GDPR Notice

Last updated: May 2, 2026

This GDPR Notice supplements our Privacy Policy and provides additional information for individuals located in the European Economic Area (EEA), the United Kingdom (UK), and Switzerland regarding their rights under the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the UK Data Protection Act 2018.

1. Data Controller (Article 4(7))

Cuvion CRM acts as the data controller for personal data we collect and process through our website and services.

Note: As a small business, we are not currently required to appoint a Data Protection Officer (DPO) under GDPR Article 37. For privacy inquiries, please contact us at the email above.

2. Principles of Processing (Article 5)

We adhere to the GDPR's seven principles of processing:

  • Lawfulness, fairness and transparency — processing has a legal basis and is communicated clearly
  • Purpose limitation — data is collected for specified, explicit, and legitimate purposes
  • Data minimisation — only data necessary for the stated purpose is collected
  • Accuracy — inaccurate data is corrected or erased
  • Storage limitation — data is kept only as long as necessary
  • Integrity and confidentiality — appropriate security measures are applied
  • Accountability — we maintain records of processing activities

3. Lawful Basis for Processing (Article 6)

We process your personal data on the following legal grounds:

  • Article 6(1)(b) — Contract: processing necessary for the performance of a contract (account registration, providing CRM services)
  • Article 6(1)(c) — Legal obligation: compliance with legal requirements (tax, regulatory audits)
  • Article 6(1)(f) — Legitimate interests: system security, anti-bot protection, fraud prevention
  • Article 6(1)(a) — Consent: for marketing communications, analytics cookies, optional features

4. Categories of Personal Data Processed

  • Identity data: first name, last name
  • Contact data: email address, phone number
  • Account data: company name, registration data, usage logs
  • Technical data: hashed IP address, browser information, session cookies
  • Marketing data: chatbot interactions, lead form content
  • Financial data: billing/subscription status (card data is processed by LemonSqueezy; we do not store it)

We do not process special categories of personal data (Article 9) such as health, ethnicity, religious beliefs, or political opinions.

5. International Data Transfers (Articles 44-49)

We transfer personal data outside the EEA to the following processors based in the United States:

  • Cloudflare, Inc. — Bot protection (Turnstile)
  • Google LLC — AI processing (Gemini)
  • OpenAI, Inc. — Backup AI processor
  • LemonSqueezy — Payment processing

These transfers are protected by appropriate safeguards under Article 46, including the EU Standard Contractual Clauses (SCCs) issued by the European Commission, supplemented by additional technical and organisational measures (PII masking before sending data to AI processors, encryption in transit).

6. Data Retention

  • Chatbot conversations: 90 days (5 years if converted to a lead)
  • Contact form submissions: 5 years (legitimate business interest)
  • Account data: while the account is active, plus 30 days after a deletion request
  • Anti-bot event logs: 90 days (security purpose)

7. Your Rights (Articles 15-22)

7.1. Right of Access (Article 15)

You have the right to obtain confirmation of whether your personal data is being processed, and a copy of the data we hold about you.

7.2. Right to Rectification (Article 16)

You may request correction of inaccurate or incomplete personal data we hold about you.

7.3. Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data when:

  • The data is no longer necessary for the purposes collected
  • You withdraw consent (where consent is the basis)
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • Erasure is required to comply with a legal obligation

7.4. Right to Restriction of Processing (Article 18)

You may request that we limit the processing of your data in certain circumstances.

7.5. Right to Data Portability (Article 20)

Where processing is based on consent or contract, you have the right to receive your data in a structured, commonly used, machine-readable format and to transmit it to another controller.

7.6. Right to Object (Article 21)

You have the right to object to processing based on legitimate interests, including profiling. You can also object at any time to processing for direct marketing purposes.

7.7. Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to a decision based solely on automated processing that produces legal effects or significantly affects you. We do not currently engage in such automated decision-making.

7.8. Right to Withdraw Consent (Article 7(3))

Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.

8. How to Exercise Your Rights

To exercise any of the rights described above, please contact us at:

  • Email: privacy@cuvioncrm.com (subject: "GDPR Request")
  • We respond to all legitimate requests within 30 days (Article 12(3))
  • We may need to verify your identity before fulfilling requests
  • Our response is provided free of charge unless requests are manifestly unfounded or excessive (Article 12(5))

9. Right to Lodge a Complaint (Article 77)

If you believe we have processed your data in violation of GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

The list of EU supervisory authorities is available at: European Data Protection Board.

UK residents may complain to the Information Commissioner's Office (ICO).

10. Data Breach Notification (Article 33)

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk, we will also notify affected individuals without undue delay (Article 34).

11. Updates to This Notice

We may update this GDPR Notice from time to time. Significant changes will be communicated via the website and/or email. The "Last updated" date at the top of this page indicates the most recent revision.

