Privacy Policy
This privacy notice explains how Celvaron (“Celvaron”, “we”, “us”, “our”) collects, uses and shares personal data when you visit celvaron.com or app.celvaron.com (together, the “Sites”), create an account or log in to our platform, communicate with us by email or phone, or interact with us through marketing, sales, events or social media.
Registered office ul. Sikorskiego 26, 53-659 Wrocław, Poland, email: privacy@celvaron.com. EU supervisory authority lead: Polish President of the Personal Data Protection Office (UODO).
Date of publication: 01 January 2025
Quick Summary
| What data? | Contact details, job information, account credentials (stored hashed), usage logs, support records. We do not process special-category (sensitive) data. |
| Why? | To operate our Sites and platform, authenticate users, manage customer relationships in HubSpot, send service emails or marketing (with consent), keep our systems secure and comply with law. |
| Legal bases (GDPR) | Contract (Art 6 (1)(b)), legitimate interest (Art 6 (1)(f)), consent (Art 6 (1)(a)), legal obligation (Art 6 (1)(c)). |
| Key processors | HubSpot Ireland Ltd. – CRM (EU data centre, Frankfurt). knowledge.hubspot.com Microsoft Ireland Operations Ltd. – Microsoft 365 within the Microsoft EU Data Boundary |
| International transfers | Primary hosting in the European Union. Limited support or analytics access from the United States is protected by Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework. |
| Retention | We keep personal data for up to five (5) years after your last interaction unless a longer period is required by law. |
| Your rights | Access, rectification, erasure, restriction, objection, data portability and (where we rely on consent) withdrawal at any time. |
When this notice applies
This notice governs any processing of personal information that takes place when you visit celvaron.com, when you sign in to or browse our platform at app.celvaron.com, when you exchange e-mails or telephone calls with us, or when you interact with us at events, on social media or in the ordinary course of business.
What personal data we collect
We collect only the information that is necessary for the legitimate operation of our software-as-a-service platform and the management of our commercial relationships. That information falls into four broad groups:
Contact and identity data. When you fill in a form, create an account or hand us a business card you generally provide your name, business e-mail address, job title, company, direct telephone number and, if you purchase a subscription, your invoicing address and VAT number.
Account-security credentials. If you create a password, we store nothing but a salted, one-way cryptographic hash of that password. Alternatively, you may authenticate with Google Workspace or Microsoft 365 Single-Sign-On; in that case we receive your verified e-mail address, display name and (where you allow it) profile picture.
Platform-usage and technical data. Each time you use the platform our servers log the IP address from which the request originated, the browser and device type, the pages visited and the actions performed. We retain those logs only to operate the service, resolve faults and protect the security of our users.
Commercial and correspondence records. E-mail messages, call notes, support tickets, purchase orders and invoices are stored in our HubSpot customer-relationship-management (CRM) system so that we can respond consistently to your enquiries and keep accurate financial accounts.
We never knowingly gather data about children under sixteen years of age and we do not intentionally process “special categories” of data such as health information, religious beliefs or biometric identifiers.
Why we process personal data and the legal bases we rely on
We process personal data for five principal reasons:
-
To provide and maintain the platform. We cannot create user accounts, authenticate log-ins, back up databases or deliver features and customer support without processing basic identity data and platform-usage logs. Under the GDPR this is processing necessary for the performance of a contract, Article 6 (1)(b).
-
To manage customer relationships and day-to-day communications. Storing correspondence in HubSpot allows our sales, success and support teams to answer questions without repeatedly asking you for the same information. We rely on our legitimate interest in running an efficient business, Article 6 (1)(f). You may object to this processing at any time.
-
To send service notices (and, where permitted, marketing). Transactional e-mails such as password-reset links or planned-maintenance notices reach you under the contract basis. Marketing e-mails are sent only with your prior consent or, in a business-to-business context, under the “soft opt-in” exemption allowed by EU e-privacy rules; you can unsubscribe with a single click and withdraw consent at any moment.
-
To protect the security of our systems and to prevent fraud or abuse. Intrusion-detection rules and activity logs help us enforce our terms of service and keep the platform reliable for everyone. The legal basis is legitimate interest and, in some cases, legal obligation.
-
To meet legal and regulatory duties. Tax, accounting and financial-services regulations oblige us to retain certain purchase records for up to seven years. We may also need to disclose data in response to valid court orders or supervisory-authority requests. Such processing is required to comply with the law, Article 6 (1)(c).
Where we store the data and who helps us process it
All routine data are stored on servers located in Kraków, Poland, and operated for us by cyber_Folks S.A. Our CRM provider, HubSpot Ireland Ltd., hosts its EU instance in the same region, while our productivity suite, Microsoft 365 (operated by Microsoft Ireland Operations Ltd.), keeps e-mails and documents within the Microsoft EU Data Boundary.
On occasion, engineers from HubSpot or Microsoft who are based outside the European Union may need to access limited data to resolve complex support incidents. Each such transfer is covered by the European Commission’s Standard Contractual Clauses or by the provider’s certification under the EU–US Data Privacy Framework, and access is logged, strictly role-based and encrypted in transit and at rest.
Apart from the infrastructure and service providers named above, personal data are shared only with professional advisers bound by confidentiality (lawyers, auditors, accountants) and—if we ever merge, divest or restructure—with the successor entity on condition that it honours this privacy notice.
Celvaron does not sell personal data under any definition of that term.
How long we keep your information
We keep ordinary business correspondence and CRM records for five years after your last meaningful interaction with us, after which they are automatically deleted or permanently anonymised unless the document must be preserved longer to meet a statutory retention duty. System back-ups are encrypted and overwritten on a rolling thirty-day schedule.
Your rights
If you live in the European Economic Area, the United Kingdom, Switzerland or another jurisdiction with comparable data-protection law, you have the right to request access to the personal data we hold about you, to have incorrect data rectified, to request erasure or restriction, to receive a structured and machine-readable copy of data you provided to us, and—where we rely on legitimate interest—to object to further processing. Where we rely on your consent (for example, to send marketing e-mails or place non-essential cookies), you may withdraw that consent at any time without affecting the lawfulness of processing that took place before the withdrawal.
To exercise any of those rights, please write to privacy@celvaron.com. We will reply within one month, and we may extend that period by up to two additional months if the request is complex, in which case we will inform you promptly. You also have the right to lodge a complaint with your local supervisory authority; Celvaron’s lead authority is the UODO in Poland.
Cookies and similar technology
The platform sets strictly necessary cookies to maintain your session and secure our forms against cross-site-request forgery. Analytical and marketing cookies—including the HubSpot or Google Ads or Meta Ads visitor-tracking script—are placed only after you consent through the cookie banner. Detailed information appears in our separate Cookie Notice, which you may open from the banner or the footer of every page.
We partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioral metrics, heatmaps, and session replay to improve and market our products/services. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for site optimization, fraud/security purposes, and advertising. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.
Do-Not-Track signals
At present no consistent industry standard exists for interpreting browser-based “Do-Not-Track” signals, and the Celvaron sites therefore do not respond to them. If a binding standard emerges, we will update this section.
California and other U.S. state privacy disclosures
Residents of California, Colorado, Connecticut, Utah and Virginia enjoy additional rights concerning access, deletion and the opt-out of “sale” or “sharing” for cross-context behavioural advertising. Because Celvaron neither sells personal data nor uses cross-context behavioural advertising, the practical effect of those statutes is limited, but we stand ready to confirm, correct or delete your personal data on request. Details are set out in our U.S. State Privacy Notice.
Changes to this notice
We may revise this privacy notice from time to time. Any material change will be announced on celvaron.com or, where appropriate, by e-mail to current account holders. The date at the top of the page always shows the latest revision.