1. Who we are
Secruna is the AI inventory and compliance platform for European organisations. We are headquartered in [TBD city, EU member state] and operate exclusively from within the European Union. Company registration details, VAT identifier and registered address will be published here once counsel review is complete.
You can reach our privacy team at privacy@secruna.com. If that mailbox does not respond within two business days, please escalate to hello@secruna.com.
2. Scope of this policy
This policy describes how we handle personal data on secruna.com and in our direct interactions with prospects, customers and partners — for example, via our contact form, demo requests and pre-sales email exchanges.
Customer tenant data — the data processed by the Secruna platform on behalf of an enterprise customer — is governed by the Data Processing Addendum, under which Secruna acts as a Processor and the customer is the Controller. This Privacy Policy does not override the DPA.
3. Data we collect
3.1 Marketing site analytics
We use a privacy-respecting analytics stack that records aggregate page views, referrers and anonymised device characteristics. Where the analytics provider sets cookies that are not strictly necessary, we ask for your consent first via the cookie banner. You can withdraw consent at any time.
3.2 Contact and demo form
When you contact us through the website we collect:
- Your name
- Your work email address
- Your company name (optional)
- The free-text message you send us
3.3 Email correspondence
When you email us we retain your message and our reply for the period set out in section 5. We do not run automated profiling on the content of your messages.
3.4 Cookies
We classify cookies into three buckets: strictly necessary, analytics, and marketing. Only strictly necessary cookies are set without consent. The cookie banner lists every cookie individually, including provider, lifetime and purpose.
4. Lawful basis for processing
- Contract / pre-contract (GDPR Art 6(1)(b)) — for handling your contact form submission, replying to your email and arranging a demo.
- Legitimate interest (GDPR Art 6(1)(f)) — for measuring the performance of our marketing site at an aggregate level, subject to your right to object. We balance this against your privacy expectations and only use the minimum data needed.
- Consent (GDPR Art 6(1)(a)) — for analytics and marketing cookies that are not strictly necessary.
- Legal obligation (GDPR Art 6(1)(c)) — for retaining records we are required to keep under tax, accounting or AML laws.
5. Retention
- Marketing leads (contact form, demo requests, pre-sales email): up to 12 months from the date of last contact, then deleted unless converted to a customer or unless you have asked us to keep you in the loop.
- Customer audit log entries: 7 years to satisfy GDPR Art 30 record-keeping and EU AI Act Art 12 logging obligations. See the DPA for details.
- Cookies: per the lifetime declared in the cookie banner for each individual cookie.
- Records required by tax, accounting or AML law: for the statutory period (typically 5 to 10 years depending on jurisdiction).
6. Sub-processors used by the marketing site
The marketing site itself uses a small number of sub-processors. These are separate from the customer-data sub-processors listed on the Subprocessors page.
- Cloudflare — DNS resolution and DDoS protection. Processes the IP address of visitors at the network layer.
- Amazon Web Services (CloudFront, S3) — content delivery and static asset hosting for the marketing site. Processes IP addresses at the network layer.
- Resend (or equivalent transactional email provider) — delivery of contact form responses and demo confirmations. Processes name, email address and message content.
- If and when we add a product analytics provider (such as Plausible or PostHog), it will be listed here before any personal data is sent to it.
7. Data residency and international transfers
All customer tenant data is stored exclusively in Microsoft Azure Sweden Central and never leaves the European Union. Marketing-site data processed by EU-resident sub-processors stays in the EU. Where a sub-processor (for example, Cloudflare or AWS) is headquartered outside the EU, transfers are governed by the EU Standard Contractual Clauses, supplemented where appropriate by the UK International Data Transfer Addendum.
8. Your rights as a data subject
Under GDPR you have the right to:
- Access the personal data we hold about you
- Have inaccurate data corrected
- Request deletion (the “right to be forgotten”)
- Restrict or object to processing
- Receive your data in a machine-readable format (data portability)
- Withdraw consent at any time, where consent is the basis
- Lodge a complaint with the supervisory authority in your EU member state of residence
To exercise any of these rights, email privacy@secruna.com. We respond within 30 days; complex requests may be extended by a further two months with notice.
9. Security
We apply the same technical and organisational measures described in the DPA to all personal data we hold, including TLS 1.2+ in transit, AES-256 at rest, role-based access control, multi-factor authentication on administrative access, time-bounded admin impersonation with four-eye review, and immutable audit logging. Confirmed personal data breaches affecting your data are notified to you within 24 hours of confirmation.
10. Children
Secruna’s services are intended for organisations, not individuals, and are not directed at children. We do not knowingly collect personal data from anyone under the age of 16. If you believe we hold such data, please contact us so we can delete it.
11. Changes to this policy
We will publish material changes to this policy on this page and, where appropriate, via a banner on the website or by email to active customers. The effective date at the top of the page reflects the version currently in force.
12. Contact
Privacy team: privacy@secruna.com
General: hello@secruna.com
Postal address: [TBD — pending counsel review]