1. Scope and Application
This Privacy Policy (the “Policy”) describes how Cendryva, Inc. and its affiliates (collectively, “Cendryva,” “we,” “us,” or “our”) collect, use, disclose, retain, and otherwise process Personal Data in connection with the Cendryva platform, websites, applications, application programming interfaces, and related services (collectively, the “Services”). This Policy applies to visitors to our marketing properties, prospective and current customers, authorized users acting on behalf of a customer (each, an “Authorized User”), and individuals whose Personal Data is submitted to the Services by a customer (each, a “Data Subject”).
Where Cendryva processes Personal Data on behalf of a customer pursuant to a subscription agreement, master services agreement, or other commercial contract (each, a “Customer Agreement”), Cendryva acts as a processor (and the customer as the controller) within the meaning of Regulation (EU) 2016/679 (“GDPR”) and equivalent legislation. With respect to data we collect directly from website visitors and Authorized Users for our own administrative, security, billing, and product improvement purposes, Cendryva acts as a controller.
2. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person, as defined under applicable data protection law, including the GDPR, the UK Data Protection Act 2018, the California Consumer Privacy Act as amended (“CCPA/CPRA”), and comparable statutes.
- “Customer Data” means electronic data, content, and records submitted to or generated within the Services by or on behalf of a customer.
- “Sub-processor” means any third party engaged by Cendryva to process Customer Data on its behalf in furtherance of the Services.
- “Processing” bears the meaning ascribed to it under Article 4(2) of the GDPR.
3. Categories of Personal Data Collected
We collect the following categories of Personal Data, depending on the nature of the interaction:
- Identification and Contact Data: name, business email address, telephone number, employer, job title, and locale.
- Account and Credentialing Data: hashed authentication secrets, multi-factor authentication device identifiers, single sign-on assertions, session tokens, and role assignments.
- Customer Data: the operational records, key performance indicators, files, advisory session metadata, and other content that customers and Authorized Users submit to the Services.
- Billing and Transactional Data: billing contact, billing address, value-added tax identifiers, invoice history, and tokenized payment instrument references (we do not store full payment card numbers).
- Technical and Telemetry Data: IP address, device and browser identifiers, operating system, referring URL, page interaction events, diagnostic logs, and security telemetry necessary to operate, secure, and improve the Services.
- Communications Data: the contents of correspondence with our support, sales, security, and legal teams.
4. Purposes and Legal Bases of Processing
We process Personal Data for the following purposes and rely on the corresponding legal bases under Article 6(1) of the GDPR (and equivalent provisions of other applicable laws):
- Performance of a contract (Art. 6(1)(b)): provisioning the Services, authenticating Authorized Users, processing payments, and delivering customer support.
- Legitimate interests (Art. 6(1)(f)): securing the Services against fraud and abuse, conducting product analytics in aggregated or pseudonymized form, exercising or defending legal claims, and conducting limited B2B marketing to existing customers, in each case subject to a documented balancing test.
- Consent (Art. 6(1)(a)): non-essential cookies, optional marketing communications, and any processing for which consent is the most appropriate basis. Consent may be withdrawn at any time without affecting the lawfulness of processing carried out before withdrawal.
- Legal obligation (Art. 6(1)(c)): tax, accounting, anti-money-laundering, export-control, and lawful disclosure requirements.
- Vital and public interests (Art. 6(1)(d)–(e)): in narrowly defined emergencies affecting the security of the Services or its users.
5. Sources of Personal Data
We collect Personal Data directly from you (for example, when you register for an account, request a demonstration, or contact our teams), automatically through your interaction with the Services (for example, via cookies and similar technologies), and from third parties acting under instruction from you or your organization (for example, identity providers, integrations enabled by your administrator, and enrichment vendors used to validate business contact information).
6. Disclosure of Personal Data
We disclose Personal Data only as described below:
- Within your organization. Customer Data is accessible to Authorized Users in accordance with the access controls configured by your administrator.
- To Sub-processors bound by written contracts that impose data protection obligations no less protective than those in this Policy.
- To professional advisors (legal, accounting, audit, and insurance advisors), each subject to professional duties of confidentiality.
- For corporate transactions (merger, acquisition, financing, asset sale, or insolvency), subject to customary confidentiality protections.
- To public authorities where disclosure is required to comply with valid legal process. Cendryva will, where lawfully permitted, notify the affected customer and challenge requests that are overbroad or unlawful.
Cendryva does not sell Personal Data, and does not “share” Personal Data for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.
7. International Transfers
Cendryva is headquartered in the United States and may transfer Personal Data to, and process Personal Data in, jurisdictions other than the one in which it was originally collected. Where Personal Data originating in the European Economic Area, the United Kingdom, or Switzerland is transferred to a third country that has not received an adequacy determination, the transfer is governed by the Standard Contractual Clauses adopted by the European Commission (Decision (EU) 2021/914), the UK International Data Transfer Addendum, and supplementary measures identified through a transfer impact assessment, including encryption in transit and at rest, key custody outside the importing jurisdiction where appropriate, and contractual commitments to challenge unlawful access requests.
8. Retention
Personal Data is retained for the period necessary to fulfill the purposes described in Section 4, unless a longer retention period is required or permitted by law:
- Customer Data: for the duration of the Customer Agreement plus a thirty (30) day post-termination grace period during which the customer may export its data, after which it is irreversibly deleted from active systems and from backups in accordance with our backup rotation schedule.
- Authentication and access logs: retained for up to twelve (12) months for security and incident-response purposes.
- Audit and compliance records: retained for up to seven (7) years to satisfy SOC 2, financial-reporting, and statute-of-limitations obligations.
- Marketing data: retained until consent is withdrawn or the contact ceases to engage with our communications for twenty-four (24) consecutive months.
9. Data Subject Rights
Subject to applicable law, Data Subjects may exercise the following rights: access, rectification, erasure, restriction of processing, portability, objection, withdrawal of consent, and the right to lodge a complaint with a competent supervisory authority. California residents have additional rights under the CCPA/CPRA, including the right to know, the right to delete, the right to correct, the right to limit the use of sensitive personal information, and the right to non-discrimination for exercising any such right.
Where Cendryva acts as a processor, we will forward verifiable requests to the relevant customer and assist that customer in responding within the periods prescribed by applicable law. Where Cendryva acts as a controller, requests may be submitted to privacy@cendryva.com. We will respond within thirty (30) days, subject to extensions permitted by applicable law for unusually complex or numerous requests.
10. Security
Cendryva maintains an information security program reasonably designed to protect Personal Data against accidental or unlawful destruction, loss, or alteration, and against unauthorized disclosure or access. Controls include AES-256 encryption at rest, TLS 1.3 in transit with HSTS enforcement, key custody in a FIPS 140-2 validated key management service, role-based access control with least-privilege provisioning, mandatory multi-factor authentication for administrative access, continuous vulnerability management, annual third-party penetration testing, twenty-four-hour security monitoring, and a documented incident response plan exercised at least annually. Notwithstanding the foregoing, no system can be guaranteed to be completely secure, and Cendryva cannot warrant the absolute security of Personal Data.
11. Sub-processors
Cendryva engages Sub-processors to provide cloud infrastructure, transactional email, error monitoring, customer support tooling, and payment processing. A current list of Sub-processors is available upon written request to privacy@cendryva.com. Customers may subscribe to receive at least thirty (30) days’ advance notice of the appointment of a new Sub-processor and may object on reasonable, documented data-protection grounds in accordance with the Customer Agreement.
12. Children’s Privacy
The Services are intended exclusively for use by businesses and professionals. They are not directed to children under the age of sixteen (16), and Cendryva does not knowingly collect Personal Data from such individuals. If we become aware that we have collected Personal Data from a child without verified parental consent, we will take reasonable steps to delete that information.
13. Changes to this Policy
We may update this Policy from time to time. Material changes will be notified to customers and Authorized Users through the Services or by email at least thirty (30) days before they take effect, except where a shorter period is required by law or necessary to address a security or legal matter.
14. Contact and Data Protection Officer
Questions, complaints, or requests regarding this Policy may be directed to the Cendryva Data Protection Officer at privacy@cendryva.com. You may also contact your local supervisory authority. EU and UK residents may designate Cendryva’s appointed Article 27 representative; contact details are available upon request.
Last updated: 9 May 2026. © 2026 Cendryva, Inc. All rights reserved.