  • Password (stored in hashed form for local accounts)
  • Email verification status
  • Authentication identifiers, including Google ID, Facebook ID, or LDAP/AD linkage
  • Two-factor authentication configuration (secrets and recovery codes are stored securely and are not displayed in plain text)
  • Current tenant selection and team memberships
  • Job title, department, manager, company, telephone number, and mobile number, when provided or synchronized from directory services
  • Account status, including whether local login is enabled or the account is disabled
  • Super-administration flags, where applicable (for example, tenant creation or cross-tenant governance permissions)

2.2 Directory and LDAP/Active Directory data

If your organization enables LDAP/AD sign-in, we may:

  • authenticate you against your organization's directory;
  • create or update a local user record matched to your corporate email;
  • store directory user identifiers, group memberships, and profile attributes synchronized from AD (such as name, department, title, manager, and phone fields); and
  • enforce access based on mapped AD groups and tenant permissions.

We do not store your corporate directory password in Cloudimesh when you authenticate via LDAP/AD.

2.3 Social sign-in (Google and Facebook)

If you use Google or Facebook to sign in, we receive information from the provider needed to authenticate you, typically including:

  • provider user ID;
  • email address; and
  • display name or avatar URL, where available.

We use this information to create or link your Cloudimesh account. The provider's own privacy policy governs its processing.

2.4 Project, workflow, and operational data

When you use project and approval features, we process information such as:

  • project titles, metadata, status, dates, and cost summaries;
  • VM/server request specifications (CPU, memory, storage, OS, applications, cloud platform, environment, and related catalog selections);
  • approval steps, comments, submission messages, and workflow state;
  • uploaded project files and documents;
  • notifications you send or receive through the Service; and
  • activity relating to provisioning, chargeback projects, and inventory allocation where enabled.

This data may include business information about your organization's infrastructure plans. It may also indirectly relate to identifiable individuals (for example, when you are named as submitter, approver, or project owner).

2.5 Inventory and cloud integration data

When administrators connect cloud and inventory systems, the Service may store and display data retrieved from those systems, including for example:

  • vCenter datacenter, cluster, host, VM, and datastore inventory;
  • VM tags, datastore tags, provision mappings, and RV Tools import records;
  • AWS EC2 catalog, AMI, instance type, and pricing reference data where synchronized;
  • Nutanix, Huawei, and other platform connection metadata; and
  • relationships between inventory objects and Cloudimesh projects or chargeback records.

This information is generally infrastructure and operational metadata. It may include hostnames, IP-related attributes, resource identifiers, and utilization figures depending on import scope.

2.6 Administrative and tenant configuration data

Tenant administrators may configure settings that can contain organizational or personal data, including:

  • SMTP server settings and sender identities;
  • LDAP connection parameters and bind account references (passwords are encrypted);
  • cloud connection credentials and integration settings (stored using application encryption practices);
  • roles, permissions, groups, approval workflow definitions, and catalog policies; and
  • tenant currency, pagination, and notification preferences.

2.7 Technical, security, and usage data

We automatically collect certain technical information when you use the Service, including:

  • IP address;
  • browser and device information (for example, browser family, platform, and device type through user-agent parsing);
  • session identifiers and authentication timestamps;
  • activity logs recording actions such as create, update, delete, login-related events, and subject records affected;
  • super-admin audit logs for cross-tenant governance actions, where enabled; and
  • approximate location derived from IP address where GeoIP services are enabled in your deployment.

We use this data to operate, secure, troubleshoot, and improve the Service.

2.8 Communications

We process email addresses and message content when the Service sends:

  • account and team invitations;
  • team join request notifications;
  • approval and project notifications;
  • password reset messages; and
  • other operational emails configured by your tenant's SMTP settings.

3. How we use information

We use personal and operational information to:

Purpose Examples
Provide the Service Authentication, tenant switching, project management, VM requests, approvals, inventory views, dashboards, and file downloads
Enforce access controls Roles, permissions, group mappings, LDAP authorization, API token scoping, and account disablement
Connect integrations vCenter, Nutanix, Huawei, AWS, orchestration tools, directory services, and email delivery
Calculate and display costs Cost breakdowns, chargeback analytics, catalog pricing, and reporting
Communicate with you In-app notifications, email alerts, and invitation messages
Maintain security Fraud prevention, abuse detection, session protection, audit trails, and incident investigation
Comply with law Responding to lawful requests and regulatory obligations
Improve reliability Debugging, performance monitoring, and feature development

We do not sell personal information. We do not use Cloudimesh project or infrastructure data for unrelated third-party advertising.

4. Legal bases for processing (EEA/UK users)

Where applicable data protection law requires a legal basis, we rely on one or more of the following:

  • Contract: processing necessary to provide the Service you or your organization requested;
  • Legitimate interests: securing the platform, preventing misuse, maintaining audit records, and improving functionality, balanced against your rights;
  • Legal obligation: compliance with applicable law; and
  • Consent: where required for optional features or cookies, or where your organization instructs us to rely on consent.

Your organization may determine additional legal bases when acting as controller for employee data.

5. How we share information

We may share information in the following circumstances:

5.1 Within your organization

Project data, approvals, inventory insight, and administrative records are visible to users according to tenant membership, project membership, and role permissions configured by administrators.

5.2 Service providers and subprocessors

We use infrastructure and software providers to host, operate, secure, email, queue background jobs, and support the Service (for example, application hosting, database storage, Redis/queue workers, PDF generation, and email transport). These providers process data under contractual safeguards and only as needed to deliver the Service.

5.3 Connected platforms and identity providers

Data is transmitted to systems your administrators connect, such as:

  • VMware vCenter, Nutanix, Huawei, AWS, Aria, Orchestrator, or similar endpoints;
  • LDAP/Active Directory servers; and
  • Google or Facebook for OAuth authentication.

Those systems process data under their own terms and your organization's agreements with them.

5.4 Legal and safety disclosures

We may disclose information if we believe in good faith that disclosure is necessary to:

  • comply with law, regulation, legal process, or governmental request;
  • enforce our Terms or protect the rights, property, or safety of Cloudimesh, users, or others; or
  • investigate suspected fraud, security incidents, or misuse.

5.5 Business transfers

If Cloudimesh is involved in a merger, acquisition, financing, or sale of assets, information may be transferred subject to continued protection consistent with this Policy.

6. International transfers

Cloudimesh may process and store information in countries other than where you are located, including where our hosting providers operate. Where required, we implement appropriate safeguards for cross-border transfers, such as contractual clauses or equivalent mechanisms agreed with your organization.

7. Retention

We retain information for as long as necessary to:

  • provide the Service;
  • meet contractual, accounting, or legal obligations;
  • resolve disputes; and
  • enforce agreements.

Retention periods may vary by data type and tenant configuration. For example:

  • Account data is retained while your account is active and for a reasonable period afterward unless deletion is requested by your administrator or required by law;
  • Project and approval records may be retained for operational, audit, and compliance purposes according to organizational policy;
  • Activity and audit logs may be retained for security investigations and governance; and
  • Session data expires according to session configuration.

Administrators may export or request deletion subject to organizational policy and legal requirements.

8. Security

We implement administrative, technical, and organizational measures designed to protect information, including:

  • authenticated access and role-based authorization;
  • encrypted storage for sensitive credentials where supported;
  • session management and CSRF protections;
  • hashed password storage for local accounts;
  • activity logging and super-admin audit trails; and
  • tenant isolation in application logic.

No method of transmission or storage is completely secure. You must protect your credentials, 2FA devices, and API tokens.

Report suspected security incidents to your administrator and Cloudimesh support promptly.

9. Your rights and choices

Depending on your location and organizational setup, you may have rights to:

  • access personal information we hold about you;
  • correct inaccurate information through your profile or administrator;
  • delete certain information, subject to legal and operational retention needs;
  • restrict or object to certain processing;
  • export information where export features or administrator assistance are available; and
  • withdraw consent where processing is based on consent, without affecting prior lawful processing.

Because Cloudimesh is organization-managed, many requests must be submitted through your Cloudimesh administrator, who controls tenant data and user lifecycle.

You may also:

  • update profile and photo settings in the Service where available;
  • enable or manage 2FA from your account security settings;
  • revoke API tokens you created; and
  • disconnect social login by contacting your administrator or using identity-provider controls.

We will respond to valid requests within timeframes required by applicable law.

10. Children

The Service is not directed to individuals under 16, and we do not knowingly collect personal information from children. If you believe a child has provided information, contact us so we can take appropriate action.

11. Third-party links and services

The Service may link to third-party websites or rely on third-party platforms. This Policy does not govern those services. Review the privacy policies of vCenter, public cloud providers, identity providers, and other integrated systems separately.

12. Changes to this Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date above and, where appropriate, provide additional notice in the Service or through your administrator.

Continued use after the effective date of an update constitutes acceptance unless applicable law requires explicit consent.

13. Contact us

For privacy questions or requests:

  1. Contact your organization's Cloudimesh administrator for tenant-specific data requests; or
  2. Contact Cloudimesh using the details published at cloudimesh.com.

If you are an administrator seeking a data processing addendum or subprocessor information for enterprise deployment, contact Cloudimesh through the same channels.

Terms Privacy Policy Cookies Policy Sign in