Legal

Privacy Policy

Last updated: 4 June 2026

This Privacy Policy explains how Cloudpepper BV ("Cloudpepper", "we", "us") collects and uses personal data when you visit our website, sign up for our services, contact us, or otherwise interact with us. We are committed to handling your personal data in accordance with Regulation (EU) 2016/679 (the "GDPR") and the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data.

Who we are

The data controller for the personal data described in this Privacy Policy is:

Cloudpepper BV
Witte Patersstraat 4, 1040 Brussels, Belgium
Enterprise number: BE 0804.323.604
Email: privacy@cloudpepper.io

What this policy covers

This Privacy Policy applies to personal data we collect and process as a controller — meaning data we decide the purposes and means of processing for. This includes data about:

visitors to our website (cloudpepper.io and related properties);
prospective customers who contact us or sign up for trials, demos or newsletters;
customers and their administrative contacts;
people who reach out to our support team or otherwise communicate with us.

What this policy does not cover. When you are a customer of Cloudpepper, we host and manage Odoo environments on your behalf. The personal data you store within those environments (e.g., your own customers’, employees’ or suppliers’ details) is processed by us as a processor on your instructions. The terms of that processing are set out in our Data Processing Agreement, not in this Privacy Policy.

Personal data we collect

Depending on how you interact with us, we may collect the following categories of personal data:

Account and billing data. When you register for our services, we collect your name, business email address, postal address, phone number, company name, VAT number, and payment details (card data is collected directly by our payment processor and we do not store full card numbers).

Communication data. When you contact us by email, chat, contact form or phone, we collect the contents of those communications and any contact information you provide.

Marketing data. If you sign up for our newsletter or download a resource, we collect your email address and your preferences. If you are an existing customer, we may add your administrative contact email to service-related and product-update mailings on the basis of our existing relationship; you can opt out at any time.

Support data. When you use our chat or open a ticket, we keep a record of the conversation, the systems involved, and any troubleshooting steps performed.

Technical and usage data. When you visit our website or use our services, our servers and analytics tools automatically collect information such as your IP address, device and browser characteristics, pages visited, referring URL, timestamps, campaign parameters and ad click identifiers where applicable. We also generate operational telemetry (logs, performance metrics, security events) about the use of our platform.

Cookies and similar technologies. See our Cookie Policy for details on the cookies and tracking technologies used on our website and how you can manage your preferences.

How we use your data and our legal basis

We process personal data only where we have a lawful basis under Article 6 GDPR. The table below summarises our main processing activities, the data involved, and the legal basis we rely on.

Purpose	Data used	Legal basis
Providing the Services to our customers (provisioning servers, deploying Odoo, monitoring, support).	Account and billing data, communication data, support data, technical/usage data.	Performance of a contract (Art. 6(1)(b)).
Billing and payment processing.	Account and billing data.	Performance of a contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) for invoicing and tax records.
Securing the platform: detecting and preventing fraud, abuse, and security incidents.	Technical/usage data, account data.	Legitimate interests (Art. 6(1)(f)) — ensuring the security and integrity of our services.
Responding to your enquiries and providing customer support.	Communication data, support data, account data.	Performance of a contract (Art. 6(1)(b)) for customers, legitimate interests (Art. 6(1)(f)) for prospective customers.
Sending service updates and product announcements to existing customers.	Marketing data, account data.	Legitimate interests (Art. 6(1)(f)) — informing customers about the services they use; you can opt out at any time.
Sending marketing emails to prospective customers and newsletter subscribers.	Marketing data.	Consent (Art. 6(1)(a)); you can withdraw at any time.
Website analytics and marketing performance measurement.	Pageview and CTA metadata, cookie-consent status, campaign parameters, ad click identifiers; for account conversions, limited account, billing, attribution and technical data.	Consent (Art. 6(1)(a)) where required for optional ad cookies and ad-platform user data; legitimate interests (Art. 6(1)(f)) for internal measurement and for ad measurement in regions where opt-out rules apply. You can object by contacting privacy@cloudpepper.io.
Improving and developing our services (capacity planning, product analytics on aggregated data).	Aggregated and anonymised technical/usage data.	Legitimate interests (Art. 6(1)(f)) — improving our services for all customers.
Complying with legal obligations (accounting, tax, responding to lawful requests from authorities).	Account and billing data, communication data as relevant.	Legal obligation (Art. 6(1)(c)).
Establishing, exercising or defending legal claims.	Whatever data is relevant to the claim.	Legitimate interests (Art. 6(1)(f)).

We do not engage in automated decision-making, including profiling, that produces legal effects or similarly significantly affects you within the meaning of Article 22 GDPR.

We do not sell your personal data. We share it only with the categories of recipients set out below, and only to the extent necessary for the purposes described above.

Service providers acting as our processors. We engage trusted service providers to help us operate our business and deliver the Services. These providers act under our instructions and are bound by written data processing agreements.

Infrastructure and platform providers. We use cloud infrastructure, content-delivery and edge-security providers to host our management platform and customer environments. The current providers are Amazon Web Services, Google Cloud, OVHcloud, Cloudflare, and — where you select them — UpCloud and Vultr. The current sub-processor list is maintained in Annex A of our Data Processing Agreement.

Customer support and communications. We use Crisp IM for customer support chat and ticketing, and Google Workspace for our internal email, calendar and document management used in the course of communicating with you.

Operations and observability. We use Grafana Labs for platform observability and operational monitoring (job status, capacity, error signals). The data involved is limited to operational metadata such as which provisioning jobs have failed and aggregated counts; it does not include the contents of hosted Odoo environments.

ERP, billing and payments. We use Odoo SA for the Odoo Enterprise software that powers our billing, invoicing and customer-relationship records, and Stripe for processing payments on our customer subscriptions.

Marketing and advertising. We use Klaviyo to send service-related and marketing emails to our administrative contacts and newsletter subscribers; the subscription is processed server-side and Klaviyo does not place any JavaScript or cookies on cloudpepper.io. For advertising performance measurement, we may use Google, Meta, LinkedIn and Reddit tags on cloudpepper.io where allowed by your region, consent choice and browser privacy signal. When you start a trial or paid subscription on my.cloudpepper.io, we may also share limited conversion information with advertising platforms we advertise on, so they can measure campaign performance. We do not use a visitor ID cookie or fingerprinting to track anonymous journeys. You can manage optional ad cookies using the Privacy choices link, and you can object to marketing measurement by contacting privacy@cloudpepper.io.

Professional services. We share limited personal data with categories of trusted professional service providers in the course of running our business, including external accountants and tax advisors, banks and payment institutions, payroll and employment service providers, and our legal advisors. These providers process personal data only for the specific purposes for which we engage them and under appropriate confidentiality and data protection arrangements.

Authorities and other third parties. We may disclose personal data: (i) where required by law, court order or other legal process; (ii) to protect the rights, property or safety of Cloudpepper, our customers or others; or (iii) in connection with a corporate transaction such as a merger, acquisition or sale of assets, in which case the recipient will be bound by terms consistent with this Privacy Policy.

International transfers

We store and process personal data within the European Economic Area (EEA) wherever possible, including on infrastructure located in Belgium and elsewhere in the EU. Some of the service providers listed above are based outside the EEA, or may transfer limited personal data to entities outside the EEA in the course of providing their services. In those cases, we rely on the European Commission’s Standard Contractual Clauses (Decision (EU) 2021/914), supplemented by additional technical and organisational safeguards where necessary, to ensure that your personal data continues to be protected.

You can request a copy of the safeguards we apply by emailing privacy@cloudpepper.io.

How long we keep your data

We keep personal data only for as long as necessary for the purposes for which it was collected, including to comply with legal, accounting and reporting requirements. Our standard retention periods are:

Account and billing data: for the duration of the customer relationship and for seven (7) years after termination, in line with Belgian tax and accounting obligations.
Communication and support data: up to three (3) years after the last interaction, unless a longer period is required for legal or contractual reasons.
Marketing data: until you unsubscribe or withdraw your consent, and for a short period thereafter to give effect to your opt-out.
Technical and usage data (logs, security events): typically up to twelve (12) months, subject to longer retention where needed for security investigations.
Website analytics data: pageview events are retained in our analytics and ad-measurement systems according to the relevant provider settings. Cloudpepper’s ad-consent cookie is kept for up to 180 days, consented campaign-attribution data for up to 90 days, and server-side conversion delivery logs for up to twelve (12) months so we can audit delivery status and diagnose ad-platform integration issues.
Backups: production data is removed within 30 days of contract termination; data residing in routine backups is overwritten within the standard backup cycle (currently up to 90 days).

Where we no longer need your personal data, we delete it or anonymise it.

Your rights

Under the GDPR, you have the following rights in relation to your personal data:

Right of access — to obtain confirmation of whether we process your personal data and a copy of that data.
Right to rectification — to have inaccurate or incomplete personal data corrected.
Right to erasure (“right to be forgotten”) — to have your personal data deleted in certain circumstances.
Right to restriction of processing — to limit how we process your personal data in certain circumstances.
Right to data portability — to receive your personal data in a structured, commonly used and machine-readable format and to transmit it to another controller.
Right to object — to object to processing based on legitimate interests, including direct marketing.
Right to withdraw consent — where we rely on your consent, you can withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
Right not to be subject to automated decision-making — we do not carry out such decision-making in a way that produces legal or similarly significant effects on you.

To exercise any of these rights, contact us at privacy@cloudpepper.io. We may need to verify your identity before responding. We will respond within one (1) month, with the possibility of extending by up to two further months for complex requests, in which case we will inform you within the first month.

Right to lodge a complaint. If you believe that our processing of your personal data infringes Data Protection Laws, you have the right to lodge a complaint with a supervisory authority. The competent supervisory authority for Cloudpepper is the Belgian Data Protection Authority:

Gegevensbeschermingsautoriteit / Autorité de protection des données
Drukpersstraat 35, 1000 Brussels, Belgium
Website: www.gegevensbeschermingsautoriteit.be

You may also lodge a complaint with the supervisory authority in the EU Member State of your habitual residence or place of work.

Cookies and similar technologies

Our marketing website uses cookies set by Cloudflare for bot protection, cookies set by our Crisp Live Chat support widget, and optional advertising and measurement cookies. In the EEA, United Kingdom and Switzerland, we ask before using optional ad cookies; outside those regions, we may use them by default unless you opt out or your browser sends a recognised privacy signal. For full details, please see our Cookie Policy.

Data security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure or destruction, taking into account the risks involved and the deployment models used. These measures include role-based access controls, authentication requirements for administrative access, encryption of data in transit, network segmentation, vulnerability management, centralised logging, regular backups and a documented incident-response process. Specific measures may vary depending on the deployment model, infrastructure provider and service plan. A more detailed description is set out in Annex B of our Data Processing Agreement.

No security measure is perfect, and we cannot guarantee absolute security. If we become aware of a personal data breach affecting your personal data, we will notify you and the competent supervisory authority where required by law.

AI assistants (MCP connector)

Cloudpepper offers a Model Context Protocol (MCP) connector at mcp.cloudpepper.io that lets you operate your Cloudpepper account from an AI assistant or other MCP-compatible client you choose to connect (for example, Claude). The connector exposes the same management actions available in your dashboard — such as listing servers and Odoo instances, creating instances, deploying from git, running and inspecting backups, reading logs, and inspecting database health.

Authentication. Access requires your authorisation. You connect using OAuth 2.0 through our authorisation server, or with a Cloudpepper API key. The connector is a stateless proxy: it forwards your authorised request to our API and returns the result. It does not store your account data, the contents of your environments, your access tokens, or your API keys.

What we log. For security and audit purposes, we record operational metadata about connector calls: which tool was invoked, the type of operation (read or write), the identifiers of the resources targeted, whether the call succeeded or was refused, a timestamp, the duration, and — so we can attribute the action — the identity associated with your authorisation (such as your user and workspace) or a non-reversible fingerprint of the API key used. We do not log the contents of your requests, your environment data, or secrets. This telemetry is handled as described in “Technical and usage data” above and retained in line with “How long we keep your data”.

Data returned to your AI assistant. When you connect a third-party AI assistant, the data returned by the tools you invoke is transmitted to, and processed by, that assistant’s provider under your control and subject to that provider’s terms and privacy policy. This may include — where you choose to run tools that read from your hosted environments (for example, listing Odoo users or reading instance logs) — limited personal data from those environments. You decide which assistant to connect and which actions to run. Where such data concerns one of your hosted Odoo environments, Cloudpepper’s processing of it is governed by our Data Processing Agreement, and the AI provider you connect acts as your processor, not ours; you are responsible for your relationship with that provider.

Children’s data

Our services are intended for businesses and are not directed at children, and we do not knowingly collect personal data from anyone under 16. If you believe a child’s data has reached us, email privacy@cloudpepper.io and we will delete it.

Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements or other factors. The latest version will always be available on our website, and the “Last updated” date at the top will indicate when it was most recently revised. For material changes, we will provide additional notice (such as by email or a notice on the website).

Contact us

If you have any questions, concerns or requests relating to this Privacy Policy or our processing of your personal data, please contact us at:

Cloudpepper BV
Witte Patersstraat 4, 1040 Brussels, Belgium
Email: privacy@cloudpepper.io