This Privacy Policy describes how Culvii ("we," "us," or "our") collects, uses, discloses, and protects the personal data of visitors to www.culvii.com, users of the Culvii platform at console.culvii.com, and anyone who interacts with our services. It also describes your rights over that data and how to exercise them.
Please read this policy carefully. By using our Services you confirm you have read and understood it. If you do not agree, please stop using our Services.
01Scope — What This Policy Covers
This Privacy Policy applies to personal data we collect and process for our own purposes as a data controller when you:
- Visit or use www.culvii.com or the Culvii platform at console.culvii.com
- Register for an account, start a free trial, or subscribe to our services
- Contact us, request a demo, or submit an enquiry through any channel
- Subscribe to our newsletter, blog, or marketing communications
- Attend a Culvii webinar, event, or training programme
- Act as a service provider or supplier to us
Our website may link to third-party sites we do not control. We encourage you to review their privacy practices separately.
Data controller vs. data processor
In providing our Services, Culvii may also process personal data on behalf of enterprise customers as a data processor. In those cases, the customer acts as the data controller and is solely responsible for their own privacy obligations. If your employer submitted your data to the Culvii platform, please direct privacy requests to them first — Culvii will cooperate to the extent our contract permits.
02Personal Data We Collect
Personal data is any information that identifies or is reasonably capable of identifying a natural person. We collect the following categories:
Data you provide directly
Platform users and customers. To create an account or subscribe to our services you provide: full name, work email address, job title, company name, and country. For paid plans we collect billing address and GST/VAT number. Full card details are handled by our PCI-DSS certified payment processor — we receive only the card type and last four digits.
Website visitors. When you complete a contact form, request a demo, or email us, we collect the contact details and message content you provide, along with professional information such as job title and department.
Support and communications. We process support ticket content, live chat transcripts, email correspondence, and survey responses when you contact us or participate in research we run.
Marketing and events. If you subscribe to our newsletter or register for a webinar or event, we collect your name, email, job title, company, and attendance records.
Data collected automatically
As you navigate our website and platform we automatically collect: pages visited, session duration, click paths, and search queries within the platform; your IP address, browser type, OS, device type, timezone, and language; authentication events such as login, logout, and MFA activity; and API call logs and error logs. We use this data to operate, secure, and improve the Services.
Data from third parties
Identity providers. When you sign in via Google Workspace, Microsoft 365, or Okta, we receive your user ID, email, name, and role from that provider.
Customer administrators. Enterprise customers may provision accounts on your behalf by supplying your name and work email to the Culvii platform.
Analytics and enrichment providers. We may receive aggregated engagement data from analytics partners. For B2B outreach, we may supplement company-level contact records with firmographic data such as company size and industry.
Culvii does not intentionally collect sensitive personal data (health, biometric, government IDs, racial or ethnic origin, religious beliefs, sexual orientation). If you believe sensitive data has been inadvertently submitted, contact support@culvii.com immediately.
03Cookies and Other Tracking Technologies
A cookie is a small file placed on your device when you visit our website. We also use web beacons, pixels, and browser local storage. We use the following categories:
- Strictly necessary. Essential for session management, authentication, CSRF protection, and load balancing. These cannot be disabled without breaking core functionality.
- Functional and preference. Remember your settings such as language, theme, and notification preferences. Retained up to 12 months.
- Analytics and performance. Help us understand how visitors use the website and platform so we can improve them. IP addresses are anonymised or truncated. Retained up to 26 months.
- Marketing and advertising. Used on www.culvii.com only — not within the platform — to measure campaign effectiveness and deliver relevant advertising. Retained up to 90 days.
Manage your cookie preferences via the cookie banner on www.culvii.com or at www.culvii.com/cookies. You may also disable cookies through your browser settings, though this may affect your ability to use parts of the Services. Culvii respects browser Do Not Track (DNT) signals for non-essential analytics cookies.
04Anonymised and Aggregated Data
Anonymisation modifies personal data so it can no longer be associated with a specific individual. Once data is genuinely anonymised, it is no longer personal data and this Privacy Policy does not apply to it.
We may use anonymised or aggregated data for any legitimate business purpose, including understanding usage patterns, improving our Services, and detecting security threats. Culvii does not use Customer Data (data uploaded by enterprise customers) in aggregated form for any purpose beyond providing and improving the Services to those customers.
05How We Use Your Personal Data
We use personal data to provide you with a secure and effective experience of the Culvii platform and website. Specifically:
- Provide our Services. To manage your account, perform our contract with you, and communicate about your use of the Services.
- Process payments and manage subscriptions. To administer your subscription, generate invoices, and collect payment through our PCI-DSS certified payment processor.
- Respond to your requests. To answer enquiries, resolve support tickets, and act on feedback you send us.
- Authenticate users and secure accounts. To verify identity, manage sessions, and protect accounts from unauthorised access using login events, MFA records, and device data.
- Improve the platform. To understand how the platform is used and develop new features, using anonymised or aggregated data wherever possible.
- Personalise your experience. To remember your settings and tailor the Services using cookies and preference data.
- Ensure security and prevent fraud. To monitor log data, IP addresses, and authentication events to detect and respond to threats, fraudulent activity, and policy violations.
- Send transactional communications. To deliver account confirmations, password resets, billing notifications, and service updates. You cannot opt out of transactional emails while your account is active.
- Send marketing communications. With your consent or where permitted by applicable law as an existing services provider, to share information about Culvii products, features, and events. Opt out at any time via the unsubscribe link in any marketing email or by contacting support@culvii.com.
- Comply with legal obligations. To retain records as required by tax, accounting, anti-money laundering, and data protection legislation.
06Legal Bases for Processing — GDPR Compliant
Culvii is GDPR compliant. For individuals in the European Economic Area (EEA) and the United Kingdom, we identify a lawful legal basis for each processing activity as required by GDPR Article 6:
| Purpose | Legal Basis | Article |
|---|---|---|
| Providing our Services; payment processing; transactional comms; account authentication | Performance of a contract | 6(1)(b) |
| Security monitoring; fraud prevention; legal compliance; tax and accounting | Legal obligation | 6(1)(c) |
| Platform analytics; product improvement; B2B marketing to existing customers; support | Legitimate interests — LIA available on request at support@culvii.com | 6(1)(f) |
| Marketing to new contacts; optional cookies; newsletter subscriptions | Consent — withdraw at any time without affecting prior processing | 6(1)(a) |
Culvii does not intentionally process special category data under GDPR Article 9. Where such data is processed, we rely on explicit consent or another applicable condition under Article 9(2).
07How We Share Your Personal Data
Culvii does not sell, rent, or trade personal data to third parties for their own marketing or commercial purposes.
Service providers and sub-processors
We work with trusted third-party providers who process personal data on our behalf under written Data Processing Agreements. These include our cloud infrastructure provider (Google Cloud Platform, which hosts all Culvii data), payment processor, customer support tooling, email delivery, analytics, security monitoring, and CRM. A complete and current list of sub-processors is published at www.culvii.com/sub-processors, updated within 30 days of any material change.
Professional advisors
We may share personal data with our legal counsel, auditors, and other professional advisors where necessary to comply with legal obligations or obtain professional advice.
Business transfers
In the event of a merger, acquisition, or corporate restructuring, personal data may transfer to the successor entity. We will notify affected individuals before any such transfer and ensure equivalent privacy protections apply.
Legal and regulatory disclosures
We may disclose personal data when required by applicable law, court order, or lawful authority request. Where legally permitted we will notify affected individuals before disclosing. We may also disclose where necessary to protect the rights, property, or safety of Culvii, our customers, or others.
With your consent
We may share personal data for any purpose you expressly consent to at the time of collection or subsequently.
08International Transfers
Culvii is headquartered in India and its primary infrastructure runs on Google Cloud Platform in asia-south1 (Mumbai). Some sub-processors are in the United States or European Union. Where we transfer personal data from the EEA or UK to countries not recognised as adequate, we rely on:
- Standard Contractual Clauses (SCCs). We incorporate the 2021 EU Commission SCCs into agreements with sub-processors outside the EEA, with Transfer Impact Assessments (TIAs) for high-risk destinations.
- UK IDTAs. For transfers from the United Kingdom we use UK International Data Transfer Agreements or the UK Addendum to the EU SCCs.
- EU adequacy decisions. Where the European Commission has recognised a country as adequate, we rely on that decision.
- GCP region selection. All Customer Data is stored by default in GCP asia-south1 (Mumbai). Enterprise customers may request storage in the GCP europe-west region. Disaster recovery uses GCP asia-southeast1 (Singapore).
To request a copy of the SCCs applicable to your data, contact support@culvii.com.
09Retention of Personal Data
We retain personal data only as long as necessary to fulfil the purposes for which it was collected and to meet our legal, regulatory, and contractual obligations:
- Active account data is retained for the duration of your subscription or account.
- Account data after termination is retained for 90 days to enable account recovery or data export, then deleted from active systems.
- Billing and financial records are retained for 7 years from the transaction date to comply with tax and accounting obligations.
- Support correspondence is retained for 3 years from ticket closure for quality assurance purposes.
- Security and audit logs are retained for 12 months in accessible form and 3 years in archived storage.
- Marketing contact data is retained until you unsubscribe or for 3 years from your last engagement, whichever is earlier. After opt-out, your email is retained on a suppression list only.
- Anonymised analytics data is retained for up to 26 months.
- Data under legal hold is retained until the legal hold is released, regardless of the above periods.
You may request deletion of your personal data at any time. We will act within 30 days unless retention is required by law or necessary to protect Culvii's legitimate legal interests.
10Data Security
In compliance with GDPR Article 32, Culvii implements appropriate technical and organisational measures to protect personal data against accidental loss, unauthorised access, alteration, or disclosure. Our security programme is audited annually and aligned with SOC 2 Type II Trust Services Criteria.
Measures include: AES-256 encryption at rest for all data in Cloud SQL PostgreSQL and GCS using Customer-Managed Encryption Keys (CMEK); TLS 1.3 for all data in transit; role-based access control with mandatory MFA for all Culvii engineers and administrators; a private GKE cluster behind Cloud Armor WAF; automated weekly vulnerability scanning; annual third-party penetration testing; SAST in the CI/CD pipeline; 24/7 SIEM monitoring; and a formal incident response programme with breach notification procedures meeting the GDPR 72-hour requirement under Article 33.
Please keep your password confidential and do not share it. If you believe your account has been compromised, contact support@culvii.com immediately. While we take all reasonable steps to protect your data, no internet transmission is completely secure. SOC 2 audit reports are available to enterprise customers under NDA.
11Children's Personal Data
Culvii's Services are intended for business use by adults. We do not knowingly collect personal data from individuals under 18. If we discover an account has been created by or on behalf of a person under 18, we will close the account and delete the associated data. If you believe a person under 18 is using our Services, please notify us at support@culvii.com.
12Your Privacy Rights
To exercise any of the rights below, contact us at support@culvii.com. We verify your identity before processing your request. We acknowledge requests within 5 business days and respond substantively within 30 days (extendable to 60 days with prior notification).
EEA and UK residents (GDPR and UK GDPR)
- Right of access (Art. 15). Request a copy of the personal data we hold about you and information about how it is processed.
- Right to rectification (Art. 16). Request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17). Request deletion of your personal data where there is no longer a lawful basis for retention. We will tell you if any data must be kept by law.
- Right to restriction (Art. 18). Request that we limit processing of your data in certain circumstances, for example while accuracy is disputed.
- Right to data portability (Art. 20). Receive your personal data in a structured, machine-readable format (JSON or CSV) and transmit it to another controller.
- Right to object (Art. 21). Object to processing based on legitimate interests at any time. You have an unconditional right to object to direct marketing.
- Right to withdraw consent (Art. 7(3)). Withdraw consent for consent-based processing at any time without affecting prior lawful processing.
- Right not to be subject to automated decision-making (Art. 22). Culvii does not currently make solely automated decisions with legal or similarly significant effects on individuals.
If you are unsatisfied with our response, you may lodge a complaint with your local supervisory authority. UK residents: ICO — ico.org.uk. EEA residents: your national DPA (see edpb.europa.eu).
California residents (CCPA / CPRA)
- Right to know. Request disclosure of categories and specific pieces of personal information we have collected, the purposes, and who we share it with.
- Right to delete. Request deletion of personal information collected from you, subject to certain exceptions.
- Right to correct. Request correction of inaccurate personal information.
- Right to opt out of sale. Culvii does not sell personal information — this right is inherently satisfied.
- Right to non-discrimination. Culvii will not discriminate against you for exercising your CCPA rights.
India residents (DPDP Act 2023)
- Right to access information about personal data Culvii processes about you.
- Right to correction and erasure of inaccurate or no-longer-necessary personal data.
- Right to grievance redressal by contacting our DPO at support@culvii.com.
- Right to nominate another person to exercise rights on your behalf in the event of death or incapacity.
13AI-Specific Data Processing
Culvii is an AI governance platform. This section explains privacy considerations specific to our product context.
Customer data in AI governance workflows
Customers may use the Culvii platform to manage governance of AI systems that themselves process personal data. In this context Culvii acts solely as a data processor — we process information provided by our customers to help them govern their AI systems, not to independently process the underlying personal data in those AI systems. Culvii does not access the outputs of customer AI models unless explicitly shared within the platform by the customer. Customers are solely responsible for ensuring their use of the Culvii platform complies with their own privacy obligations to their data subjects.
Culvii's own AI features
Culvii uses machine learning to power platform features such as automated risk scoring and anomaly detection:
- Culvii does not use Customer Data to train its own AI or machine learning models without explicit written consent in a separate agreement.
- Culvii's AI features are trained exclusively on anonymised and aggregated platform usage patterns.
- Culvii does not make automated decisions with legal or similarly significant effects on individuals. If this changes, we will update this policy and apply GDPR Article 22 safeguards before doing so.
14Contact Us and Data Protection Officer
As required by GDPR Article 37, Culvii has designated a Data Protection Officer (DPO) responsible for overseeing our data protection strategy and GDPR compliance.
- General privacy enquiries: support@culvii.com
- Data Protection Officer: support@culvii.com— subject line "Attn: The DPO, Culvii"
- Data Subject Access Requests: support@culvii.com— subject "Data Subject Access Request"
- Erasure requests: support@culvii.com— subject "Erasure Request"
- DPA enquiries: support@culvii.com
- Security incidents: support@culvii.com
We acknowledge all requests within 5 business days and respond substantively within 30 days. If you are unsatisfied, you may escalate to your local supervisory authority: ICO (ico.org.uk) for UK residents, your national DPA (edpb.europa.eu) for EEA residents, or the Data Protection Board of India once established under the DPDP Act 2023.
15Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our data practices, the Services we offer, or applicable law. The date at the top of this page reflects when the current version took effect.
For material changes — those that meaningfully affect your rights or how we process your personal data — we will notify registered users by email at least 14 days before the change takes effect. Where changes require fresh consent, we will seek it before applying the change to your data.
Previous versions are available on request at support@culvii.com or at www.culvii.com/privacy-archive. Continued use of the Services after the effective date constitutes acceptance of the updated policy. If you do not accept the updated policy, please stop using the Services and contact us to close your account and request deletion of your data.