Legal

Privacy Policy

Version 1.0 — Effective date: 18 March 2026

This Privacy Policy explains how Ceturo ("we", "us", or "our") collects, uses, stores, and protects your personal data when you use our platform. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Data Controller

The data controller responsible for your personal data is your organisation's tenant administrator. Ceturo acts as a data processor on behalf of your organisation.

Each organisation (tenant) on the Ceturo platform independently controls how personal data is collected, processed, and managed within their workspace. Your organisation's Data Protection Officer (DPO) or system administrator is your primary point of contact for data-related enquiries.

2. Categories of Data Collected

We collect and process the following categories of personal data:

CategoryData FieldsSource
IdentityFirst name, last name, email addressProvided by user / administrator
AuthenticationPassword hash, session tokens, login timestampsGenerated by system
TechnicalIP address, user agent, browser typeCollected automatically
ConsentConsent preferences, policy version, grant/withdrawal timestampsProvided by user
AuditAction logs, entity changes, correlation IDsGenerated by system

3. Purpose and Lawful Basis

We process your personal data for the following purposes, each with a corresponding lawful basis under GDPR Article 6:

PurposeLawful Basis
Account management and authenticationPerformance of contract (Art. 6(1)(b))
Security monitoring and audit loggingLegitimate interest (Art. 6(1)(f))
Analytics and service improvementConsent (Art. 6(1)(a))
Marketing communicationsConsent (Art. 6(1)(a))
Compliance with legal obligationsLegal obligation (Art. 6(1)(c))

4. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected. The following retention periods apply:

  • Expired sessions: 30 days after expiration
  • Read notifications: 180 days
  • Soft-deleted user data: 90 days before full anonymisation
  • Audit logs: approximately 7 years (2,555 days) for financial compliance
  • Erasure requests: 30-day grace period before execution

Automated retention cleanup processes run periodically to remove data that has exceeded its retention period.

5. Data Subject Rights

Under GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15): Request a copy of all personal data held about you.
  • Right to rectification (Art. 16): Correct inaccurate personal data via your profile settings.
  • Right to erasure (Art. 17): Request deletion of your personal data, subject to a 30-day grace period.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format (JSON).
  • Right to withdraw consent (Art. 7(3)): Withdraw any optional consent at any time without affecting the lawfulness of prior processing.
  • Right to restrict processing (Art. 18): Request restriction of processing in certain circumstances.
  • Right to object (Art. 21): Object to processing based on legitimate interest.

To exercise your rights, use the Privacy & Data section in your account settings, or contact your organisation's Data Protection Officer. See the Contact page for details.

6. Third-Party Data Sharing

We share personal data with third parties only when necessary for service delivery:

  • SMTP provider: Transactional emails (password resets, notifications) are sent through our email service provider. Only the recipient email address and message content are shared.
  • Infrastructure providers: Hosting and database services may process data as sub-processors under appropriate data processing agreements.

We do not sell, rent, or trade your personal data to any third party for marketing purposes. All sub-processors are bound by data processing agreements that ensure GDPR-compliant handling of personal data.

7. Cookies and Tracking

Our application uses cookies for essential functionality and, with your consent, for analytics purposes. For detailed information about the cookies we use, please refer to our Cookie Policy.

You can manage your cookie preferences at any time through the consent banner or the Privacy & Data section in your account settings.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Passwords hashed using bcrypt with appropriate cost factors
  • PostgreSQL Row-Level Security (RLS) policies for tenant data isolation
  • JWT-based authentication with short-lived access tokens
  • Rate limiting to prevent brute-force attacks
  • Account lockout after repeated failed login attempts
  • Comprehensive audit logging of all data access and modifications
  • Encrypted connections (TLS) for all data in transit

9. International Data Transfers

If your data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or transfers to countries with an adequacy decision.

10. Children's Privacy

Our platform is designed for business use and is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the application and update the version number and effective date at the top of this page. Your continued use of the platform after such changes constitutes acceptance of the updated policy.

We track which version of the privacy policy each user has consented to, ensuring full auditability of consent records.

12. Contact Information

For any questions about this Privacy Policy or to exercise your data subject rights, please contact your organisation's Data Protection Officer or visit our DPO Contact page.

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.