Privacy Policy
Last updated: February 2026
1. Introduction
This Privacy Policy explains how CBIP Solutions ("we", "us", or "our"), operating at cbip-solutions.org, collects, uses, stores, and protects your personal data when you visit our website, create an account, or use our services.
We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.
By accessing or using our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, please do not use our services.
2. Data Controller
The data controller responsible for your personal data is:
- Entity: CBIP Solutions
- Location: Spain
- Privacy contact: privacy@cbip-solutions.org
For any questions or concerns about how we handle your personal data, or to exercise any of your rights under the GDPR, please contact us at the email address above.
3. Data We Collect
We collect and process the following categories of personal data:
3.1 Account Data
When you register for an account, we collect:
- Full name
- Email address
- Password (stored as a salted cryptographic hash; we never store plaintext passwords)
- Organisation name (optional)
- Country of residence
3.2 Payment Data
When you subscribe to a paid plan, payment processing is handled entirely by our payment processor, Paddle.com Market Limited ("Paddle"). Paddle acts as the Merchant of Record for all transactions. We do not collect, store, or have access to your full credit card number or bank account details. We receive from Paddle:
- Paddle customer ID and subscription ID
- Subscription plan, status, and billing cycle
- Payment method type (e.g. card brand, last four digits)
- Transaction history (amounts, dates, invoice references)
- Billing address and VAT number (if provided)
3.3 Usage Data
When you use our API and platform services, we collect:
- API requests made (endpoints, timestamps, response codes)
- Feature usage and interaction patterns within the dashboard
- Subscription usage metrics (e.g. request counts against plan limits)
- Search queries submitted to the platform
3.4 Technical Data
When you visit our website or use our services, we automatically collect:
- IP address
- Browser type and version
- Operating system
- Referring URL
- Pages visited and time spent on each page
- Device type and screen resolution
- Preferred language
4. Legal Bases for Processing
We process your personal data only where we have a valid legal basis under Article 6 of the GDPR. The legal bases we rely on depend on the specific processing activity:
4.1 Performance of a Contract (Article 6(1)(b))
Processing that is necessary for the performance of our contract with you, or to take steps at your request before entering into a contract. This includes:
- Creating and managing your account
- Processing your subscription and providing access to paid features
- Delivering API services in accordance with your subscription plan
- Providing customer support related to your account or services
- Sending transactional communications (e.g. subscription confirmations, payment receipts, service notifications)
4.2 Legitimate Interest (Article 6(1)(f))
Processing that is necessary for our legitimate interests, provided those interests are not overridden by your fundamental rights and freedoms. This includes:
- Monitoring and improving the performance, reliability, and security of our platform
- Analysing aggregated usage patterns to improve our products and services
- Detecting, preventing, and responding to fraud, abuse, or security threats
- Enforcing our Terms of Service
- Maintaining internal business records and administration
4.3 Consent (Article 6(1)(a))
Where we rely on your consent, you have the right to withdraw it at any time. This applies to:
- Sending marketing communications (e.g. product updates, newsletters, feature announcements)
- Setting non-essential cookies and similar tracking technologies
- Any other processing activity for which we have specifically requested your consent
You may withdraw consent at any time by contacting us at privacy@cbip-solutions.org or by using the unsubscribe link in any marketing email. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
4.4 Legal Obligation (Article 6(1)(c))
Processing that is necessary for compliance with a legal obligation to which we are subject. This includes:
- Retaining financial and transaction records as required by tax and accounting regulations
- Responding to lawful requests from regulatory authorities or law enforcement
- Fulfilling obligations under applicable anti-money laundering or counter-terrorism legislation
5. How We Use Your Data
We use the personal data we collect for the following purposes:
- Service delivery: To create and maintain your account, authenticate your access, and provide the services you have subscribed to.
- Payment processing: To facilitate subscription billing through Paddle, manage plan changes, and maintain transaction records.
- Platform improvement: To analyse usage patterns (in aggregate where possible), identify performance bottlenecks, and improve the user experience.
- Security and integrity: To monitor for suspicious activity, enforce rate limits, detect abuse, and protect the platform and its users.
- Communication: To send you transactional messages about your account and services. Where you have opted in, to send marketing communications about product updates and new features.
- Legal compliance: To comply with applicable laws, regulations, and legal processes, including responding to lawful data requests.
6. Data Processors and Third-Party Services
We share your personal data with the following categories of third-party processors, each bound by data processing agreements that ensure GDPR-compliant handling of your data:
6.1 Paddle (Payments)
- Provider: Paddle.com Market Limited
- Purpose: Payment processing, subscription management, tax compliance, and invoice generation
- Data shared: Name, email, billing address, subscription details
- Location: United Kingdom / European Economic Area
- Privacy policy: paddle.com/legal/privacy
6.2 Vercel (Frontend Hosting)
- Provider: Vercel Inc.
- Purpose: Hosting and serving the CBIP Solutions website and web application
- Data shared: IP address, request headers, and other technical data transmitted during website visits
- Location: United States (with global edge network)
- Privacy policy: vercel.com/legal/privacy-policy
6.3 Hetzner (Backend Infrastructure)
- Provider: Hetzner Online GmbH
- Purpose: Hosting backend services, databases, and API infrastructure
- Data shared: All data stored in our backend systems, including account data, usage data, and API request logs
- Location: Germany / Finland (European Union)
- Privacy policy: hetzner.com/legal/privacy-policy
6.4 Cloudflare (CDN and Security)
- Provider: Cloudflare Inc.
- Purpose: Content delivery, DDoS protection, DNS management, and web application firewall services
- Data shared: IP address, request headers, and other network-level data transmitted during access to our services
- Location: United States (with global edge network)
- Privacy policy: cloudflare.com/privacypolicy
We do not sell your personal data to any third party. We only share data with processors as described above and as necessary to provide our services.
7. International Data Transfers
Your personal data is primarily stored and processed within the European Economic Area (EEA). However, some of our processors are based in the United States (Vercel, Cloudflare). When personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We have entered into EU Standard Contractual Clauses (as adopted by the European Commission) with our US-based processors to ensure that your data receives a level of protection equivalent to the one it would receive within the EEA.
- Supplementary measures: Where required, we implement additional technical and organisational measures to supplement the SCCs, including encryption in transit and at rest, access controls, and data minimisation.
- EU-based infrastructure: Our primary backend infrastructure (Hetzner) is located exclusively within the European Union (Germany and Finland), ensuring that the majority of data processing occurs within the EEA.
You may request a copy of the safeguards we have in place by contacting us at privacy@cbip-solutions.org.
8. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The specific retention periods are:
- Account data: Retained for the duration of your account. Upon account deletion, personal identifiers are removed within 30 days. Anonymised records may be retained for analytics purposes.
- Payment and transaction data: Retained for 7 years after the last transaction, as required by tax and accounting regulations in our jurisdiction.
- Usage data: Retained in identifiable form for 12 months from the date of collection. After 12 months, usage data is aggregated and anonymised for statistical analysis.
- Technical data (server logs): Retained for 90 days for security monitoring and incident investigation. Logs are then deleted or anonymised.
- Marketing consent records: Retained for 3 years after consent is withdrawn, as evidence of lawful processing during the consent period.
- Support correspondence: Retained for 2 years after the last interaction, or for the duration of your account, whichever is longer.
When the retention period expires, data is securely deleted or irreversibly anonymised. You may request earlier deletion by exercising your right to erasure (see Section 9).
9. Your Rights Under the GDPR
Under the GDPR, you have the following rights with respect to your personal data. To exercise any of these rights, please contact us at privacy@cbip-solutions.org. We will respond to your request within 30 days.
9.1 Right of Access (Article 15)
You have the right to request confirmation of whether we process your personal data and, if so, to obtain a copy of that data along with information about how it is processed, the purposes of processing, the categories of data concerned, and the recipients to whom it has been disclosed.
9.2 Right to Rectification (Article 16)
You have the right to request correction of inaccurate personal data and to have incomplete data completed. You can update most account information directly through your dashboard settings.
9.3 Right to Erasure (Article 17)
You have the right to request deletion of your personal data where:
- The data is no longer necessary for the purpose it was collected
- You withdraw consent and no other legal basis applies
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Deletion is required to comply with a legal obligation
Please note that we may need to retain certain data where there is a legal obligation (e.g. tax records) or where the data is necessary for the establishment, exercise, or defence of legal claims.
9.4 Right to Restriction of Processing (Article 18)
You have the right to request that we restrict the processing of your personal data in certain circumstances, including where you contest the accuracy of the data, where processing is unlawful but you oppose erasure, or where you have objected to processing pending verification of legitimate grounds.
9.5 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format (such as JSON or CSV), and to transmit that data to another controller without hindrance. This right applies to data you have provided to us and which is processed on the basis of consent or contract performance, by automated means.
9.6 Right to Object (Article 21)
You have the right to object to the processing of your personal data where we rely on legitimate interest as the legal basis. Upon receiving your objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defence of legal claims.
You have an absolute right to object to processing for direct marketing purposes at any time, and we will cease such processing without exception.
9.7 Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. We do not currently engage in solely automated decision-making that produces legal or similarly significant effects. If this changes, we will update this policy and ensure appropriate safeguards are in place, including the right to obtain human intervention, express your point of view, and contest the decision.
9.8 Right to Withdraw Consent (Article 7(3))
Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. You can withdraw consent by:
- Clicking the unsubscribe link in any marketing email
- Updating your communication preferences in your account settings
- Contacting us at privacy@cbip-solutions.org
10. Cookies and Tracking Technologies
We use cookies and similar technologies to operate our services. Cookies are categorised as follows:
10.1 Strictly Necessary Cookies
These cookies are essential for the operation of our website and services. They enable core functionality such as authentication, session management, and security. These cookies cannot be disabled and do not require consent under the GDPR.
10.2 Analytics Cookies
With your consent, we may use analytics cookies to understand how visitors interact with our website. These cookies collect information in an aggregated form to help us improve our services. You can withdraw consent for analytics cookies at any time through our cookie settings.
10.3 Managing Cookies
You can control and manage cookies through your browser settings. Most browsers allow you to refuse or delete cookies. Please note that disabling strictly necessary cookies may impair the functionality of our services.
11. Security Measures
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption: All data in transit is encrypted using TLS 1.2 or higher. Sensitive data at rest is encrypted using AES-256 encryption.
- Password security: Passwords are hashed using bcrypt with a cost factor of 12 or higher. We never store plaintext passwords.
- Access controls: Access to personal data is restricted to authorised personnel on a need-to-know basis. All access is logged and audited.
- Infrastructure security: Our servers are protected by firewalls, intrusion detection systems, and DDoS protection (via Cloudflare). Regular security patches are applied.
- API security: API access is authenticated via API keys. Rate limiting is enforced to prevent abuse. All API traffic is encrypted.
- Backups: Encrypted backups are performed regularly and stored in geographically separate locations within the EU.
- Incident response: We maintain an incident response procedure. In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours as required by Article 33 of the GDPR, and affected individuals where required by Article 34.
12. Children's Privacy
Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete that data promptly. If you believe that a child has provided us with personal data, please contact us at privacy@cbip-solutions.org.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify registered users via email if the changes materially affect how we process their personal data
- Where required by law, obtain your consent before applying changes that affect existing processing activities
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.
14. Contact and Complaints
If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us:
- Email: privacy@cbip-solutions.org
- Location: Spain
If you are not satisfied with our response, or if you believe that we are processing your personal data in a manner that is not compliant with the GDPR, you have the right to lodge a complaint with your local data protection supervisory authority. A list of supervisory authorities in the EEA is available on the European Data Protection Board website.