1. Who We Are
Privexus is a digital compliance platform based in Phnom Penh, Cambodia. We provide solutions for data protection, data governance, records management, cybersecurity, and AI governance.
| Contact | Details |
|---|---|
| Email | privacy@privexus.io |
| Website | https://privexus.io |
| Trust Center | https://privexus.io/trust-center |
2. How This Notice Applies to You
This Privacy Notice explains how Privexus collects, uses, and protects your personal data when you:
- Use the Privexus Platform or related services
- Visit our website at privexus.io or associated subdomains
- Contact us for support, demos, or information
It is written in compliance with Cambodia's Law on Personal Data Protection (PDP Law).
If your organization is a Privexus customer: We may also process personal data on your behalf as a Data Processor. In that case, your organization's own privacy notice applies to its users. Our Data Processing Agreement — available at our Trust Center — governs that relationship.
3. Key Definitions
| Term | Plain English Meaning |
|---|---|
| Personal data | Any information that identifies you directly or indirectly — such as your name, work email, IP address, job title, or account details. |
| Sensitive data | A special category of personal data requiring higher protection, such as health information, biometric data, genetic data, religious beliefs, or criminal records. |
| Processing | Anything done with personal data — collecting, storing, using, sharing, updating, or deleting it. |
| Data Controller | The person or organization that decides why and how personal data is processed. |
| Data Processor | A person or organization that processes personal data on behalf of a Data Controller, following the Data Controller's instructions. |
| Data subject | The person the data is about — that may be you, a Platform user, an employee, a vendor, or any individual whose data appears in the Platform. |
4. Our Role: Data Controller or Data Processor?
Privexus plays two different roles depending on the context.
| Context | Our Role | What This Means |
|---|---|---|
| Account data, billing, website visits, and marketing | Data Controller | We decide how and why this data is processed. This notice applies in full. |
| Data you or your organization uploads into the Platform | Data Processor | Your organization is the Data Controller. We process only on your documented instructions. Our Data Processing Agreement governs this. |
If you are an individual whose data appears in a customer's Platform records (for example, as an employee or vendor), please contact that organization directly. You can also reach us at privacy@privexus.io for guidance.
5. What Personal Data We Collect
5.1 Data you or your organization provide
| Category | Examples |
|---|---|
| Account and access data | Name, work email, job title, role, authentication details, access logs |
| Organization and workspace data | Company name, tenant configuration, user roles and permissions |
| Support communications | Tickets, chat transcripts, meeting notes, attachments |
| Billing and contract data | Billing contact details, invoices, payment status, tax or VAT identifiers |
| Communication preferences | Opt-in status for newsletters, product updates, or events |
Some fields are required to create an account or provide the service. Optional fields may improve your experience but are not required.
5.2 Data we collect automatically
| Category | Examples |
|---|---|
| Usage and security telemetry | Feature usage, pages viewed, device and browser details, IP address, timestamps, log data |
| Website data | Pages visited, referring URLs, approximate location derived from IP address |
| Cookie identifiers | Session tokens, analytics cookies, preference cookies — see Section 11 for details |
5.3 Customer content
Customer content is personal data that you or your organization uploads or generates within the Platform — for example, records of processing activities, DPIA entries, incident reports, governance documents, or compliance assessments.
We process customer content only on your documented instructions under our Data Processing Agreement. We do not use customer content for marketing, and we do not sell it or use it to train AI models.
6. Why We Collect Your Data — Purposes and Legal Bases
We process your personal data only when we have a lawful basis to do so under the PDP Law.
| Purpose | Data Involved | Legal Basis |
|---|---|---|
| Provide and perform the Platform under our contract with customers | Account data, customer content, organization data | Contract |
| Provision accounts, manage authentication, and maintain access controls | Account and access data, audit logs | Contract & Legitimate Interest |
| Deliver support, onboarding, training, and service communications | Account data, support communications | Contract & Legitimate Interest |
| Monitor platform performance, detect abuse, and maintain security | Usage telemetry, security logs, IP address | Legitimate Interest |
| Process billing, payments, and meet tax obligations | Billing and contract data | Contract & Legal Obligation |
| Send product updates, events, or marketing emails you opted into | Email address, communication preferences | Consent |
| Comply with legal obligations and respond to regulatory requests | Account data, relevant records | Legal Obligation |
| Establish, exercise, or defend legal claims | Relevant account and transaction data | Legitimate Interest |
Consent: Where we rely on your consent, you can withdraw it at any time — this does not affect any processing we carried out before your withdrawal.
Legitimate interests: Where we rely on legitimate interests, we assess the balance between our interests and your rights. You can object to this processing at any time — see Section 12.
7. Sensitive Data and Children
Sensitive data:
The Privexus Platform is not designed to require sensitive personal data (such as health data, biometric data, or religious information) for standard use. However, customers may upload documents containing sensitive data as part of compliance workflows. If this occurs, the customer is responsible for ensuring a valid legal basis and any additional conditions required by the PDP Law.
If you believe sensitive data has been submitted in error, contact us at privacy@privexus.io.
Children:
The Platform is designed for business users. We do not knowingly collect personal data from individuals under 16. If you believe a child's data has been submitted, please contact us immediately.
9. International Data Transfers
Your personal data may be transferred outside Cambodia when necessary to deliver the Platform.
Primary hosting location: Singapore.
We transfer personal data outside Cambodia only when the conditions of the PDP Law are met. Where required, we obtain permission from the Ministry of Post and Telecommunications and apply appropriate safeguards, including data processing agreements with all sub-processors.
Current transfer destinations, safeguards, and transfer assessments are documented and available upon request. Refer to our Trust Center for the Subprocessor Registry and full transfer details.
10. How Long We Keep Your Data
We retain your personal data only for as long as necessary for the purpose it was collected, or as required by law.
| Data Category | Retention Period |
|---|---|
| Account data | Duration of the customer relationship, plus up to 6 months after account closure or contract termination (unless longer is required for disputes or legal obligations) |
| Customer content | In accordance with customer instructions and the applicable contract; deleted, returned, or anonymized when no longer needed |
| Usage and security telemetry | Only as long as needed for operational security, service improvement, and fraud prevention, then deleted or irreversibly anonymized |
| Support communications | Up to 12 months after ticket closure to manage service quality, disputes, and training, unless longer is required by law |
| Billing and contract records | As required by applicable accounting, tax, audit, and dispute-resolution obligations — varies by record type |
| Marketing data | Until consent is withdrawn, an objection is received, or 12 months of inactivity — whichever comes first |
We may retain data for longer periods if required to establish, exercise, or defend legal claims.
12. Your Rights Under the PDP Law
Cambodia's PDP Law gives you the following rights in relation to your personal data. Some rights may be limited where data is required to comply with legal obligations, protect security, or establish legal claims.
| Right | What It Means |
|---|---|
| Right to information | Be informed before or when your data is collected — who collects it, why, on what legal basis, and who receives it |
| Right of access | Request a copy of the personal data we hold about you, including transfer safeguards where applicable |
| Right to rectification | Ask us to correct inaccurate or incomplete data without delay |
| Right to erasure | Ask us to delete your data when it is no longer needed, consent is withdrawn, or processing is unlawful |
| Right to restriction | Ask us to pause processing of your data in certain circumstances |
| Right to data portability | Receive your data in a structured, commonly used format when processing is based on consent or contract and carried out automatically |
| Right to object | Object to processing based on legitimate interests or public interest. You have an absolute right to object to direct marketing at any time |
| Right to withdraw consent | Withdraw consent at any time without affecting processing already carried out |
| Right to human involvement | Request human review of any automated decision that significantly affects you |
| Right to lodge a complaint | File a complaint with the Ministry of Post and Telecommunications or the relevant supervisory authority in your jurisdiction |
13. How to Exercise Your Rights
Submit a request:
- Privacy Request Portal: privexus.io/contact
- Email: privacy@privexus.io
Please include enough information for us to verify your identity. We may request additional verification to protect against unauthorized access. Accepted methods include email verification to your registered account address, followed by identity confirmation for sensitive requests.
| Topic | Details |
|---|---|
| Response time | We respond within one month. For complex or high-volume requests, we may extend this by up to two additional months — we will notify you. |
| Fees | Rights requests are generally free of charge. A reasonable fee may apply if you submit more than two requests in a quarter, or if requests are manifestly unfounded or excessive. |
| Authorized agents | Provide a signed letter of authorization from the data subject along with your own identity verification. Send documentation to privacy@privexus.io. |
If your data appears in a customer's records within the Platform, we may need to redirect your request to that customer (the Data Controller). We will let you know and explain how to seek further remedy or file a complaint.
14. Automated Decision-Making and AI Features
Privexus uses third-party providers to support AI-assisted features within the Platform. These features help customers manage compliance activities — such as records of processing activities (ROPA), data protection impact assessments (DPIAs), and related workflows.
Relevant user inputs may be processed by those providers on our behalf, under applicable contractual and security safeguards.
These tools assist users and do not make decisions with legal or similarly significant effects on individuals on their own.
If this changes, we will update this notice, provide advance notice, and ensure you can request human involvement in any such decision.
15. Security and Breach Notification
We apply technical and organizational measures to protect the confidentiality, integrity, availability, and resilience of your personal data. Our measures include:
- Encryption in transit and at rest
- Role-based access controls, multi-factor authentication, and audit logging
- Segregated customer environments with least-privilege access
- Vulnerability management, monitoring, and incident response procedures
- Resilience and recovery measures
- Regular testing and evaluation of security controls
If a breach occurs:
- If the breach may pose a risk to data subjects, we will notify the Ministry of Post and Telecommunications within 72 hours of becoming aware of it.
- If the breach presents a high risk to your rights and freedoms, we will notify you directly without undue delay.
16. How We Govern Privacy Internally
We build and operate the Platform with privacy by design and by default, applying PDP Law principles when developing new features and making changes. Our governance activities include:
- Maintaining records of processing activities under our responsibility
- Conducting Personal Data Impact Assessments for high-risk processing
- Adopting internal policies and reviewing technical and organizational measures regularly
- Restricting access to personal data based on roles, business need, and logging
- Training all personnel on data protection obligations and incident response
- Conducting vendor due diligence and maintaining data processing agreements with all sub-processors
17. Updates to This Notice
We may update this Privacy Notice from time to time. Any material updates will be published on our Trust Center with a clear effective date.
If changes materially affect your rights, we will:
- Send an email notification to registered users, and
- Post an updated notice on our Trust Center
We recommend reviewing this notice periodically. Previous versions are available on request.
18. Contact Us
For questions, rights requests, or complaints, please contact us:
| Contact | Details |
|---|---|
| Organization | Privexus |
| Location | Phnom Penh, Cambodia |
| Email | privacy@privexus.io |
| Privacy Request Portal | privexus.io/contact |
| Trust Center | privexus.io/trust-center |
If you are not satisfied with our response, you have the right to file a complaint with the Ministry of Post and Telecommunications of Cambodia, the competent data protection authority.
This notice is effective as of 1 May 2025.