Privacy Policy

Last updated: 27 May 2026. This policy is actively maintained as our practices mature. Material changes will be announced at least 30 days in advance via the website and to any registered users by email.

1. Who We Are

This privacy policy applies to Znu-Cloud OÜ (Znu-Cloud), an Estonian private limited company registered at Sepapaja 6, Tallinn, Estonia, under registry code 17390732.

Znu-Cloud builds CRM intelligence and AI strategy tools for European businesses. This policy describes how we collect, use, store, and protect personal data when you visit our website, contact us, or use our services.

For all data protection inquiries, contact data.privacy@znu-cloud.com.

Znu-Cloud has not appointed a Data Protection Officer (DPO) as we do not currently meet the threshold defined in GDPR Article 37. All data protection matters are handled by company management.

2. What This Policy Covers

This policy covers personal data collected through:

• The Znu-Cloud website (znu-cloud.com, or znucloud.com and its language variants)
• Email correspondence with Znu-Cloud
• Future use of Znu-Cloud products and services

If you are an end user of a Znu-Cloud customer’s system (for example, a contact whose record appears in a customer’s CRM that Znu-Cloud enriches), your personal data is processed under the customer’s privacy policy, with Znu-Cloud acting as a data processor on the customer’s behalf. The customer is the data controller.

3. Legal Bases for Processing

Under the EU General Data Protection Regulation (GDPR), Znu-Cloud processes personal data on the following legal bases:

• Consent (Article 6(1)(a)) — for analytics cookies, marketing communications, and any optional data collection. You can withdraw consent at any time.
• Contract (Article 6(1)(b)) — to provide services to customers under signed agreements.
• Legitimate interests (Article 6(1)(f)) — to maintain website security, prevent fraud and abuse, and respond to inquiries you initiate. We balance this against your rights and freedoms.
• Legal obligation (Article 6(1)(c)) — to comply with Estonian and EU law, including tax, accounting, and regulatory requirements.

4. What Data We Collect

Website visitors

When you visit our website, we collect minimal information:

• Analytics data via Plausible Analytics: pages visited, referring site, browser type, country (derived from IP, not stored), and screen size. Plausible does not use cookies and does not collect personally identifiable information. Data is aggregated and stored on EU infrastructure.
• Server logs for security and operational purposes: IP addresses, request timestamps, response codes, and user agent strings. Server logs are retained for 30 days, then automatically deleted unless required for an active security investigation.

When you contact us

If you email us at info@znu-cloud.com, data.privacy@znu-cloud.com, or any other Znu-Cloud address, we collect:

• Your email address
• Your name and any other information you choose to share in your message
• Our response history with you

Contact correspondence is retained for the duration of our relationship plus 6 years thereafter for tax, accounting, and legal documentation purposes, as required by Estonian commercial law.

When you use our services (future)

Once you become a customer, we will collect:

• Account information (name, email, company, role, billing address)
• Authentication data (passwords are stored as cryptographic hashes, never in plaintext)
• Service usage data (logins, feature usage, API calls)
• Customer content (data you submit through CRM Intelligence or the AI Strategy Portal)

Customer content is processed solely to deliver the services you have contracted for. We do not use customer content to train AI models. We do not sell, rent, or otherwise commercialize customer content.

5. Forms and Spam Prevention

When forms are added to the website, we will use Friendly Captcha (Friendly Captcha GmbH, Germany) to prevent automated abuse. Friendly Captcha is GDPR-native and does not use cookies, IP tracking, or behavioral profiling. It operates by requiring the visitor’s browser to solve a cryptographic puzzle — a method that distinguishes humans from bots without collecting personal data.

6. Email Communications

Transactional email

When you become a customer or interact with our systems, we send necessary transactional emails (account confirmations, billing notifications, security alerts, service updates) using Brevo (Sendinblue SAS, France), a French email service provider.

Transactional email is sent on the legal basis of contract performance. You cannot opt out of essential transactional email without terminating your account.

Marketing email

We do not send unsolicited marketing email. If we send any marketing communications in the future, we will:

• Require double opt-in consent before adding you to any marketing list
• Provide a working unsubscribe link in every marketing message
• Honor unsubscribe requests within 48 hours
• Process marketing email on the legal basis of consent, never legitimate interest

We will not share your email address with third parties for their marketing purposes under any circumstances.

7. AI Processing and Third-Country Transfers

Znu-Cloud’s AI Strategy Portal will use large language models hosted by third parties for inference. Once the Portal is generally available, users will be able to select between two providers:

• Anthropic, Inc. (United States) — primary inference provider for Claude models
• Mistral AI SAS (France) — EU-based inference for Mistral models

Identifying metadata (account identifiers, IP addresses, session tokens) will be masked before transmission to the selected inference provider, so that the provider cannot associate queries with user identity.

International data transfers to Anthropic (US): when operational, transfers to Anthropic will occur under the Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to third countries lacking an EU adequacy decision. Anthropic’s security and legal safeguards have been evaluated in advance, including their commitment not to use API content for model training.

8. Sub-Processors

The following sub-processors handle personal data on behalf of Znu-Cloud:

We maintain Data Processing Agreements (DPAs) with each sub-processor in compliance with GDPR Article 28. We notify customers in advance of any material change to our sub-processor list.

9. Cookies and Consent Management

The Znu-Cloud website uses strictly necessary cookies only at this time. These cookies are required for the website to function (session management, language preference, security tokens) and do not require consent under the EU ePrivacy Directive.

We do not currently deploy:

• Analytics cookies (Plausible operates cookie-free)
• Advertising or tracking cookies
• Third-party cookies of any kind
• Social media tracking pixels
• Cross-site behavioral profiling

Consent management platform

A consent management platform (CCM19, operated by Papoo Software & Media GmbH, Germany) is loaded on all pages of this website. Its purpose is to manage cookie consent for any future optional cookies introduced as the site evolves — for example, when contact forms, embedded media, or analytics requiring consent are added.

CCM19 itself does not set tracking cookies and does not transmit personal data to third parties. It is hosted on EU infrastructure and operates in accordance with GDPR and the EU ePrivacy Directive.

What this means for you today: even if you click “Accept” on the consent banner, no optional cookies are placed on your device, because none are currently in use. The banner is in place so that if and when optional cookies are introduced, your consent choices will already be respected.

When optional cookies are introduced, this policy will be updated to describe each category, its purpose, retention period, and the legal basis for processing.

10. Data Retention

We retain personal data only as long as necessary for the purposes for which it was collected:

• Server logs: 30 days
• Contact correspondence: duration of relationship + 6 years (Estonian commercial law)
• Customer account data: duration of contract + 6 years after termination
• Customer content (CRM data, Portal queries): as specified in your service agreement, typically deleted within 30 days of contract termination
• Marketing consent records: until consent is withdrawn + 3 years thereafter (proof of valid consent for regulatory purposes)
• Financial records: 7 years (Estonian tax law)

After the retention period expires, personal data is permanently deleted or anonymized.

11. Your Rights Under GDPR

If you are in the European Union, the United Kingdom, or any jurisdiction recognizing equivalent rights, you have the following rights regarding your personal data:

• Right of access — request a copy of the personal data we hold about you
• Right to rectification — request correction of inaccurate or incomplete data
• Right to erasure (“right to be forgotten”) — request deletion of your personal data, subject to legal retention requirements
• Right to restrict processing — request that we limit how we use your data
• Right to data portability — request your data in a structured, machine-readable format
• Right to object — object to processing based on legitimate interests
• Right to withdraw consent — withdraw consent for any processing based on consent
• Right not to be subject to automated decision-making — including profiling that produces legal or similarly significant effects

To exercise any of these rights, contact data.privacy@znu-cloud.com. We will respond within 30 days. There is no fee for reasonable requests.

You also have the right to lodge a complaint with a supervisory authority. For Estonia, this is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at aki.ee. If you reside in another EU member state, you may contact your local data protection authority.

12. Security

We implement appropriate technical and organizational measures to protect personal data, including:

• TLS encryption for all data in transit
• Encryption at rest for stored customer data
• Access controls limiting personal data access to authorized personnel only
• Regular security review of infrastructure and sub-processor commitments
• EU-hosted infrastructure (Hetzner, Germany) with physical and network security controls
• Logging and monitoring of access to systems containing personal data

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Estonian Data Protection Inspectorate within 72 hours of discovery, and affected individuals without undue delay, as required by GDPR Articles 33 and 34.

13. Children’s Privacy

The Znu-Cloud website and services are not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact data.privacy@znu-cloud.com and we will delete it.

14. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, our service offerings, or applicable law. Material changes will be announced at least 30 days in advance via:

• A notice on this page
• A notice on the Znu-Cloud website homepage
• Direct email to registered users (where the change affects them)

The “Last updated” date at the top of this policy will always reflect the most recent revision.

15. Contact

For any privacy-related inquiry, contact:

Znu-Cloud OÜ
Attn: Data Protection Inquiries
Sepapaja 6, Tallinn, Estonia
data.privacy@znu-cloud.com

We respond to all data protection inquiries within 30 days, often faster.