Privacy Policy — Costory
Last updated: 2026-04-29
3SR, registered in France (228 Boulevard de la République, 33510 Andernos-les-Bains), publishes Costory on Microsoft Commercial Marketplace as an Azure Managed Application. This privacy policy describes the data practices specific to this product.
1. Data we collect
1.1 Inside your Azure tenant
The Managed Application runs entirely inside your Azure tenant. The Function App calls the Microsoft Azure Cost Management API on the subscriptions you configured, aggregates cost data into a Cosmos DB serverless account also located within your subscription, and calls Azure AI Foundry (deployed on your tenant) to generate the narrative report PDF. The PDF is stored in the Storage Account of the Managed Resource Group.
Data retained in your tenant includes:
- Daily and monthly aggregated cost data (per subscription, service, resource)
- The narrative reports generated by the AI model (PDF + raw markdown)
- Custom events emitted to your Application Insights for the email delivery flow
1.2 What 3SR does not access
3SR holds no access to your cost data. The publisher principal granted on the Managed Resource Group has only the Reader role, which is sufficient for support diagnostics (e.g. checking Function App logs in case of an issue) but explicitly excludes access to the cost data, the AI prompts, and the generated reports. 3SR personnel will only use this access if you explicitly request a support intervention.
1.3 What 3SR may collect outside your tenant
- Marketplace lead capture: when you click "Contact Publisher" on the offer, your name, company, email, phone (optional). Stored in 3SR's Azure storage in EU. Used solely to follow up on your enquiry. Retention: 5 years from last contact.
- Support emails sent to support@3sr.fr: your email + content. Stored on 3SR's Microsoft 365 tenant. Retention: 7 years.
- Anonymous telemetry of installation (plan, version, anonymized deployment date — no tenant ID, no resource IDs). For product analytics only.
2. AI model and your data
The AI model used by Costory (Phi-4, gpt-4o-mini, or gpt-4o depending on plan) is deployed via Azure AI Foundry with disableLocalAuth: true. This means that even within your tenant, the model is callable only via Managed Identity authentication, not with API keys.
The AI processes your cost data inside your tenant. Microsoft does not train Azure OpenAI models on your data per the Azure OpenAI Service product terms. 3SR has no access to either the prompts or the responses.
3. Cookies and tracking
Costory itself uses no cookies and no tracking. This public website (marketplace.3sr.fr) uses no third-party trackers and no cookies.
4. Third-party services
Costory does not share your data with any third party. The application interacts only with Microsoft services already authorized by your tenant (Cost Management API, Resource Graph, Advisor, Cosmos DB, AI Foundry, Application Insights — all within your subscription).
5. Legal basis (GDPR Art. 6)
- Lead capture & support: contractual interest + your explicit action
- Anonymous telemetry: legitimate interest (improving the product)
6. Your rights (GDPR)
Right to access, rectification, erasure, restriction, objection, portability. Contact dpo@3sr.fr — response within 30 days.
7. Subprocessors
| Service | Role | Location |
|---|---|---|
| Microsoft Azure (West Europe / France Central) | Lead capture infrastructure | EU |
| Microsoft 365 | Email + ticketing | EU |
No subprocessor outside the European Union.
8. Security
- 3SR systems use Microsoft Entra ID with MFA enforced
- Data encrypted at rest (AES-256) and in transit (TLS 1.2+)
- 3SR personnel access limited via Azure RBAC + audit logs (7 years)
9. Changes to this policy
Material changes will be announced via support@3sr.fr.
10. Complaints
French Data Protection Authority (CNIL) — https://www.cnil.fr.
11. Contact
3SR — 228 Boulevard de la République, 33510 Andernos-les-Bains, France. Privacy: dpo@3sr.fr · General: support@3sr.fr