Privacy Policy

Last Updated: June 2025
Version: 2.0

1. Introduction and Scope

This Privacy Policy ("Policy") explains how Cloudsail Digital Solutions sp. z o.o. ("Cloudsail," "we," "us," "our," or the "Company"), operator of Sigly.ai ("Sigly," "Platform," or "Service"), processes personal data in accordance with:

  • Regulation (EU) 2016/679 (General Data Protection Regulation - "GDPR")

  • Polish Act on Personal Data Protection of 10 May 2018

  • ePrivacy Directive 2002/58/EC

  • California Consumer Privacy Act ("CCPA") where applicable

  • Other applicable data protection legislation

This Policy applies to all processing activities related to our Service, including our website, platform, and related services.

2. Data Controller Information

Cloudsail Digital Solutions sp. z o.o.
Aleja Wolności 12
62-800 Kalisz
Poland

Contact Details:
Email: miki@cloudsail.com

3. Categories of Data We Process

3.1 Personal Data from Users

Account and Identity Data:

  • Full name, professional email address

  • Job title, department, seniority level

  • Company name, company size, industry sector

  • Business phone number (optional)

  • LinkedIn profile URL (optional)

  • IP address and approximate location

Financial and Transaction Data:

  • Billing name and address

  • VAT/Tax identification numbers

  • Payment card details (tokenized via PCI-compliant processors)

  • Transaction history and invoices

  • Subscription tier and usage limits

Technical and Usage Data:

  • Device information (type, OS, browser version)

  • Log data (access times, features used, errors)

  • Session recordings (with explicit consent only)

  • API usage and integration logs

  • Feature adoption and engagement metrics

  • Signal configuration preferences

Communication and Support Data:

  • Support ticket content and history

  • Email communications

  • Call recordings (with consent)

  • Feedback and survey responses

  • Training and onboarding records

3.2 Business Intelligence Data We Collect

We aggregate publicly available business information from multiple sources. Important: This is company-level data only - we do not collect or store personal information about individuals at these companies.

European Public Sources include, but are not limited to:

  • Company Registries: Bundesanzeiger (Germany), Companies House (UK), KvK (Netherlands), INSEE (France), Registro Mercantil (Spain), Camera di Commercio (Italy)

  • Job Portals: StepStone, Indeed, Monster, XING Jobs, LinkedIn Jobs, Glassdoor, AngelList, Stack Overflow Jobs, Remote.com, We Work Remotely

  • Tender Platforms: TED (Tenders Electronic Daily), national procurement portals

  • Press and Media: PRNewswire, Business Wire, company newsrooms, industry publications

  • Financial Databases: Public filing repositories, stock exchange announcements

  • Professional Networks: Public company pages on LinkedIn, XING, AngelList

  • Technical Sources: GitHub organizations, technical blogs, engineering career pages

  • Certification Bodies: ISO registries, SOC compliance databases, GDPR certification lists

North American Public Sources include, but are not limited to:

  • Regulatory Filings: SEC EDGAR database, state business registries

  • Job Platforms: Indeed, Monster, Dice, AngelList, Built In, Greenhouse public job boards

  • News Aggregators: PR distribution services, company press releases

  • Industry Databases: Crunchbase (public data), PitchBook (public information)

  • Technical Communities: Stack Overflow company pages, DevOps job boards

Types of Signals We Track:

  • Hiring patterns (e.g., "Revenue Operations Manager" posts indicating sales tool evaluation)

  • Leadership changes (e.g., new CTOs often review tech stack)

  • Funding events (e.g., Series B companies typically expand their tools)

  • Compliance achievements (e.g., SOC 2 certification requires security tools)

  • Technology adoption signals (e.g., Kubernetes job posts indicate a need for cloud-native tools)

  • Expansion indicators (e.g., new office openings, international job posts)

  • Digital transformation mentions (e.g., annual reports, investor communications)

  • Operational changes (e.g., remote-first announcements, restructuring news)

3.3 Data We Do NOT Collect

  • Personal contact information of employees at target companies

  • Private communications or internal company data

  • Behavioral tracking of individuals

  • Data from unauthorized access or scraping

  • Sensitive personal data categories under Article 9 GDPR

  • Data about individuals under 18 years of age

4. Legal Basis for Processing

We process personal data based on the following legal grounds under Article 6 GDPR:

4.1 Performance of Contract (Article 6(1)(b))

  • Creating and managing user accounts

  • Providing the Sigly platform and services

  • Processing payments and subscriptions

  • Delivering customer support

4.2 Legitimate Interests (Article 6(1)(f))

We have conducted Legitimate Interest Assessments (LIAs) for:

  • Service Improvement: Analyzing usage patterns to enhance features

  • Security: Preventing fraud and ensuring platform security

  • Business Intelligence: Processing public company data for sales signals

  • Direct Marketing: To existing customers about similar services

Our legitimate interests are balanced against your rights and freedoms. You may object to processing based on legitimate interests.

4.3 Consent (Article 6(1)(a))

We obtain explicit consent for:

  • Marketing communications to non-customers

  • Non-essential cookies and analytics

  • Session recordings and detailed behavioral analytics

  • Participation in beta features

4.4 Legal Obligations (Article 6(1)(c))

  • Financial record keeping for tax authorities

  • Responding to lawful data requests

  • Anti-money laundering compliance

5. Data Sharing and Recipients

5.1 Service Providers (Data Processors)

We share data with carefully selected processors under Article 28 GDPR contracts:

Infrastructure and Hosting:

  • Amazon Web Services (AWS) - Frankfurt region only

  • Cloudflare - EU data centers for CDN

  • Database hosting - EU-based PostgreSQL clusters

Payment Processing:

  • Stripe - PCI DSS Level 1 compliant

  • PayPal - For alternative payment methods

  • Local payment providers for specific EU countries

Customer Relationship:

  • HubSpot - CRM and marketing automation (EU data center)

  • Intercom - Customer support (EU hosting)

  • Calendly - Meeting scheduling (Privacy Shield)

Analytics and Monitoring:

  • Plausible Analytics - Privacy-focused, EU-based

  • Sentry - Error tracking (EU region)

  • Datadog - Infrastructure monitoring (EU instance)

Communication:

  • SendGrid - Transactional emails (EU servers)

  • Twilio - SMS notifications (EU data residency)

5.2 Third Party Recipients

Integration Partners: When you connect integrations, we share limited data with other companies, including:

  • Salesforce - Lead and signal data you choose to sync

  • HubSpot - Company and signal information

  • Pipedrive - Contact and activity data

  • Microsoft Dynamics - Configured data fields

  • Slack - Notification content

Professional Advisors:

  • Legal counsel (under confidentiality)

  • Auditors for SOC 2 compliance

  • Tax advisors

5.3 Government Authorities

Only when legally required or to protect vital interests:

  • Law enforcement (with valid legal request)

  • Regulatory bodies

  • Courts and dispute resolution

6. International Data Transfers

6.1 Primary Processing Location

All primary data processing occurs within the European Economic Area (EEA):

  • Production servers: Frankfurt, Germany

  • Backup systems: Amsterdam, Netherlands

  • Disaster recovery: Dublin, Ireland

6.2 Transfers Outside EEA

Limited transfers occur only with appropriate safeguards:

Standard Contractual Clauses (SCCs): We use European Commission approved SCCs for transfers to:

  • Support providers with follow-the-sun coverage

  • Certain sub-processors in secure third countries

Adequacy Decisions: Transfers to countries with adequacy decisions:

  • United Kingdom (post-Brexit)

  • Switzerland

  • Canada (commercial organizations)

Your Rights Regarding Transfers:

  • Request information about transfer safeguards

  • Obtain copies of SCCs used

  • Object to specific transfers

7. Data Security Measures

7.1 Technical Measures

  • Encryption: AES-256 at rest, TLS 1.3 in transit

  • Access Control: Multi-factor authentication, role-based permissions

  • Network Security: Firewalls, intrusion detection, DDoS protection

  • Application Security: OWASP compliance, regular penetration testing

  • Data Segregation: Logical separation between customer accounts

  • Backup and Recovery: Daily encrypted backups, tested recovery procedures

7.2 Organizational Measures

  • Staff Training: Annual GDPR and security training

  • Access Policies: Least privilege principle, regular access reviews

  • Incident Response: 72-hour breach notification procedure

  • Vendor Management: Security assessments for all processors

  • Data Protection by Design: Privacy impact assessments for new features

  • Compliance Programs: ISO 27001 certification in progress

7.3 Physical Security

  • Tier 3+ data centers with 24/7 monitoring

  • Biometric access controls

  • Environmental controls and redundancy

8. Your Rights Under GDPR

8.1 Right of Access (Article 15)

Request confirmation of processing and copies of your personal data, including:

  • Categories of data processed

  • Processing purposes

  • Recipients or categories of recipients

  • Retention periods

  • Source of data

8.2 Right to Rectification (Article 16)

Correct inaccurate data or complete incomplete data. You can update most information directly in your account settings.

8.3 Right to Erasure/"Right to be Forgotten" (Article 17)

Request deletion when:

  • Data no longer necessary for original purpose

  • You withdraw consent (where consent is the legal basis)

  • You object to processing with no overriding legitimate grounds

  • Data was unlawfully processed

Exceptions: Legal obligations, freedom of expression, public interest, legal claims.

8.4 Right to Restriction (Article 18)

Limit processing while we verify:

  • Accuracy of contested data

  • Legitimacy of processing

  • Our need to retain data for legal claims

8.5 Right to Data Portability (Article 20)

Receive your data in structured, commonly used, machine-readable format:

  • Available for consent or contract-based processing

  • Covers data you provided to us

  • Direct transfer to another controller where feasible

8.6 Right to Object (Article 21)

Object to processing based on legitimate interests or direct marketing:

  • We must stop unless compelling legitimate grounds override

  • Direct marketing objections are absolute

8.7 Rights Regarding Automated Decision-Making (Article 22)

While we use AI for signal detection, no fully automated decisions with legal effects are made about you.

8.8 Right to Withdraw Consent

Withdraw consent at any time without affecting the lawfulness of prior processing.

8.9 How to Exercise Your Rights

Submit requests via:

  • Email: miki@cloudsail.com

  • Post: Address in Section 2

Response Timeline: Within 30 days (extendable by 60 days for complex requests)

Fees: Generally free; reasonable fee for manifestly unfounded or excessive requests

Identification: We may request ID verification to protect your data

9. Data Retention

9.1 Retention Periods

Active Account Data:

  • Duration of service relationship

  • Plus 3 years for potential legal claims

Financial Records:

  • 7 years (tax law requirements)

  • 10 years for AML-relevant transactions

Marketing Data:

  • Until consent withdrawn or 3 years of inactivity

  • Suppression lists maintained indefinitely

Business Intelligence Cache:

  • Public signals: 90 days then refreshed

  • Historical trends: 24 months

  • Aggregated analytics: 36 months

Legal Hold: Data subject to litigation hold preserved until matter resolved

9.2 Deletion Procedures

  • Automated deletion after retention period

  • Secure overwriting of storage media

  • Certificate of destruction available upon request

10. Cookies and Tracking Technologies

10.1 Cookie Categories

Essential Cookies:

  • Session management

  • Security tokens

  • Load balancing

  • User preferences

Analytics Cookies (Consent Required):

  • Google Analytics (anonymized IP)

  • Plausible Analytics

  • Hotjar (session recordings with consent)

Marketing Cookies (Consent Required):

  • LinkedIn Insight Tag

  • Google Ads remarketing

  • Facebook Pixel (for logged-out pages only)

10.2 Cookie Management

  • Consent banner on first visit

  • Granular control via cookie preferences

  • Browser settings for blocking

  • "Do Not Track" signals respected

10.3 Other Tracking

  • Server logs (IP addresses anonymized after 30 days)

  • Error tracking (Sentry)

  • Performance monitoring (non-personal metrics)

11. Children's Privacy

Our Service is not directed to individuals under 18. We do not knowingly collect data from minors. If we become aware of such collection, we will promptly delete the data and terminate the account.

12. Data Protection Officer

Our appointed DPO oversees compliance:

Contact DPO:

  • Email: miki@cloudsail.com

  • Post: DPO, Cloudsail Digital Solutions, Aleja Wolności 12, 62-800 Kalisz, Poland

DPO Responsibilities:

  • Monitor GDPR compliance

  • Conduct privacy impact assessments

  • Serve as regulatory liaison

  • Handle complex privacy inquiries

13. Privacy by Design

We implement privacy principles throughout our service:

13.1 Data Minimization

  • Collect only necessary data

  • Automatic data purging

  • Aggregation where possible

13.2 Purpose Limitation

  • Clear purposes defined before collection

  • No secondary use without legal basis

  • Transparent about any new purposes

13.3 Transparency

  • Clear privacy notices at collection

  • Regular privacy updates

  • Open about our practices

13.4 Privacy Impact Assessments

Conducted for:

  • New data sources

  • AI/ML implementations

  • Major feature releases

  • New third-party integrations

14. Your California Privacy Rights (CCPA)

For California residents:

14.1 Right to Know

  • Categories and specific pieces of personal information

  • Sources, purposes, and third parties

14.2 Right to Delete

Subject to exceptions for security, legal obligations, and service provision

14.3 Right to Opt-Out

We do not sell personal information

14.4 Non-Discrimination

Equal service regardless of whether you exercise your privacy rights

15. Changes to This Policy

We may update this Policy to reflect:

  • Legal or regulatory changes

  • New features or services

  • Improved privacy practices

Notification Methods:

  • Email for material changes

  • In-app notifications

  • 30-day notice for adverse changes


16. Supervisory Authority

You have the right to lodge complaints with:

Lead Authority (Poland):
Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warsaw, Poland
Phone: +48 22 531 03 00
Email: kancelaria@uodo.gov.pl
Website: uodo.gov.pl

Other EU Authorities: You may also contact your local data protection authority. List available at: edpb.europa.eu/about-edpb/board/members

17. Legal Disclosure Requirements

We may disclose data when required by:

  • Court orders or subpoenas

  • Law enforcement requests (with proper legal basis)

  • National security requirements

  • Protection of vital interests

We will notify you unless legally prohibited.

18. Contact Information

For Privacy Inquiries:
Cloudsail Digital Solutions sp. z o.o.
Attn: Privacy Team
Aleja Wolności 12
62-800 Kalisz, Poland