Privacy Policy
Last updated: May 29, 2026
This Privacy Policy explains how Cyvalent S.à r.l. ("Cyvalent", "we", "us" or "our") processes personal data in connection with our websites, our business communications, our cybersecurity consulting and advisory services, and the Cyvalent RGX cyber security / governance, risk and compliance platform. This Privacy Policy is intended to provide transparent information under the EU General Data Protection Regulation ("GDPR"). It does not replace any customer agreement, order form, data processing agreement or other contract that may apply to the use of our services.
1. Who we are
Cyvalent S.à r.l. is a Luxembourg private limited liability company / société à responsabilité limitée, with its registered office at: Cyvalent S.à r.l., 2, rue Jean Engling, L-1466 Luxembourg, Grand Duchy of Luxembourg.
For full company, legal and publication details, please see our Legal Notice.
For privacy questions or to exercise your data protection rights, you can contact us at: privacy@cyvalent.lu (privacy contact), contact@cyvalent.lu (general contact), phone: +352 691 898 941.
Cyvalent has designated a data protection contact / Data Protection Officer for data protection matters. You can reach this contact using the privacy contact details above.
Cyvalent is established in Luxembourg. We do not require an EU representative under GDPR Article 27.
2. When this Privacy Policy applies
This Privacy Policy applies when we process personal data in connection with:
- the websites operated under www.cyvalent.lu and www.cyvalent.com;
- contact forms, demo requests and waitlist registrations;
- newsletter and marketing communications;
- business development and client relationship management;
- cybersecurity consulting, advisory and project delivery;
- account creation, authentication and user management for the Cyvalent RGX platform;
- support, service administration, security logging and abuse prevention;
- billing, contracting, accounting and legal compliance.
3. Our role as controller and processor
This Privacy Policy describes our processing mainly where Cyvalent acts as controller. For certain B2B SaaS platform activities, Cyvalent may process customer-provided content on behalf of a customer organisation. In that case, the customer organisation normally determines the purposes and means of the processing, and Cyvalent acts as processor under the applicable customer agreement and/or data processing agreement.
3.1 Cyvalent as controller
Cyvalent acts as controller when we determine why and how personal data is processed. This includes, for example, personal data processed for website operation, contact handling, demo and waitlist management, newsletters, customer relationship management, account administration, billing, consulting delivery, security logging, service improvement and legal compliance.
3.2 Cyvalent as processor for customer content
When a customer uses the Cyvalent RGX platform and uploads, submits or otherwise provides security, compliance, risk, evidence, audit, governance, asset, control or other GRC-related data, that content may include personal data. Where Cyvalent processes such customer content on behalf of the customer and under the customer's instructions, Cyvalent acts as processor. In that situation, the customer is responsible for providing any required privacy information to its own users, employees, contractors or other data subjects. Cyvalent's processing as processor is governed by the relevant customer agreement, data processing agreement and customer instructions. If you are an end user of a Cyvalent customer and your request relates to customer-provided platform content, please contact that customer first.
4. Personal data we process
Depending on how you interact with us, we may process the following categories of personal data.
4.1 Contact and business information
This may include your name, business email address, phone number, company name, job title, role, professional contact details and the content of your messages to us.
4.2 Website, demo, waitlist and marketing information
This may include information you submit through our website, contact form, demo request, waitlist registration, newsletter subscription or similar communication channels.
4.3 Account and authentication information
If you use or are invited to use the Cyvalent RGX platform, we may process login credentials, authentication identifiers, account settings, user role, tenant or organisation association, access rights and related administrative information.
4.4 Platform usage and support information
This may include platform usage data, support requests, service communications, feature interactions, timestamps, user actions, audit trails and similar operational metadata.
4.5 Technical and security information
When you access our website or services, we may process IP addresses, device and browser information, technical identifiers, log data, request metadata, error logs, authentication logs, security logs and abuse-prevention signals.
4.6 Customer-provided platform content
Customer-provided content may include cybersecurity, compliance, risk, control, evidence, audit, security, asset, policy, vendor, incident or GRC-related data. Depending on what a customer submits, such content may include personal data. This processing is normally governed by the applicable customer agreement and/or data processing agreement.
4.7 Consulting, contract and billing information
This may include contract details, commercial correspondence, billing information, invoice data, project information, meeting notes and records required for accounting, legal or administrative purposes.
4.8 Special category data
We do not expect to intentionally collect special categories of personal data, such as health data, biometric data, religious beliefs or similar sensitive data, through the website or ordinary B2B interactions. Customers and users should not submit special category data to Cyvalent unless this is necessary for the agreed service, permitted by law and covered by appropriate contractual and data protection terms.
5. Why we process personal data and our legal bases
We process personal data for the purposes and legal bases described below.
Where we rely on legitimate interests, these may include operating and improving our business, securing our website and platform, preventing misuse, communicating with B2B prospects and customers, managing client relationships, and protecting our legal rights. We balance these interests against the rights and freedoms of the individuals concerned.
Where we rely on consent, you may withdraw your consent at any time. This does not affect the lawfulness of processing carried out before withdrawal.
Website operation, communication and analytics
Examples: Operating our website, responding to inquiries, contact forms, demo requests and waitlist registrations; understanding website usage and improving content and user experience. Legal basis: Pre-contractual steps or legitimate interests; consent for optional cookies or analytics where required.
Newsletter and marketing
Examples: Sending updates about Cyvalent, Cyvalent RGX, cybersecurity, GRC, events or related services. Legal basis: Consent where required; otherwise legitimate interests where permitted; always subject to opt-out.
Account creation and platform administration
Examples: Creating accounts, authenticating users, managing organisations, roles and permissions. Legal basis: Contract performance, pre-contractual steps or legitimate interests.
Providing and securing services
Examples: Operating Cyvalent RGX, providing support, maintaining service reliability, preventing abuse and investigating security events. Legal basis: Contract performance and legitimate interests.
Consulting and advisory delivery
Examples: Client communication, project delivery, documentation, workshops, meetings and follow-up. Legal basis: Contract performance, pre-contractual steps and legitimate interests.
AI-supported processing
Examples: Assisting with cyber security, GRC, compliance, risk, evidence or workflow-related analysis and draft outputs. Legal basis: Contract performance, legitimate interests and, for customer content, processing under customer instructions where Cyvalent acts as processor.
Billing, accounting and administration
Examples: Contracts, invoices, payment administration, accounting records and business records. Legal basis: Contract performance and legal obligations.
Legal compliance and claims
Examples: Compliance with applicable law, authority requests, dispute handling and legal claims. Legal basis: Legal obligations and legitimate interests.
6. Cookies and analytics
We use cookies and similar technologies for website operation, security, analytics and related purposes.
Detailed information about the cookies and similar technologies we use, their purposes, retention periods and your choices is provided in our Cookie Notice.
Where required by law, optional analytics or marketing cookies are used only with your consent.
7. Newsletter and marketing communications
If you subscribe to our newsletter, register for a demo, join a waitlist, attend an event, contact us or are a business contact of Cyvalent, we may send you information about Cyvalent, Cyvalent RGX, cybersecurity, GRC, compliance, AI governance, events or related services.
You can unsubscribe from marketing emails at any time by using the unsubscribe link in the message or by contacting us at privacy@cyvalent.lu.
We may still send you non-marketing service messages, security notices, contractual notices or administrative communications where necessary.
8. AI-supported processing
Cyvalent RGX is intended to support cyber security, governance, risk and compliance workflows. Depending on the service configuration and customer agreement, Cyvalent may use AI-supported functionality to help analyse, structure, summarise, classify, map or draft outputs based on cybersecurity, compliance, risk, evidence, control, audit or other GRC-related data.
Cyvalent may use third-party AI or large language model providers, including Anthropic, Microsoft, OpenAI and Google, where required to provide or support the relevant service. The exact providers, configurations, safeguards and processing roles may depend on the customer agreement, service configuration and data processing agreement.
AI-generated outputs may be subject to human review, especially where review is needed for quality, support, security, legal, compliance or service-delivery reasons.
Cyvalent does not use AI-supported processing to make solely automated decisions about individuals that produce legal effects or similarly significant effects within the meaning of GDPR Article 22.
Customers should not submit unnecessary personal data or special category data to AI-supported features. Where customer content is processed on behalf of a customer, the applicable customer agreement and/or data processing agreement will govern the processing.
9. Recipients and service providers
We may share personal data with the following categories of recipients where necessary for the purposes described in this Privacy Policy:
- hosting and infrastructure providers, including Hetzner Online GmbH and Cyvalent-operated infrastructure;
- email and communication providers, including mailbox.org;
- productivity, CRM, collaboration or support tools, including Microsoft;
- analytics providers, including Google Analytics, where enabled and subject to applicable cookie and consent rules;
- AI and large language model providers, including Anthropic, Microsoft, OpenAI and Google, where required for AI-supported services;
- payment providers: [payment provider to be inserted once selected];
- professional advisers, accountants, auditors, legal counsel and other external advisers;
- public authorities, courts, regulators or law enforcement bodies where required by law or necessary to protect rights and security;
- business counterparties in the context of a merger, restructuring, financing, investment, acquisition or similar corporate transaction, where appropriate safeguards apply.
Additional information on data sharing
We do not sell personal data. Where service providers process personal data on our behalf, we require appropriate contractual data protection commitments. For Cyvalent RGX customer content processed on behalf of customers, subprocessors and processing details should be addressed in the applicable customer agreement, data processing agreement and/or subprocessor list.
10. International transfers
Cyvalent is established in Luxembourg and aims to use EU/EEA-based processing where reasonably practicable. However, some providers or support functions may involve processing outside the European Economic Area, including limited processing in the United States, for example in connection with Microsoft O365 or other cloud, analytics, support or AI-related providers.
Where personal data is transferred outside the EEA, we use appropriate safeguards where required. These may include:
- an adequacy decision by the European Commission, where applicable;
- participation by the recipient in an applicable recognised data transfer framework, where valid and applicable;
- EU Standard Contractual Clauses;
- additional contractual, technical or organisational measures where appropriate.
Further information on transfer safeguards
Further information about relevant transfer safeguards may be provided on request, subject to confidentiality, security and legal limitations.
11. How long we keep personal data
We keep personal data only for as long as necessary for the purposes for which it was collected, unless a longer retention period is required or permitted by law.
Because exact periods may depend on the service, relationship and legal context, we determine retention by considering: the purpose of the processing; the type, sensitivity and volume of data; the duration of our relationship with you or the relevant customer; legal, accounting, tax and reporting obligations; security, audit, incident-response and abuse-prevention needs; limitation periods and the need to establish, exercise or defend legal claims; and customer instructions where Cyvalent acts as processor.
- contact, demo and waitlist data is kept for as long as needed to respond, manage follow-up and maintain appropriate business records;
- newsletter data is kept until you unsubscribe or we stop providing the newsletter, subject to keeping suppression records where necessary;
- platform account data is kept for the duration of the account or customer relationship and for a limited period afterwards where necessary;
- security logs and audit logs are kept for a period appropriate to security monitoring, incident response, abuse prevention and auditability;
- consulting, contract, accounting and billing records are kept for the periods required by applicable legal, tax and accounting obligations;
- customer content processed by Cyvalent as processor is retained according to the applicable customer agreement, data processing agreement and customer instructions.
12. Security
We apply technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration or disclosure. These measures may include access controls, authentication, encryption in transit where appropriate, logging, monitoring, backup and recovery measures, vulnerability management, secure development practices, confidentiality obligations and internal access restrictions.
No website, platform or communication system can be guaranteed to be completely secure. If you believe that you have identified a security issue affecting Cyvalent or Cyvalent RGX, please contact us at contact@cyvalent.lu.
13. Your data protection rights
Subject to the conditions and limits set out in the GDPR and applicable law, you may have the following rights:
- the right to access your personal data;
- the right to correct inaccurate or incomplete personal data;
- the right to request deletion of personal data;
- the right to restrict processing;
- the right to data portability;
- the right to object to processing based on legitimate interests;
- the right to object to direct marketing at any time;
- the right to withdraw consent where processing is based on consent;
- the right not to be subject to solely automated decisions producing legal or similarly significant effects, where applicable.
How to exercise your rights
To exercise your rights, contact us at privacy@cyvalent.lu. We may need to verify your identity before responding. If your request concerns personal data that we process as processor on behalf of a customer, we may refer your request to the relevant customer or assist the customer in responding, as required by law and contract.
14. Right to complain to a supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority.
Cyvalent is established in Luxembourg. The Luxembourg supervisory authority is the Commission nationale pour la protection des données (CNPD), 15, Boulevard du Jazz, L-4370 Belvaux, Grand Duchy of Luxembourg.
You may also contact the supervisory authority in your country of residence, place of work or place of the alleged infringement.
We encourage you to contact us first at privacy@cyvalent.lu so that we can try to address your concern directly.
15. Children
Our website and services are intended for B2B use and are not directed at children. We do not knowingly collect personal data from children through our website or services.
If you believe that a child has provided personal data to us, please contact us at privacy@cyvalent.lu.
16. Links to third-party websites
Our website may contain links to third-party websites or resources. We are not responsible for the privacy practices, content or security of third-party websites. Please review the privacy information provided by those third parties.
17. Changes to this Privacy Policy
We may update this Privacy Policy from time to time, for example to reflect changes in our services, website functionality, providers, legal requirements or processing activities.
When we update this Privacy Policy, we will update the "Last updated" date above. Where required by law, we may provide additional notice.
18. Related legal information
For company and website publisher information, please see our Legal Notice.
For cookies and similar technologies, please see our Cookie Notice.
For rules governing access to and use of our website, platform or services, please see our Terms of Use.
Where Cyvalent provides SaaS, consulting or customer services under a separate written agreement, order form, data processing agreement or statement of work, those terms may contain additional or more specific privacy and data protection provisions.