Privacy Policy
Last updated: April 14, 2025
This Privacy Policy describes how CentaurX Technologies, S.L. ("CentaurX", "we", "us", or "our") collects, uses, and protects information about you when you use the CentaurX Revenue Intelligence platform and associated services, accessible at app.centaurx.io.
We are the data controller for personal data collected through our platform. For data processed on behalf of our customers within their own CRM systems, we act as data processor.
1. Who We Are
CentaurX Technologies, S.L. operates the Revenue Intelligence platform at app.centaurx.io and the marketing website at centaurx.io.
For privacy inquiries: privacy@centaurx.io
2. Data We Collect
Account data: Name, work email address, company name, job title, and password (hashed with bcrypt). Collected when you register or are invited by your organization.
Usage & telemetry data: Pages visited, features used, AI agent interactions, session duration, and error logs. Used to improve the platform and diagnose issues.
CRM & pipeline data (via integrations): Deal names, contact names, company names, deal amounts, stages, and associated metadata synchronized from connected CRM systems (e.g., HubSpot). This data is processed on behalf of the customer and is never used for any purpose other than providing the service.
Billing data: Subscription tier and billing status. Payment card details are processed directly by Stripe and never stored on our servers.
Technical data: IP address (used for abuse prevention — not retained beyond 30 days), browser type, operating system, and referral URL.
3. How We Use Your Data
We use your personal data to:
- Provide, operate, and improve the CentaurX platform and its AI agents
- Authenticate your identity and manage your account
- Process payments and issue invoices via Stripe
- Send transactional emails (welcome, billing confirmations, password resets)
- Synchronize and analyze CRM data to generate AI-powered revenue insights
- Respond to support requests and communicate product updates
- Detect fraud, abuse, and security threats
- Comply with legal obligations
We do not sell your personal data. We do not use your CRM data to train machine learning models without your explicit consent.
4. Legal Basis for Processing (GDPR Art. 6)
| Basis | Processing Activities |
|-------|-----------------------|
| Contract | Account data, CRM pipeline data, billing processing |
| Legitimate Interest | Product analytics, security monitoring, fraud prevention |
| Consent | Marketing communications (withdrawable at any time) |
| Legal Obligation | Tax records, compliance with law enforcement requests |
5. Sharing & Disclosure
We share personal data only with the following sub-processors, all bound by Data Processing Agreements:
- Stripe Inc. — payment processing (PCI DSS Level 1 certified)
- Google Cloud Platform — infrastructure hosting (Cloud Run, Cloud SQL, Secret Manager) in us-central1
- Resend — transactional email delivery
- HubSpot Inc. — when you connect your HubSpot account, we access your CRM data via OAuth on your behalf
- Apollo.io — prospecting data enrichment, only when enabled by your team
- Google Gemini API — AI inference for revenue analysis (data sent is limited to the deal context you submit)
- Sentry — error monitoring (anonymized stack traces; no PII transmitted)
We do not share data with advertisers or data brokers.
6. HubSpot Integration
CentaurX is listed on the HubSpot App Marketplace. When you connect your HubSpot portal:
- We request only the OAuth scopes necessary to deliver the service (deals read, contacts read, companies read)
- Your HubSpot access token is stored encrypted at rest in Google Cloud Secret Manager
- You can revoke access at any time from the CentaurX Integrations page or directly from your HubSpot Connected Apps settings
- When you uninstall the CentaurX app from HubSpot, we automatically revoke all OAuth tokens and delete your integration credentials from our systems within 24 hours
- CRM data synchronized via HubSpot is used exclusively to provide the CentaurX service and is not shared with third parties for their own marketing purposes
CentaurX does not use your HubSpot CRM data to train AI models or benchmark against other customers' data without explicit consent.
7. Data Retention
| Data Type | Retention Period |
|-----------|-----------------|
| Account data | Duration of subscription + 60 days after deletion |
| CRM pipeline data | Duration of active integration; deleted within 24h of uninstall |
| AI analysis history | 12 months rolling |
| Billing records | 7 years (legal/tax obligation) |
| Server logs (IP) | 30 days maximum |
| Backups | 90 days |
8. Your Rights (GDPR)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights:
- Access — Request a copy of the personal data we hold about you
- Rectification — Correct inaccurate or incomplete data
- Erasure — Request deletion of your personal data ("right to be forgotten")
- Restriction — Ask us to limit processing in certain circumstances
- Portability — Receive your data in a structured, machine-readable format
- Objection — Object to processing based on legitimate interests
- Withdraw Consent — Where processing is based on consent, withdraw it at any time
To exercise any of these rights, email privacy@centaurx.io. We will respond within 30 days.
HubSpot GDPR erasure: If HubSpot receives a GDPR data erasure request for a contact whose data we have processed, we will delete that contact's data from our systems within 30 days via our POST /api/gdpr/erase webhook endpoint.
9. Security
- All data in transit encrypted via TLS 1.2+
- Data at rest encrypted via AES-256 (Google Cloud SQL)
- OAuth tokens stored in Google Cloud Secret Manager (not in the database)
- Row-Level Security (RLS) enforced at the database level per tenant
- Passwords hashed using bcrypt (cost factor ≥ 12)
- Session tokens: cryptographically random (256-bit), stored as hashes
- Two-factor authentication (TOTP) available for all accounts
- HMAC-SHA256 signature verification for all incoming webhooks
In the event of a data breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours of becoming aware, as required by GDPR Art. 33.
10. Cookies
We use strictly necessary cookies to operate the platform:
| Cookie | Purpose | Duration |
|--------|---------|----------|
| centaur_session | Session authentication token (httpOnly, Secure) | Session |
| centaur_ob | HMAC-signed onboarding completion flag (httpOnly) | Session |
We do not use advertising, tracking, or third-party analytics cookies.
11. International Data Transfers
CentaurX stores data on Google Cloud Platform servers located in the United States (us-central1). Transfers from the EEA are safeguarded by:
- Standard Contractual Clauses (SCCs) incorporated into our agreements with Google Cloud
- Google's participation in the EU-U.S. Data Privacy Framework
A copy of our DPAs and SCCs is available upon request to privacy@centaurx.io.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 14 days before taking effect. Continued use of the platform after the effective date constitutes acceptance.
13. Contact
For privacy-related inquiries or data subject requests:
CentaurX Technologies, S.L.
Privacy & Data Protection
privacy@centaurx.io