Legal
Privacy Policy
Version 1.0 — Effective date: 18 March 2026
This Privacy Policy explains how Ceturo ("we", "us", or "our") collects, uses, stores, and protects your personal data when you use our platform. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Data Controller
The data controller responsible for your personal data is your organisation's tenant administrator. Ceturo acts as a data processor on behalf of your organisation.
Each organisation (tenant) on the Ceturo platform independently controls how personal data is collected, processed, and managed within their workspace. Your organisation's Data Protection Officer (DPO) or system administrator is your primary point of contact for data-related enquiries.
2. Categories of Data Collected
We collect and process the following categories of personal data:
| Category | Data Fields | Source |
|---|---|---|
| Identity | First name, last name, email address | Provided by user / administrator |
| Authentication | Password hash, session tokens, login timestamps | Generated by system |
| Technical | IP address, user agent, browser type | Collected automatically |
| Consent | Consent preferences, policy version, grant/withdrawal timestamps | Provided by user |
| Audit | Action logs, entity changes, correlation IDs | Generated by system |
3. Purpose and Lawful Basis
We process your personal data for the following purposes, each with a corresponding lawful basis under GDPR Article 6:
| Purpose | Lawful Basis |
|---|---|
| Account management and authentication | Performance of contract (Art. 6(1)(b)) |
| Security monitoring and audit logging | Legitimate interest (Art. 6(1)(f)) |
| Analytics and service improvement | Consent (Art. 6(1)(a)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
4. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected. The following retention periods apply:
- Expired sessions: 30 days after expiration
- Read notifications: 180 days
- Soft-deleted user data: 90 days before full anonymisation
- Audit logs: approximately 7 years (2,555 days) for financial compliance
- Erasure requests: 30-day grace period before execution
Automated retention cleanup processes run periodically to remove data that has exceeded its retention period.
5. Data Subject Rights
Under GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15): Request a copy of all personal data held about you.
- Right to rectification (Art. 16): Correct inaccurate personal data via your profile settings.
- Right to erasure (Art. 17): Request deletion of your personal data, subject to a 30-day grace period.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format (JSON).
- Right to withdraw consent (Art. 7(3)): Withdraw any optional consent at any time without affecting the lawfulness of prior processing.
- Right to restrict processing (Art. 18): Request restriction of processing in certain circumstances.
- Right to object (Art. 21): Object to processing based on legitimate interest.
To exercise your rights, use the Privacy & Data section in your account settings, or contact your organisation's Data Protection Officer. See the Contact page for details.
6. Third-Party Data Sharing
We share personal data with third parties only when necessary for service delivery:
- SMTP provider: Transactional emails (password resets, notifications) are sent through our email service provider. Only the recipient email address and message content are shared.
- Infrastructure providers: Hosting and database services may process data as sub-processors under appropriate data processing agreements.
We do not sell, rent, or trade your personal data to any third party for marketing purposes. All sub-processors are bound by data processing agreements that ensure GDPR-compliant handling of personal data.
8. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Passwords hashed using bcrypt with appropriate cost factors
- PostgreSQL Row-Level Security (RLS) policies for tenant data isolation
- JWT-based authentication with short-lived access tokens
- Rate limiting to prevent brute-force attacks
- Account lockout after repeated failed login attempts
- Comprehensive audit logging of all data access and modifications
- Encrypted connections (TLS) for all data in transit
9. International Data Transfers
If your data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or transfers to countries with an adequacy decision.
10. Children's Privacy
Our platform is designed for business use and is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the application and update the version number and effective date at the top of this page. Your continued use of the platform after such changes constitutes acceptance of the updated policy.
We track which version of the privacy policy each user has consented to, ensuring full auditability of consent records.
12. Contact Information
For any questions about this Privacy Policy or to exercise your data subject rights, please contact your organisation's Data Protection Officer or visit our DPO Contact page.
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.