GDPR Data Protection Policy

Last updated: February 17, 2026

1. Commitment to Data Protection

C5S Technology Limited ("Company"), operating the BiVelio platform, and its European holding entity Chronos Technology SLU (Andorra), are committed to protecting the personal data of all individuals whose data is processed through our Service, in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Andorran Data Protection Act (Llei 29/2021), and all applicable data protection legislation.

This GDPR Policy supplements our Privacy Policy and provides specific information about how we comply with the GDPR (and, for individuals in the United Kingdom, the UK GDPR) when processing personal data of individuals in the European Economic Area (EEA), the United Kingdom, and Andorra.

2. Roles and Responsibilities

2.1 As Data Controller

When processing personal data of our users (account holders), we act as the Data Controller. This includes:

  • Account registration and authentication data
  • Billing and subscription information
  • Platform usage analytics
  • Support communications

2.2 As Data Processor

When processing data on behalf of our clients (their customers' data, leads, conversations, etc.), we act as the Data Processor. In this capacity:

  • We process data only on documented instructions from the Controller (our client).
  • We enter into Data Processing Agreements (DPAs) with all clients.
  • We ensure all personnel processing data are bound by confidentiality obligations.
  • We implement appropriate technical and organizational measures to ensure security.
  • We assist the Controller in responding to data subject requests.
  • We delete or return all personal data upon termination of the agreement.

2.3 Data Protection Officer

We have designated a Data Protection Officer (DPO) who can be contacted at:

  • Data Protection Officer: privacy@bivelio.com
  • General support: support@bivelio.com
  • Address: Chronos Technology SLU, Andorra

3. Lawful Basis for Processing

We process personal data under the following lawful bases as defined in Article 6 of the GDPR:

Processing Activity                        | Lawful Basis          | GDPR Article
Account creation & authentication          | Contract performance  | Art. 6(1)(b)
Service delivery & features                | Contract performance  | Art. 6(1)(b)
Payment processing                         | Contract performance  | Art. 6(1)(b)
Security monitoring & fraud prevention     | Legitimate interest   | Art. 6(1)(f)
Analytics & service improvement            | Legitimate interest   | Art. 6(1)(f)
Marketing communications                   | Consent               | Art. 6(1)(a)
Tax & financial record keeping             | Legal obligation      | Art. 6(1)(c)
AI processing of user data                 | Contract performance  | Art. 6(1)(b)
Third-party integration data sharing       | Consent               | Art. 6(1)(a)

4. Data Subject Rights

Under the GDPR, data subjects have the following rights. We are committed to facilitating the exercise of these rights within the statutory timeframes:

4.1 Right of Access (Article 15)

You may request a copy of all personal data we hold about you. We will provide this without undue delay and in any event within one month (Article 12(3)), in a commonly used electronic format.

4.2 Right to Rectification (Article 16)

You may request correction of inaccurate personal data or completion of incomplete data. You can also update most data directly through your account settings.

4.3 Right to Erasure (Article 17)

You may request deletion of your personal data when:

  • The data is no longer necessary for the purposes for which it was collected.
  • You withdraw consent and there is no other legal basis for processing.
  • You object to processing and there are no overriding legitimate grounds.
  • The data has been unlawfully processed.

Note: We may retain certain data where required by law (e.g., tax records, audit logs).

4.4 Right to Restriction (Article 18)

You may request restriction of processing while we verify the accuracy of your data, resolve an objection, or when processing is unlawful but you prefer restriction over erasure.

4.5 Right to Data Portability (Article 20)

You may request your data in a structured, commonly used, machine-readable format (JSON, CSV). We provide data export functionality within the Service.

4.6 Right to Object (Article 21)

You may object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights and freedoms. You may also object at any time to processing for direct marketing purposes, in which case we will stop that processing without exception.

4.7 Rights Related to Automated Decision-Making (Article 22)

Where we use automated processing (including AI) that significantly affects you, you have the right to:

  • Obtain human intervention in the decision.
  • Express your point of view.
  • Contest the decision.

4.8 How to Exercise Your Rights

Submit requests to privacy@bivelio.com. We will:

  • Verify your identity before processing any request.
  • Respond within one month, extendable by up to two further months for complex or numerous requests; if we extend, we will tell you why within the first month.
  • Fulfill requests free of charge, except for manifestly unfounded or excessive requests.

5. Data Processing Agreements

In compliance with Article 28 of the GDPR, we enter into Data Processing Agreements (DPAs) with:

  • Our Clients: Where we act as Data Processor for their end-users' data.
  • Our Sub-Processors: All third-party service providers who process data on our behalf.

DPAs include:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Types of personal data and categories of data subjects
  • Obligations and rights of the Controller
  • Technical and organizational security measures
  • Sub-processor management and notification obligations

6. Sub-Processors

We use the following categories of sub-processors:

Category                 | Purpose                                        | Location
Cloud Infrastructure     | Hosting, database, and compute services        | EU / US (with SCCs)
AI Model Providers       | Natural language processing, classification    | US (with SCCs)
Payment Processor        | Billing and subscription management            | US (with SCCs)
Email Service Provider   | Transactional and notification emails          | US (with SCCs)
Analytics Provider       | Usage analytics and product improvement        | EU

We will notify clients of any changes to our sub-processor list at least 30 days in advance, providing the opportunity to object.

7. International Transfers

As our corporate structure spans Hong Kong and Andorra, personal data may be transferred internationally. We ensure compliance through:

  • Andorra Adequacy Decision: Andorra is recognized by the European Commission as providing an adequate level of data protection (Decision 2010/625/EU).
  • Standard Contractual Clauses (SCCs): For transfers to jurisdictions without adequacy decisions, we implement SCCs as adopted by the European Commission (Decision 2021/914).
  • Transfer Impact Assessments (TIAs): We conduct TIAs for all transfers to third countries to evaluate the legal framework in the recipient country.
  • Supplementary Measures: Additional technical measures including encryption, pseudonymization, and access controls.

8. Technical and Organizational Measures

In accordance with Article 32 of the GDPR, we implement the following measures:

8.1 Technical Measures

  • TLS 1.3 for all data in transit between clients, our services, and sub-processors
  • AES-256 encryption for data at rest
  • Database-level Row-Level Security (RLS) policies so that each tenant's queries can only reach that tenant's rows
  • Automated vulnerability scanning and dependency auditing
  • Web Application Firewall (WAF) and DDoS protection
  • Regular penetration testing by independent third parties
  • Automated backup with point-in-time recovery (PITR)
  • Secrets management with encrypted vault storage
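As an added illustration of the Row-Level Security measure listed above (this is example SQL written for this page, not BiVelio's schema or code), the following PostgreSQL snippet shows what "RLS ensuring tenant isolation" looks like in practice, including the two details that are commonly missed: forcing the policy onto the table owner, and scoping the tenant identifier to the transaction so pooled connections cannot leak it. The table name, columns, role name and the app.tenant_id setting are assumed for the example.

```sql
-- Example table (assumed for illustration): every row carries its tenant.
CREATE TABLE conversations (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    body      text NOT NULL
);

-- Enable RLS and also apply it to the table owner. Without FORCE, the
-- owning role silently bypasses every policy on the table.
ALTER TABLE conversations ENABLE ROW LEVEL SECURITY;
ALTER TABLE conversations FORCE ROW LEVEL SECURITY;

-- One policy for reads and writes. current_setting(..., true) returns
-- NULL instead of raising when app.tenant_id has never been set; NULLIF
-- handles the empty string left behind after a SET LOCAL ends. A NULL
-- comparison is not true, so an unset tenant sees and writes nothing
-- (fail closed). WITH CHECK stops a tenant inserting rows for another.
CREATE POLICY tenant_isolation ON conversations
    FOR ALL
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- The application connects as a plain role: not a superuser, no BYPASSRLS.
CREATE ROLE app_user LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON conversations TO app_user;
GRANT USAGE, SELECT ON SEQUENCE conversations_id_seq TO app_user;

-- Per-request usage (run as app_user). SET LOCAL lasts only for this
-- transaction, so the tenant id cannot survive onto the next request that
-- reuses the same pooled connection.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO conversations (tenant_id, body)
    VALUES ('11111111-1111-1111-1111-111111111111', 'visible to tenant 1 only');
SELECT count(*) FROM conversations;   -- counts tenant 1's rows only
COMMIT;

-- In a later transaction for a different tenant, the row above is invisible,
-- and an INSERT carrying tenant 1's id is rejected by the WITH CHECK clause:
BEGIN;
SET LOCAL app.tenant_id = '22222222-2222-2222-2222-222222222222';
SELECT count(*) FROM conversations;   -- 0: tenant 1's row is filtered out
-- INSERT INTO conversations (tenant_id, body)
--     VALUES ('11111111-1111-1111-1111-111111111111', 'x');  -- ERROR: new row violates row-level security policy
COMMIT;
```

Two checks worth running against any RLS deployment: confirm the application role is not the table owner and has no BYPASSRLS (`SELECT rolbypassrls FROM pg_roles WHERE rolname = 'app_user'`), and confirm `relforcerowsecurity` is true for every tenant-scoped table in pg_class; either one being wrong means the policy is decorative.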

8.2 Organizational Measures

  • Role-Based Access Control (RBAC) with principle of least privilege
  • Mandatory data protection training for all personnel
  • Background checks for employees with access to personal data
  • Documented information security policies and procedures
  • Regular internal audits and management reviews
  • Incident response plan with defined roles and escalation procedures
  • Data protection by design and by default in all development processes

9. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) in accordance with Article 35 of the GDPR for processing activities that are likely to result in high risk to data subjects, including:

  • Large-scale processing of personal data through AI agents
  • Systematic monitoring of customer interactions across multiple channels
  • Automated profiling or scoring (e.g., lead scoring)
  • Processing of sensitive categories of data
  • New features or integrations that significantly change data processing

10. Data Breach Notification

In the event of a personal data breach, we will:

  • Internal Response: Activate our incident response team within 1 hour of breach detection.
  • Supervisory Authority: Notify the competent supervisory authority within 72 hours of becoming aware of the breach (Article 33), unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
  • Data Subjects: Notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms (Article 34).
  • Data Controllers (when we act as Processor): Notify affected clients without undue delay after becoming aware of the breach.
  • Documentation: Maintain detailed records of all breaches, including facts, effects, and remedial actions taken.

11. Records of Processing Activities

In compliance with Article 30 of the GDPR, we maintain comprehensive records of all processing activities, including:

  • Name and contact details of the controller/processor and DPO
  • Purposes of processing
  • Categories of data subjects and personal data
  • Categories of recipients
  • International transfers and safeguards
  • Retention periods
  • Technical and organizational security measures

12. AI and Automated Processing

BiVelio uses AI for various processing activities. Our approach to AI complies with GDPR requirements:

  • Transparency: We clearly disclose when AI is used in processing personal data.
  • Purpose Limitation: AI processing is limited to the purposes specified in this policy and our Privacy Policy.
  • Data Minimization: Only data necessary for the AI task is processed.
  • No Third-Party Training: Personal data processed through BiVelio's AI features is not used to train or improve third-party AI models.
  • Human Review: Users maintain the ability to request human review of AI-generated decisions.
  • EU AI Act Compliance: We monitor and align with the EU AI Act (Regulation 2024/1689) requirements as they become applicable.

13. Children's Data

BiVelio is a B2B service not intended for individuals under 16 years of age. We do not knowingly collect or process personal data of children. If we discover that we have inadvertently collected data of a child under 16, we will immediately delete such data and notify the relevant supervisory authority if required.

14. Complaints and Supervisory Authority

If you believe your data protection rights have been violated, you may:

  1. Contact our DPO at privacy@bivelio.com to resolve the matter directly.
  2. Lodge a complaint with the competent supervisory authority:
  • Andorra: Agència Andorrana de Protecció de Dades (APDA) — www.apda.ad
  • EU Member States: Your local Data Protection Authority (DPA)
  • UK: Information Commissioner's Office (ICO) — ico.org.uk

15. Policy Updates

This GDPR Policy is reviewed and updated annually, or more frequently when required by changes in legislation, our processing activities, or organizational structure. All updates will be published on this page with a revised "Last updated" date.

16. Contact

For any questions regarding this GDPR Policy or to exercise your rights:

  • Data Protection Officer: privacy@bivelio.com
  • Privacy Team: privacy@bivelio.com
  • General support: support@bivelio.com
  • C5S Technology Limited — Hong Kong
  • Chronos Technology SLU — Andorra
  • Website: c5s.xyz