Privacy Policy

Effective date: October 1, 2025

Controller: Siriustech SRL ("Siriustech", "we", "us", "our")

Trade Register no.: J2025065962001

Registered office: Stejerisului 30H, 500122 Brașov, România

General privacy contact: office@gradum.io

Support: support@gradum.io

This Privacy Policy explains how we collect, use, disclose, and protect personal data when you visit our websites, complete Online Checkout, interact with our support team, or use the Gradum SaaS platform (the Service). It is written for business users. The Service is not intended for consumers.

Role overview. For website, account, billing, and marketing data, Siriustech acts as controller. For "Customer Data" that customers upload to or process in the Service, Siriustech acts as processor on behalf of the customer. Processing of Customer Data is governed by a separate Data Processing Agreement (DPA) available on request.

1) Personal data we process (controller context)

We process, as controller, the following categories:

Account & profile: name, business email, job title, company, password hash, authentication tokens.
Billing: subscription plan, billing contact, billing address, VAT/tax numbers, partial payment card identifiers (tokenized), transaction timestamps; card data is processed by our payment provider (see Sharing below).
Service usage & logs: IP address, device/browser identifiers, timestamps, feature usage, error logs, diagnostic data.
Support content: messages, attachments, and metadata in support tickets or chats.
Marketing preferences: newsletter opt-in/out, event/webinar registrations, campaign interactions.
Contributor submissions (metadata): account details and model submission metadata for Contributors (the content of Maturity Models is treated as Customer Data—see Role overview above).

We may also process publicly available business contact data (e.g., corporate emails found on company websites) for B2B outreach, where permitted by law.

2) Sources

Directly from you (account creation, checkout, support); automatically from your device via cookies/SDKs; from your employer or colleagues (Authorized Users); and from service providers (e.g., fraud/abuse signals).

3) Purposes and legal bases (GDPR Art. 6)

Provide and administer the Service: create accounts, authenticate, operate core features; Art. 6(1)(b) (contract necessity).
Billing and payments: charge subscription fees, tax compliance, receipts; Art. 6(1)(b) and Art. 6(1)(c) (legal obligation).
Security and abuse prevention: access control, logging, incident response, rate limiting; Art. 6(1)(f) (legitimate interests in securing the Service).
Product analytics & service improvement: usage metrics to improve reliability and features; Art. 6(1)(f) (legitimate interests). Where local law requires, we rely on consent for analytics cookies (Art. 6(1)(a)).
Customer communications & support: send service/transactional emails, respond to tickets; Art. 6(1)(b).
Direct B2B marketing: send relevant product updates to business contacts; Art. 6(1)(f) (legitimate interests). You can object at any time.
Legal compliance: tax/audit records, sanctions/export controls; Art. 6(1)(c).

Where we rely on consent, you may withdraw it at any time via the cookie banner or the unsubscribe link without affecting prior processing.

4) Cookies and similar technologies

We use essential cookies to operate the Service and, with your consent where required, analytics/functional cookies for usage insights. You can change your choices at any time via the "Manage cookies" link in the footer and through your browser settings. Blocking certain cookies may impact functionality.

5) Sharing and disclosures

We do not sell personal data. We share data with:

Payment processing: card payments are processed by Stripe acting as an independent controller for payment data. We receive limited payment metadata and transaction confirmations.
Cloud hosting and infrastructure: reputable providers that host and run the Service.
Customer support, communications, analytics, and security vendors: to provide ticketing, email delivery, error monitoring, anti‑abuse, and analytics (only where permitted by your cookie settings).
Professional advisors and auditors: where necessary for our business and legal compliance.
Corporate transactions: disclosures in connection with mergers, acquisitions, financing, or sale of assets, subject to confidentiality protections.
Legal and safety: where we are required to disclose information to competent authorities or to protect rights, safety, and the integrity of the Service.

We require service providers acting as processors to enter into written data protection terms and to process personal data only on our documented instructions.

An up‑to‑date list of key subprocessors is available on request from office@gradum.io.

6) International transfers

We may transfer personal data outside the EEA/UK/Switzerland. Where we do, we use lawful transfer mechanisms, such as the European Commission Standard Contractual Clauses and any UK addendum, and implement appropriate safeguards.

7) Retention

We keep personal data only as long as necessary for the purposes above:

Account & profile: for the life of the account, then deleted or anonymized within a reasonable period.
Billing & payment records: retained as required by tax and accounting laws (often up to 10 years, depending on jurisdiction).
Logs & security records: typically up to 12 months, unless needed to investigate incidents.
Support content: typically 24 months after ticket closure, unless a longer period is required for compliance or dispute resolution.

For Customer Data we process as processor, retention is controlled by the customer per the DPA and your in‑product settings. After termination, data export/deletion follows the timelines set in the Service and/or DPA.

8) Your rights

Subject to conditions and applicable law, you may have the right to access, rectify, erase, restrict, port, or object to processing of your personal data, and to withdraw consent where processing is based on consent. You also have the right to lodge a complaint with a supervisory authority, including the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP).

To exercise your rights, email office@gradum.io from the business email associated with your account. We may need to verify your identity and your relationship to a relevant customer.

9) Children

Our Service and websites are directed to professionals. We do not knowingly collect personal data from children. Do not use the Service if you are under the age required by your local law to consent to data processing.

10) Security

We implement appropriate technical and organizational measures to protect personal data, including encryption in transit, access controls, network segregation, and regular monitoring. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

11) Third‑party links and services

The Service may contain links to third‑party sites or integrations. Their privacy practices are governed by their own policies.

12) Changes to this Policy

We may update this Policy from time to time. Material changes will be communicated via the Service or by email. The "Effective date" above shows when this Policy last changed.

13) Contact

Questions about this Policy or our data practices: office@gradum.io

Support: support@gradum.io

B2B notice. Our Service is provided exclusively to business users. Where applicable law grants consumer‑specific rights, those do not apply to our provision of the Service.

Contract status. This Policy is for transparency and does not create contractual warranties or obligations beyond those in our Terms & Conditions and any applicable DPA.

Loading…