Privacy Policy
Last updated: 18 April 2026
This Privacy Policy explains how Cendro Solutions (“Cendro”, “we”, “us”, or “our”), based in Cyprus, processes personal data collected through our website at cendrosol.com and in the course of our consultancy engagements.
This policy covers this website only. Our product services, including any Meta-connected applications, are operated on a separate domain and have their own privacy notices linked from that product's site.
We process personal data in accordance with the EU General Data Protection Regulation 2016/679 (GDPR), applicable Cyprus data-protection law, and the EU ePrivacy Directive 2002/58/EC.
1. Data Controller
The controller of your personal data is Cendro Solutions, based in Cyprus.
Privacy contact: [email protected]
General contact: [email protected]
We have not designated a Data Protection Officer. Our core activities do not consist of large-scale regular and systematic monitoring, or large-scale processing of special-category data, under GDPR Article 37. For any privacy matter, email [email protected].
2. Personal Data We Collect
2.1 Website visitors
- Enquiry form submissions — name, email, company (optional), and message content.
- Email correspondence — if you email us, we process the contents of your email and your email address.
- Technical data processed by our hosting provider to serve the site — IP address, user agent, referring URL, pages requested, timestamps. Stored in server logs for up to 30 days for security and debugging.
This website does not use cookies, analytics, advertising pixels, fingerprinting, or third-party embeds that set cookies. No consent banner is displayed because no non-strictly-necessary information is stored on or read from your device, in line with ePrivacy Directive Article 5(3).
2.2 Clients and prospective clients
- Contact details, role, company, correspondence, and any personal data you share with us during an engagement, plus billing data where applicable.
3. Purposes and Legal Bases
Under GDPR Article 6, we rely on the following legal bases:
| Purpose | Legal basis |
|---|---|
| Responding to enquiries (website form or email) | Art. 6(1)(b) — steps prior to a contract, or Art. 6(1)(f) — legitimate interest in replying |
| Providing consultancy services to clients under engagement | Art. 6(1)(b) — performance of a contract |
| Operating and securing our website | Art. 6(1)(f) — legitimate interest |
| Complying with tax, accounting, and other legal obligations | Art. 6(1)(c) — legal obligation |
| Marketing to existing clients about similar services | Art. 6(1)(f) — legitimate interest, with opt-out in every message |
| Any other marketing communications | Art. 6(1)(a) — consent |
We do not sell personal data. We do not use personal data for automated decision-making that produces legal or similarly significant effects.
4. Recipients
We share personal data only with:
- Processors acting under written instructions and a GDPR Article 28 data processing agreement — in particular our hosting provider (Vercel Inc.) and email delivery provider (Resend, Inc.).
- Professional advisors (legal, accounting) bound by confidentiality.
- Competent authorities where disclosure is required by law.
5. International Transfers
Some processors are located outside the European Economic Area (in particular in the United States). Where applicable, we rely on:
- the EU–US Data Privacy Framework where the processor is certified;
- Standard Contractual Clauses adopted by the European Commission under Decision (EU) 2021/914; and
- supplementary technical measures, including encryption in transit and at rest, where necessary.
To request a copy of the safeguards in place, email [email protected].
6. Retention
- Enquiries — up to 24 months from the last meaningful interaction, then deleted or anonymised.
- Client and billing records — up to 7 years after the end of the engagement, to comply with Cyprus tax and accounting law.
- Server logs — up to 30 days.
7. Your Rights
Subject to the conditions in GDPR, you have the right to:
- Access your personal data (Art. 15).
- Rectification of inaccurate or incomplete data (Art. 16).
- Erasure(“right to be forgotten”) where applicable (Art. 17).
- Restriction of processing (Art. 18).
- Data portability for data processed by automated means on the basis of consent or contract (Art. 20).
- Objection to processing based on legitimate interests or for direct marketing (Art. 21).
- Withdraw consent at any time, without affecting processing carried out before withdrawal (Art. 7(3)).
Email [email protected] to exercise any right. We respond within one month of receipt, extendable by up to two further months for complex requests (GDPR Art. 12(3)).
You may lodge a complaint with the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus: 1 Iasonos Street, 1082 Nicosia, P.O. Box 23378, 1682 Nicosia, Cyprus; email [email protected]; dataprotection.gov.cy. You may also complain to the supervisory authority in your EU country of residence.
8. Security
We apply technical and organisational measures appropriate to the risk, including TLS for data in transit, encryption at rest where available, least-privilege access, multi-factor authentication on administrative accounts, and periodic review of supplier security. No system is fully secure; please report suspected incidents to [email protected].
9. Children
Our services are not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
10. Changes
We may update this Policy. The “Last updated” date at the top reflects the latest revision. Material changes will be announced on the website and, where we have your contact details, by email.
11. Contact
Privacy matters: [email protected]. Other enquiries: [email protected].