Privacy Policy

Section 01

Who We Are

Cyvra is an IT, cybersecurity, and artificial intelligence consultancy formed through the merger of three specialist firms operating across the Netherlands, the United Kingdom, and Brazil. We help businesses manage their IT infrastructure, reduce cyber risk, achieve regulatory compliance, and implement AI solutions.

For the purposes of data protection law, Cyvra acts as the data controller for personal data processed in connection with our website, marketing activities, and client relationships.

Data Controller: Cyvra (Netherlands) and its affiliated entities in the UK and Brazil. Contact: privacy@cyvra.nl

Our EU/EEA lead supervisory authority is the Autoriteit Persoonsgegevens (AP) in the Netherlands. UK data subjects fall under the jurisdiction of the Information Commissioner's Office (ICO). Brazilian data subjects are covered by the Autoridade Nacional de Proteção de Dados (ANPD) under the LGPD.

Section 02

Data We Collect

Data you give us directly

Contact form submissions: name, work email, company, job title, and the content of your message
Email correspondence: any personal data contained in emails you send us
Career applications: name, contact details, CV, and any other information you include in an application
Client and partner onboarding: business contact details, billing information, and information required to deliver contracted services
Event sign-ups and webinars: name, email, and employer where you register for events we host

Data collected automatically

Usage data: pages visited, time on site, referral source, and interactions with page elements
Technical data: IP address, browser type and version, device type, operating system, and screen resolution
Cookie data: see Section 9 for full details

Data from third parties

LinkedIn and professional networks: if you interact with our company page or connect with our team, we may receive limited profile data
Referral partners: contact details shared with us by a partner as part of a legitimate referral arrangement

We do not collect special category data (health, religion, biometric data, etc.) through our website or standard business processes unless it is voluntarily provided and specifically required to deliver a contracted service.

Section 03

How We Use Your Data

Purpose	Data used	Legal basis
Responding to enquiries and contact form submissions	Name, email, company, message content	Legitimate interests
Delivering contracted services to clients	Contact details, billing data, project-related data	Contract performance
Sending service-related communications (updates, invoices, reports)	Name, email, contract details	Contract performance
Marketing emails and newsletters	Name, email, company, engagement data	Consent or legitimate interests
Improving our website and services	Usage data, technical data, cookie data	Legitimate interests
Processing job applications	Name, contact details, CV, application content	Legitimate interests / pre-contract steps
Complying with legal and regulatory obligations	Identity, financial, and contractual records	Legal obligation
Fraud prevention and security	Technical data, usage data	Legitimate interests / legal obligation

Section 04

Legal Basis for Processing

Under GDPR Article 6, we rely on the following legal bases to process personal data:

Legitimate interests (Article 6(1)(f))

We process data for purposes that are necessary for our legitimate business interests, responding to enquiries, improving our services, network security, and direct marketing to existing and prospective clients — where those interests are not overridden by your data protection rights. You have the right to object to processing on this basis.

Contract performance (Article 6(1)(b))

Where you have engaged us for services, we process your data as necessary to fulfil our contractual obligations, including project delivery, invoicing, and support.

Legal obligation (Article 6(1)(c))

We retain certain data to comply with financial, tax, and regulatory obligations applicable to our business.

Consent (Article 6(1)(a))

Where we rely on consent, such as for marketing emails to individuals who are not existing clients or for non-essential cookies, you may withdraw that consent at any time without affecting the lawfulness of prior processing. To withdraw consent, contact us at privacy@cyvra.nl or use the unsubscribe link in any marketing email.

Legal bases under the LGPD (Brazilian data subjects)

For personal data relating to individuals in Brazil, processing is carried out in accordance with the Lei Geral de Proteção de Dados (LGPD, Law No. 13,709/2018). The LGPD sets out ten legal bases for processing in Article 7. The bases we rely on map to those described above: consent (Art. 7(I)), compliance with a legal or regulatory obligation (Art. 7(II)), execution of a contract or pre-contractual steps (Art. 7(V)), the legitimate interests of the controller, provided they do not override the data subject's fundamental rights and freedoms (Art. 7(IX)), and fraud prevention and the protection of the holder's safety (Art. 7(VII)). We do not process sensitive personal data (Art. 11 LGPD) in our standard business operations.

Section 05

Sharing Your Data

We do not sell personal data. We share data only where necessary, and only with parties who are contractually required to protect it.

Service providers (data processors)

Email and communication platforms: used to manage enquiries and marketing communications
CRM and project management tools: used to manage client relationships and service delivery
Cloud infrastructure providers: hosting and storage of business data
Analytics providers: aggregated, anonymised website usage data
Accounting and payroll software: for financial administration

All processors are subject to Data Processing Agreements (DPAs) requiring them to process data only on our documented instructions and to implement appropriate security measures.

Other disclosures

Within the Cyvra group: our Netherlands, UK, and Brazil entities may share data with each other where necessary to deliver services
Legal requirements: where required by law, court order, or regulatory authority
Business transfers: in the event of a merger, acquisition, or sale of assets, data may be transferred to the successor entity subject to equivalent privacy protections

Section 06

International Transfers

Cyvra operates across the Netherlands (EU), United Kingdom, and Brazil. Data may be transferred between these entities as part of normal business operations.

EU to UK: The UK benefits from an EU adequacy decision, meaning transfers from the EU/EEA to the UK do not require additional safeguards. EU/UK to Brazil: Brazil's LGPD framework is recognised as providing adequate protections; transfers are additionally covered by Standard Contractual Clauses where required.

Where we transfer data to third-party processors outside the EEA or UK, we use appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission, UK International Data Transfer Agreements (IDTAs), or rely on an adequacy decision. You may request a copy of the relevant safeguards by contacting privacy@cyvra.nl.

Section 07

Data Retention

We keep personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by law.

Data type	Retention period	Reason
Contact form enquiries (no contract)	12 months	Legitimate interests in follow-up
Client records and contracts	7 years after contract end	Legal and tax obligations
Financial and invoicing records	7 years	Tax and accounting law
Job applications (unsuccessful)	6 months	Legitimate interests; potential future roles
Marketing opt-in records	3 years from last engagement or withdrawal	Evidence of consent
Website analytics data	26 months (aggregated)	Service improvement
Security and access logs	12 months	Security monitoring and incident response

When data is no longer required, we delete or anonymise it securely. You may request early deletion of your data, see Section 8.

Section 08

Your Rights

Under GDPR, UK GDPR, and the LGPD, you have the following rights in relation to your personal data. Most requests will be fulfilled within one month (GDPR/UK GDPR) or within 15 days (LGPD). They are free of charge unless requests are manifestly unfounded or excessive.

Right of access

Request a copy of the personal data we hold about you and information about how we use it (a Subject Access Request).

Right to rectification

Request correction of inaccurate or incomplete personal data we hold about you.

Right to erasure

Request deletion of your personal data where we have no legitimate reason to continue processing it (the "right to be forgotten").

Right to restriction

Request that we restrict processing of your data, for example, while you contest its accuracy or object to our use of it.

Right to portability

Receive your personal data in a structured, machine-readable format and transfer it to another controller where technically feasible.

Right to object

Object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling grounds.

Withdraw consent

Where processing is based on consent, withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.

Automated decisions

Rights related to automated decision-making and profiling. We do not currently make solely automated decisions with significant legal effects.

To exercise any of these rights, contact us at privacy@cyvra.nl. We may need to verify your identity before processing a request. We will respond within one calendar month, though complex requests may take up to three months with prior notice.

Section 09

Cookies

Cookies are small text files stored on your device when you visit our website. We use the following categories:

Category	Purpose	Basis
Strictly necessary	Essential for the website to function, for example, remembering your theme preference (dark/light mode)	Not subject to consent
Analytics	Understanding how visitors use our site, pages viewed, session duration, traffic sources. Data is aggregated and anonymised where possible.	Consent
Functional	Remembering preferences and settings to improve your experience on return visits	Consent
Marketing	We do not currently use marketing or advertising cookies on this site	N/A

You can manage cookie preferences at any time using the Cookie Settings link in the footer. Most browsers also allow you to block or delete cookies through their settings, note that doing so may affect the functionality of some parts of our site.

Section 10

Security

We implement technical and organisational measures appropriate to the risk, including:

Encryption of data in transit (TLS) and at rest
Access controls and principle of least privilege across all systems
Regular security assessments and penetration testing
Staff training on data protection and security awareness
Incident response procedures and breach notification processes

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, affected individuals without undue delay.

Section 11

Children's Data

Our services and website are directed at business professionals and are not intended for individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has submitted personal data to us, contact us at privacy@cyvra.nl and we will delete it promptly.

Section 12

Changes to This Policy

We review this policy periodically and update it when our practices change or when required by law. Material changes will be communicated to existing clients and subscribers by email. The "last updated" date at the top of this page always reflects the most recent revision.

We encourage you to review this policy whenever you interact with us to stay informed about how we protect your data.

Section 13

Contact & Complaints

For any questions about this policy, to exercise your rights, or to raise a concern about how we handle your data, contact our privacy team:

Email: privacy@cyvra.nl
We aim to respond to all privacy-related queries within 5 business days.

Right to complain to a supervisory authority

If you believe we have not handled your data in accordance with applicable law, you have the right to lodge a complaint with the relevant supervisory authority:

Netherlands / EU: Autoriteit Persoonsgegevens (AP)
United Kingdom: Information Commissioner's Office (ICO)
Brazil: Autoridade Nacional de Proteção de Dados (ANPD)

We would always prefer to resolve concerns directly, so please contact us first and we will do our best to address your concern promptly.