Privacy Policy

Last Updated: April 6, 2026

1. Who We Are and What This Policy Covers

Cloudforce (“Cloudforce,” “we,” “us,” or “our”) is a technology company headquartered at 120 Waterfront Street, Suite 500, National Harbor, MD 20745, United States.

This Privacy Policy applies to:

Cloudforce as a company — including our business operations, sales, professional services and customer communications
nebulaONE® — our Private SaaS (Software as a Service) AI gateway product built on Microsoft Azure

This Policy covers how we handle personal information when you:

Visit our website at nebulaone.ai or gocloudforce.com (the “Websites”)
Contact us through our Website or by email
Use nebulaONE as an enterprise client, educational institution, or as an individual end user within a client organization
Engage with us as a support contact, partner, or job applicant

What this Policy does not cover: How your own organization processes personal information through nebulaONE within your Azure tenant. Your organization controls that data entirely, and your own privacy policies and data governance practices govern it.

Questions? Contact us at privacy@gocloudforce.com

2. The Personal Information We Collect — and Why It’s Limited

We want to be direct: Cloudforce collects a narrow and specific set of personal information. We do not profile users, track behavior across the web, build marketing audiences, or process sensitive personal data categories.

Here is precisely what we collect and why:

2a. Contact Information from Website Visitors and Support Admins

When you submit a contact form on our Website, or when you contact us as a designated support administrator for your organization, we collect:

Your name/title
Your email address
Your organization (if applicable)

We use this information to:

Respond to your inquiry or support request
Store your contact record in our CRM so we can maintain our business relationship with your organization
Send you product updates, service announcements, or other communications — only with your consent, which you can withdraw at any time

We do not use your contact information for any other purpose. We do not sell it, share it with third parties for their own use, or use it to build advertising profiles.

Legal basis (GDPR): Responding to inquiries and maintaining client records — legitimate interests (Article 6(1)(f)); consent-based communications — consent (Article 6(1)(a)).

2b. Website Usage Data

When you visit our Websites, our hosting infrastructure and analytics tools automatically collect certain non-identifying technical data, including:

IP address
Browser type and operating system
Pages visited and time spent on each
Referring URL

This data is used in aggregate to understand how our Websites are used and to improve them.

2c. Cookies

We use cookies on our Websites. A cookie is a small text file stored on your device by your browser.

We use two categories of cookies:

Strictly Necessary Cookies — Required for the Website to function, such as session management. These cannot be disabled without affecting your ability to use the Website.

Analytics Cookies — Help us understand how visitors navigate our Websites. We use Google Analytics (and HubSpot) to collect information about how our Websites are used and to improve performance and user experience.

You can manage or disable cookies through your browser settings at any time. For visitors in the EU, EEA, and UK, we will request your consent before placing non-essential cookies. You can update your preferences or withdraw consent at any time via Cookie Settings.

2d. nebulaONE Product — Anonymized Telemetry Only

The nebulaONE Product is deployed and hosted entirely within your organization’s Microsoft Azure tenant. Cloudforce has no access to your tenant, your users’ data, your documents, or the content of any AI prompts or outputs processed within the Product.

The only data Cloudforce collects in connection with the Product’s operation is:

Anonymized system telemetry — high-level performance metrics, error reports, and feature usage statistics. This data cannot be linked to any individual and is fully anonymized consistent with Recital 26 of the GDPR.

Anonymized token usage statistics — aggregate counts of AI model interactions used to monitor system health and inform product improvements. This data contains no personal identifiers. We do not collect, access, or process any end-user content through the Product. Your data never leaves your cloud boundary.

2e. Support Interactions

When your organization contacts us for technical support, we may receive logs or telemetry data that you choose to share with us to help diagnose an issue. nebulaONE in it’s native state does not require Cloudforce to access your Azure tenant directly and Cloudforce has no default access to your environment. All support is conducted through information you proactively share with us. Any data shared during a support interaction is used only to resolve the specific issue, is not shared externally, and is not retained beyond what is necessary. These interactions are governed by a Data Processing Agreement (“DPA”) – see Section 5.

3. What We Do Not Collect

To be explicit about what falls outside the scope of this Policy and our practices:

We do not collect sensitive personal information such as government ID numbers, financial account data, health information, biometric data, or precise geolocation
We do not collect personal information from end users of the nebulaONE Product — that data remains solely within your organization’s Azure tenant
We do not engage in automated decision-making or profiling using personal information
We do not purchase, rent, or obtain personal data from third-party data brokers

4. How We Share Your Information

We do not sell your personal information. We do not share it with third parties for their own marketing or commercial purposes.

We share information only in these limited circumstances:

Service Providers: We use a small number of trusted vendors to operate our business – including our CRM platform and Website infrastructure. These vendors are contractually bound to use data only on our instructions. For a full list of Cloudforce sub-processors, please refer to our current sub-processor list located on our Trust Center.

Microsoft: nebulaONE is built on Microsoft Azure. Cloudforce participates in Microsoft’s Supplier Security and Privacy Assurance (SSPA) program and, where applicable, maintains a Record of Processing Activities in accordance with GDPR Article 30.

Legal Requirements: We may disclose personal information if required by law, regulation, court order, or lawful government request, or where we reasonably believe disclosure is necessary to protect rights, prevent fraud, or address safety concerns.

Business Transfers: In the event of a merger, acquisition, or asset sale involving Cloudforce, personal information may be transferred as part of that transaction. We will notify affected individuals as required by applicable law.

5. Our Role When Supporting Your nebulaONE Deployment

When your organization uses nebulaONE, your organization is the Data Controller for all personal data your users process within the Product. Cloudforce does not control, access, or determine the purpose of that data processing. In the limited context of providing support – where you may share logs or other data with us – Cloudforce acts as a Data Processor on your behalf. We process that data only to resolve your support request and only on your instructions. We are currently developing a standard Data Processing Agreement (DPA) that formalizes these obligations, consistent with GDPR Article 28. Until it is available, enterprise and education clients with specific DPA requirements should contact us at privacy@gocloudforce.com to discuss contractual arrangements.

6. International Data Transfers

Cloudforce is based in the United States. If you are located in the EU, EEA, or UK, the limited personal information we collect (contact details – see Section 2a) may be transferred to and stored in the United States.

We rely on the following transfer mechanisms to ensure your information is protected:

Standard Contractual Clauses (SCCs): We use the European Commission’s approved SCCs (Decision 2021/914) for transfers of EU personal data to the US.

UK International Data Transfer Agreements (IDTAs): For transfers involving UK residents’ personal data.

EU/EEA and UK Representative: As Cloudforce is established outside the EU/EEA and UK, we have appointed Data Protection Representative Limited (trading as DataRep) as our Representative under Article 27 of the GDPR. EU/EEA and UK residents may contact DataRep directly by email at digitalrequest@datarep.com, via the online webform at www.datarep.com/data-request, or by post at DataRep, The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland.

7. Data Retention

We retain personal information only as long as necessary for the purposes described in this Policy or as required by law.

Data Type

Website contact form submissions

CRM contact records

Support interaction logs you share with us

Consent records for communications

Anonymized product telemetry

Retention Period

3 years from last contact

Duration of client relationship plus 3 years

24 months following resolution

Until consent is withdrawn, plus 24 months after withdrawal/opt-out for compliance documentation

24 months rolling

When data is no longer needed, we securely delete or irreversibly anonymize it.

8. Security

We maintain administrative, technical, and physical safeguards appropriate to the limited personal data we hold. Our measures include:

Encryption of data in transit (TLS) and at rest
Role-based access controls limiting staff access to personal data on a need-to-know basis
SOC 2 Type Icertification
Regular security assessments
Formal incident response procedures
Employee security awareness training

In the event of a data breach that is likely to result in risk to your rights, we will notify you and relevant regulatory authorities within the timeframes required by law – including within 72 hours to EU supervisory authorities under GDPR Article 33.

9. Your Privacy Rights

Depending on where you live, you have rights regarding the limited personal information we hold about you. Because our data collection is narrow — limited to contact details you provide directly — most requests can be resolved quickly and simply by contacting us.

EU and EEA Residents — GDPR

You have the right to:

Access — Request a copy of the personal information we hold about you
Rectification — Ask us to correct inaccurate or incomplete information
Erasure — Ask us to delete your personal information where we have no overriding legal basis to retain it
Restriction — Ask us to restrict our processing in certain circumstances
Portability — Receive your information in a structured, machine-readable format
Object — Object to processing based on legitimate interests
Withdraw Consent — Withdraw any consent you have given at any time, without affecting prior lawful processing

We will respond to verified requests within 30 days, with a possible 60-day extension for complex cases.

You have the right to lodge a complaint with your national Data Protection Authority. A directory of EU DPAs is available at edpb.europa.eu.

UK Residents — UK GDPR

UK residents have the same rights described above and may complain to the Information Commissioner’s Office (ICO) at ico.org.uk.

California Residents — CCPA / CPRA

You have the right to:

Know — Request disclosure of the personal information we have collected about you, its sources, the purposes for collection, and any third parties with whom it has been shared
Delete — Request deletion of your personal information, subject to legal exceptions
Correct — Request correction of inaccurate personal information
Opt Out of Sale or Sharing — We do not sell or share your personal information for advertising purposes. You may still submit an opt-out request.
Non-Discrimination — We will not treat you differently for exercising your rights

Other U.S. State Residents

Residents of Virginia, Colorado, Connecticut, Texas, Montana, Oregon, and other states with comprehensive privacy laws have similar rights to access, correct, delete, and opt out of certain processing. We honor these rights as required by applicable law.

How to Submit a Request

Email: privacy@gocloudforce.com
Mail: Cloudforce, Attn: Privacy Team, 120 Waterfront Street, Suite 500, National Harbor, MD 20745

We will verify your identity before processing your request and will not charge a fee for reasonable requests.

10. Children’s Privacy

Our Websites and the nebulaONE Product are intended for use by adults and organizations. We do not knowingly collect personal information from individuals under 18. If you believe a minor has provided us with personal information, contact us at info@gocloudforce.com and we will delete it promptly.

Note for Education Institution Clients: nebulaONE may be deployed by educational institutions whose end users include students. Because Cloudforce does not access your Azure tenant or process any end-user data within the Product, FERPA obligations with respect to student data rest with your institution as the Data Controller. Notwithstanding, Cloudforce is FERPA compliant and will maintain FERPA compliance. If your institution’s deployment involves students under 13, please ensure your own COPPA compliance obligations are addressed.

11. Third-Party Links

Our Websites may contain links to third-party sites. This Privacy Policy does not apply to those sites. We encourage you to review their privacy policies. Our Websites use Google Fonts and Adobe Fonts, which may receive your IP address and browser information to serve font files.

12. Changes to This Policy

We will update this Policy from time to time. When we make material changes, we will update the “Last Updated” date and post a notice on our Website. Where required by law we will notify you directly. Continued use of our Websites or Product after changes are posted constitutes acceptance of the revised Policy.

13. Contact Us

Cloudforce Privacy Team 120 Waterfront Street, Suite 500 National Harbor, MD 20745, United States

Email: privacy@gocloudforce.com Phone: 202.803.6500

EU/EEA inquiries: DataRep
The Cube, Monahan Road
Cork, T12 H1XY
Republic of Ireland

Email: digitalrequest@datarep.com
Online form: https://www.datarep.com/data-request