Celiveo 365 Privacy Policy, GDPR
ATTENTION: READ THESE TERMS CAREFULLY BEFORE SUBSCRIBING TO CELIVEO 365. USING THIS SAAS INDICATES THAT YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THESE TERMS, DO NOT USE THIS SAAS.
Privacy Policy for CELIVEO 365 SaaS Platform
Effective Date: August 15, 2025
Celiveo (“we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Celiveo 365 Software as a Service (SaaS) platform (the “Service”). By accessing or using the Service, you agree to the terms of this Privacy Policy. If you do not agree, please do not use the Service.
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the “Effective Date” above. Your continued use of the Service after such changes constitutes your acceptance of the updated policy.
1. Information We Collect
We collect information that you provide directly to us, as well as information generated through your use of the Service. This may include:
- Personal Information: Such as the billing and technical contact name, email address, business address, and any other details provided when your company creates an account, subscribes to the Service, or contacts support.
- End-user Information: The Entra ID UID, card number, PIN code, and card password of end-users printing or authenticating through the SaaS, each systematically converted into a SHA256 hash; and the user UPN and print job title, both of which can be anonymized at collection time (“Stealth mode” option available to the administrator).
- Usage Data: Information about how you interact with the Service, including IP address, printer model, browser type, device information, pages visited, and timestamps, for security purposes and optional bill-back.
- User-Generated Content: Any data you print or scan through the Service, which may include personal data of your end-users or customers (collectively, “Customer Data”). Such data is encrypted.
We do not collect sensitive personal information (e.g., racial or ethnic origin, political opinions, religious beliefs, or health data) unless explicitly provided by you as part of Customer Data.
2. How We Use Your Information
We use the information we collect for the following purposes:
- To provide, maintain, and improve the Service.
- To process payments and manage your account.
- To communicate with you, including sending service-related emails (e.g., updates, security alerts).
- To comply with legal obligations, resolve disputes, and enforce our agreements.
- For internal analytics to understand usage patterns and enhance user experience.
We do not use your information for marketing purposes without your explicit consent.
User-generated content is automatically encrypted with dynamic keys, is never processed for any purpose other than the subscribing company's direct usage, and is not available to our team.
3. Data Sharing and Disclosure
We do not share, sell, or rent your personal information or Customer Data with any third-party companies for their own purposes. Disclosure is limited to:
- Our employees, contractors, and affiliates who need access to perform services on our behalf, under strict confidentiality agreements.
- As required by law, such as in response to a subpoena, court order, or regulatory request.
- In the event of a merger, acquisition, or sale of assets, where your information may be transferred as a business asset (we will notify you in advance).
We do not engage in any data sharing with third parties for advertising, analytics, or other commercial purposes.
4. Data Storage and Security
Your information is stored on Microsoft Azure secure servers located in the European Union (France), the USA, Mexico and Singapore. We implement industry-standard security measures, including encryption, access controls, and regular audits, to protect against unauthorized access, alteration, disclosure, or destruction. Our company is certified by Intertek for full ISO 27001:2022 and ISO 9001:2015 compliance.
- Data Retention: We retain personal information and Customer Data only as long as necessary to fulfill the purposes outlined in this policy or as required by law. Upon termination of your contract or account, we will delete or anonymize all Customer Data within 30 days, except where retention is legally mandated (e.g., for billing records).
- International Transfers: There is no transfer outside of the EU and EEA.
5. Your Rights
You have the following rights regarding your personal information:
- Access: Request a copy of the data we hold about you as a customer. End-users need to contact their employer as we can’t access their data.
- Rectification: Correct inaccurate or incomplete data.
- Erasure: Request deletion of your data (subject to legal obligations).
- Restriction: Limit processing in certain circumstances.
- Portability: Receive your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Withdraw Consent: Where processing is based on consent.
To exercise these rights, contact us at dpo (at) celiveo.com. We will respond within 30 days (extendable to 60 days for complex requests).
If you are in the EU/EEA, you may also lodge a complaint with your local data protection authority.
6. Children’s Privacy
Our Service is not intended for individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware of such collection, we will delete it promptly.
7. Cookies and Tracking Technologies
We use cookies and similar technologies to enhance your experience, such as for session management and analytics. You can manage cookie preferences through your browser settings. We do not use third-party tracking cookies.
8. Contact Us
For questions about this Privacy Policy, contact us at:
Celiveo
541 Orchard Road
238881 Singapore
Email: dpo (at) celiveo.com
This Privacy Policy is governed by the laws of Singapore, with GDPR considerations for EU users.
Data Processing Agreement (DPA) for GDPR Compliance
This Data Processing Agreement (“DPA”) is entered into between Celiveo (“Processor”) and you (“Controller”) as of your SaaS subscription date. This DPA supplements the main SaaS agreement (the “Agreement”) and ensures compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679.
1. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person processed under this DPA.
- Processing: Any operation performed on Personal Data, including collection, storage, use, and deletion.
- Controller and Processor: As defined in GDPR.
2. Subject Matter and Duration
- The Processor will process Personal Data on behalf of the Controller solely to provide the Service as described in the Agreement.
- This DPA remains in effect until the termination of the Agreement, plus any period required for data deletion (up to 30 days post-termination).
3. Nature and Purpose of Processing
- Processing is limited to providing the SaaS platform, including hosting, maintenance, and support.
- Types of Personal Data: billing and technical contact name, email address, business address, print job metadata (title, time, date, owner UPN, IP address), and any other details provided when your company creates an account, subscribes to the Service, or contacts support.
- Categories of Data Subjects: [Specify, e.g., Customer’s employees, end-users].
- The Processor will not process Personal Data for any other purpose without the Controller’s written instructions.
4. Processor Obligations
- Process Personal Data only on documented instructions from the Controller, including transfers to third countries (if any).
- Ensure personnel are bound by confidentiality obligations.
- Implement appropriate technical and organizational measures to ensure security (e.g., encryption, access controls) as detailed in Annex 1.
- Assist the Controller with data subject rights requests, impact assessments, and regulatory consultations, at the Controller’s cost if beyond standard support.
- Notify the Controller without undue delay (within 48 hours) of any Personal Data breach.
- Not engage new sub-processors without informing the Controller 30 days prior to the change. Current sub-processors: Microsoft, Freshdesk. The Processor remains liable for sub-processors.
- Upon termination, delete all Personal Data within 30 days, and delete existing copies unless EU law requires storage.
- Make available information necessary to demonstrate compliance and allow audits (at Controller’s expense, once per year).
5. Controller Obligations
- Ensure lawful basis for Processing and provide accurate instructions.
- Warrant that Personal Data does not include special categories unless agreed.
- Cooperate with the Processor to fulfill GDPR obligations.
6. Data Transfers
- Personal Data is processed in the EU (France), the USA, Mexico or Singapore as per the choice of the Controller (you) at subscription time.
- For transfers outside the EEA, the parties rely on Standard Contractual Clauses (SCCs) as per Commission Implementing Decision (EU) 2021/914.
7. Liability and Indemnity
- Each party shall indemnify the other for losses arising from its breach of this DPA, subject to the liability limits in the Agreement.
8. Governing Law and Dispute Resolution
- This DPA is governed by the laws of France.
- Disputes shall be resolved through the Court of Commerce of Nanterre, France.
9. Miscellaneous
- This DPA may be amended by the Processor and accepted by the Controller using electronic acceptance.
- If any provision is invalid, the remainder remains in effect.
Signed:
For the Processor: Celiveo – Date: August 15, 2025
Name: Jean-Francois Lacome Title: DPO
Annex 1: Technical and Organizational Measures
- Access Controls: Microsoft Entra ID Role-based access, Microsoft Entra ID multi-factor authentication.
- Encryption: Data at rest and in transit (TLS 1.2+, AES256-GCM, keys in Microsoft Azure Vault).
- Incident Response: 24/7 Azure Cloud Defender CSPM monitoring, regular penetration testing.
- Data Backup: Automatic Microsoft Azure encrypted backups with recovery plans.
- Audits: Annual ISO 27001:2022 compliance https://certcheck.ukas.com/certification/375199a2-df67-5c08-8159-76d4dbaac228.