Skip to main content
Last updated: 1 May 2025

Privacy Notice

Version 0.1

This notice explains what personal data we collect, why we collect it, and how we protect it. We follow data minimization and transparency principles across every workflow.

What We Collect, Why We Collect It, And How Long We Keep It.

We avoid sensitive data whenever possible and only request the minimum information required to run compliance workflows.

Data CategoriesDataPurposeRetention
Account And AccessName; Work email; Role and permissionsProvision accounts, enforce access control, and maintain audit trails.Active account + 30 days.
Compliance RecordsRoPA records; DPIA and DTIA assessments; DSAR requests; Vendor risk filesProvide compliance workflows, evidence, and audit exports.Customer-configurable; deleted on request or per contract.
Usage And Security TelemetryFeature usage; Device and browser details; Login metadataImprove reliability, detect abuse, and measure platform health.Up to 24 months, with aggregation after 90 days.
Support CommunicationsSupport tickets; Attachments you provide; Contact historyResolve issues and maintain service quality.Up to 36 months, unless deleted earlier on request.
Billing And ContractsBilling contact; Invoices and payment status; Order formsBilling, taxation, and contract administration.Up to 10 years where required by law.

Clear, Documented, And Auditable Privacy Practices.

We show you what data is processed, where it lives, and how it is safeguarded. Every commitment is backed by evidence in the Trust Center.

  • Data minimization
  • Purpose limitation
  • Policy visibility

Clear Processing Purposes

We document each processing activity and make it visible in the Trust Center.

Retention Transparency

Retention periods are defined per data category and reviewed quarterly.

No Data Sale

Privexus does not sell personal data or use it for unrelated advertising.

Every Processing Activity Is Tied To A Defined Legal Basis.

We document the lawful basis for each workflow to ensure clarity, accountability, and transparent processing decisions.

Contract

Process account data to deliver the platform and administer agreements.

Legitimate Interests

Protect the service, detect abuse, and improve reliability.

Consent

Optional communications or analytics are used only when enabled.

Legal Obligation

Retain records required by law and respond to lawful requests.

Limited Sharing With Transparency And Safeguards.

We do not sell personal data. We share only what is required to operate the platform, and we publish subprocessor details in the Trust Center.

Subprocessors

Vetted providers for hosting, monitoring, and support. See the registry.

Customer Admins

Admins access data based on roles, approvals, and audit trails.

Regulators And Legal

Limited disclosure only when required by law or to protect rights.

Data Hosting

Currently hosted in Singapore and Cambodia, with planned full migration to Cambodia-based infrastructure.

Transfer Safeguards

Cross-border transfers use contractual safeguards such as SCCs.

Privacy By Design With Technical And Organizational Controls.

Security safeguards are designed to protect confidentiality, integrity, and availability across the platform.

Encryption

TLS in transit and AES-256 at rest with managed key rotation.

Access Controls

Role based access, SSO or MFA, and immutable audit logging.

Incident Response

We notify customers without undue delay per contract and law.

Your Rights

Understand and exercise your privacy rights regarding your personal data. We are dedicated to transparency and provide you with full control over your information.

  • Access and export your data.
  • Correct inaccuracies in records.
  • Request deletion when permitted by law.
  • Restrict processing in certain circumstances.
  • Object to certain processing activities.
  • Withdraw consent for optional processing.
  • Lodge a complaint with your supervisory authority.

For any requests or inquiries, please submit them via the button or email privacy@privexus.io. We verify identity and respond within 30 days.

Data Minimization And Processing Roles.

We limit collection to what is required and clearly define how we act as a processor on behalf of customers.

Data minimization

  • We collect only required fields for each workflow.
  • We avoid sensitive data unless explicitly needed.
  • We aggregate or anonymize telemetry whenever possible.

Processing roles

Privexus acts as a data processor for customer content. Customers remain controllers and decide what personal data is stored in the platform.

We use vetted subprocessors for hosting and support, and we provide full details in the Trust Center registry.

Clear Disclosures To Support Transparency And Accountability.

These statements clarify automated decision making, minors, and how updates are communicated.

Automated Decision-Making

Privexus does not use automated decisions with legal or similarly significant effects.

Children And Minors

The service is intended for business users and not for children under 16.

Updates To This Notice

Material changes are posted in the Trust Center with a clear effective date.

Questions About Privacy Practices Or Data Rights?

Our privacy team responds within one business day and can provide detailed evidence packs upon request.