Privacy Policy

Last updated: 26 April 2026

This Privacy Policy explains how Cloudpepper BV (“Cloudpepper”, “we”, “us”) collects and uses personal data when you visit our website, sign up for our services, contact us, or otherwise interact with us. We are committed to handling your personal data in accordance with Regulation (EU) 2016/679 (the “GDPR”) and the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data.

The data controller for the personal data described in this Privacy Policy is:

Cloudpepper BV
Witte Patersstraat 4, 1040 Brussels, Belgium
Enterprise number: BE 0804.323.604
Privacy contact: privacy@cloudpepper.io

This Privacy Policy applies to personal data we collect and process as a controller — meaning data we decide the purposes and means of processing for. This includes data about:

• visitors to our website (cloudpepper.io and related properties);
• prospective customers who contact us or sign up for trials, demos or newsletters;
• customers and their administrative contacts;
• people who reach out to our support team or otherwise communicate with us.

What this policy does not cover. When you are a customer of Cloudpepper, we host and manage Odoo environments on your behalf. The personal data you store within those environments (e.g., your own customers’, employees’ or suppliers’ details) is processed by us as a processor on your instructions. The terms of that processing are set out in our Data Processing Agreement, not in this Privacy Policy.

Depending on how you interact with us, we may collect the following categories of personal data:

Account and billing data. When you register for our services, we collect your name, business email address, postal address, phone number, company name, VAT number, and payment details (card data is collected directly by our payment processor and we do not store full card numbers).

Communication data. When you contact us by email, chat, contact form or phone, we collect the contents of those communications and any contact information you provide.

Marketing data. If you sign up for our newsletter or download a resource, we collect your email address and your preferences. If you are an existing customer, we may add your administrative contact email to service-related and product-update mailings on the basis of our existing relationship; you can opt out at any time.

Support data. When you use our chat or open a ticket, we keep a record of the conversation, the systems involved, and any troubleshooting steps performed.

Technical and usage data. When you visit our website or use our services, our servers and analytics tools automatically collect information such as your IP address, device and browser characteristics, pages visited, referring URL, and timestamps. We also generate operational telemetry (logs, performance metrics, security events) about the use of our platform.

Cookies and similar technologies. See our Cookie Policy for details on the cookies and tracking technologies used on our website and how you can manage your preferences.

We process personal data only where we have a lawful basis under Article 6 GDPR. The table below summarises our main processing activities, the data involved, and the legal basis we rely on.

Purpose	Data used	Legal basis
Providing the Services to our customers (provisioning servers, deploying Odoo, monitoring, support).	Account and billing data, communication data, support data, technical/usage data.	Performance of a contract (Art. 6(1)(b)).
Billing and payment processing.	Account and billing data.	Performance of a contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) for invoicing and tax records.
Securing the platform: detecting and preventing fraud, abuse, and security incidents.	Technical/usage data, account data.	Legitimate interests (Art. 6(1)(f)) — ensuring the security and integrity of our services.
Responding to your enquiries and providing customer support.	Communication data, support data, account data.	Performance of a contract (Art. 6(1)(b)) for customers, legitimate interests (Art. 6(1)(f)) for prospective customers.
Sending service updates and product announcements to existing customers.	Marketing data, account data.	Legitimate interests (Art. 6(1)(f)) — informing customers about the services they use; you can opt out at any time.
Sending marketing emails to prospective customers and newsletter subscribers.	Marketing data.	Consent (Art. 6(1)(a)); you can withdraw at any time.
Website analytics, performance measurement and advertising.	Technical/usage data, online identifiers.	Consent (Art. 6(1)(a)) where required, expressed via the cookie banner.
Improving and developing our services (capacity planning, product analytics on aggregated data).	Aggregated and anonymised technical/usage data.	Legitimate interests (Art. 6(1)(f)) — improving our services for all customers.
Complying with legal obligations (accounting, tax, responding to lawful requests from authorities).	Account and billing data, communication data as relevant.	Legal obligation (Art. 6(1)(c)).
Establishing, exercising or defending legal claims.	Whatever data is relevant to the claim.	Legitimate interests (Art. 6(1)(f)).

We do not engage in automated decision-making, including profiling, that produces legal effects or similarly significantly affects you within the meaning of Article 22 GDPR.

We do not sell your personal data. We share it only with the categories of recipients set out below, and only to the extent necessary for the purposes described above.

Service providers acting as our processors. We engage trusted service providers to help us operate our business and deliver the Services. These providers act under our instructions and are bound by written data processing agreements.

Infrastructure and platform providers. We use cloud infrastructure, content-delivery and edge-security providers to host our management platform and customer environments. The current providers are Amazon Web Services, Google Cloud, OVHcloud, Cloudflare, and — where you select them — UpCloud and Vultr. The current sub-processor list is maintained in Annex A of our Data Processing Agreement.

Customer support and communications. We use Crisp IM for customer support chat and ticketing, and Google Workspace for our internal email, calendar and document management used in the course of communicating with you.

Operations and observability. We use Grafana Labs for platform observability and operational monitoring (job status, capacity, error signals). The data involved is limited to operational metadata such as which provisioning jobs have failed and aggregated counts; it does not include the contents of hosted Odoo environments.

ERP, billing and payments. We use Odoo SA for the Odoo Enterprise software that powers our billing, invoicing and customer-relationship records, and Stripe for processing payments on our customer subscriptions.

Marketing and advertising. We use Klaviyo to send service-related and marketing emails to our administrative contacts and newsletter subscribers, and Google (Google Analytics, Google Ads) and Reddit (Reddit Ads) for website analytics and advertising measurement, in each case subject to your cookie preferences.

Professional services. We share limited personal data with categories of trusted professional service providers in the course of running our business, including external accountants and tax advisors, banks and payment institutions, payroll and employment service providers, and our legal advisors. These providers process personal data only for the specific purposes for which we engage them and under appropriate confidentiality and data protection arrangements.

Authorities and other third parties. We may disclose personal data: (i) where required by law, court order or other legal process; (ii) to protect the rights, property or safety of Cloudpepper, our customers or others; or (iii) in connection with a corporate transaction such as a merger, acquisition or sale of assets, in which case the recipient will be bound by terms consistent with this Privacy Policy.

We store and process personal data within the European Economic Area (EEA) wherever possible, including on infrastructure located in Belgium and elsewhere in the EU. Some of the service providers listed above are based outside the EEA, or may transfer limited personal data to entities outside the EEA in the course of providing their services. In those cases, we rely on the European Commission’s Standard Contractual Clauses (Decision (EU) 2021/914), supplemented by additional technical and organisational safeguards where necessary, to ensure that your personal data continues to be protected.

You can request a copy of the safeguards we apply by emailing privacy@cloudpepper.io.

We keep personal data only for as long as necessary for the purposes for which it was collected, including to comply with legal, accounting and reporting requirements. Our standard retention periods are:

• Account and billing data: for the duration of the customer relationship and for seven (7) years after termination, in line with Belgian tax and accounting obligations.
• Communication and support data: up to three (3) years after the last interaction, unless a longer period is required for legal or contractual reasons.
• Marketing data: until you unsubscribe or withdraw your consent, and for a short period thereafter to give effect to your opt-out.
• Technical and usage data (logs, security events): typically up to twelve (12) months, subject to longer retention where needed for security investigations.
• Website analytics data: as configured in our analytics tools (currently up to 14 months for Google Analytics).
• Backups: production data is removed within 30 days of contract termination; data residing in routine backups is overwritten within the standard backup cycle (currently up to 90 days).

Where we no longer need your personal data, we delete it or anonymise it.

Under the GDPR, you have the following rights in relation to your personal data:

• Right of access — to obtain confirmation of whether we process your personal data and a copy of that data.
• Right to rectification — to have inaccurate or incomplete personal data corrected.
• Right to erasure (“right to be forgotten”) — to have your personal data deleted in certain circumstances.
• Right to restriction of processing — to limit how we process your personal data in certain circumstances.
• Right to data portability — to receive your personal data in a structured, commonly used and machine-readable format and to transmit it to another controller.
• Right to object — to object to processing based on legitimate interests, including direct marketing.
• Right to withdraw consent — where we rely on your consent, you can withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
• Right not to be subject to automated decision-making — we do not carry out such decision-making in a way that produces legal or similarly significant effects on you.

To exercise any of these rights, contact us at privacy@cloudpepper.io. We may need to verify your identity before responding. We will respond within one (1) month, with the possibility of extending by up to two further months for complex requests, in which case we will inform you within the first month.

Right to lodge a complaint. If you believe that our processing of your personal data infringes Data Protection Laws, you have the right to lodge a complaint with a supervisory authority. The competent supervisory authority for Cloudpepper is the Belgian Data Protection Authority:

Gegevensbeschermingsautoriteit / Autorité de protection des données
Drukpersstraat 35, 1000 Brussels, Belgium
Website: www.gegevensbeschermingsautoriteit.be

You may also lodge a complaint with the supervisory authority in the EU Member State of your habitual residence or place of work.

Our website uses cookies and similar technologies for functional, analytical and advertising purposes. We obtain your consent for non-essential cookies via our cookie banner before they are placed on your device, and you can change your preferences at any time. For full details on the cookies we use and the choices available to you, please see our Cookie Policy.

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure or destruction, taking into account the risks involved and the deployment models used. These measures include role-based access controls, authentication requirements for administrative access, encryption of data in transit, network segmentation, vulnerability management, centralised logging, regular backups and a documented incident-response process. Specific measures may vary depending on the deployment model, infrastructure provider and service plan. A more detailed description is set out in Annex B of our Data Processing Agreement.

No security measure is perfect, and we cannot guarantee absolute security. If we become aware of a personal data breach affecting your personal data, we will notify you and the competent supervisory authority where required by law.

Our services are intended for businesses and are not directed at children. We do not knowingly collect personal data from children under the age of 16. If you believe that we have collected personal data from a child, please contact us at privacy@cloudpepper.io and we will take steps to delete it.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements or other factors. The latest version will always be available on our website, and the “Last updated” date at the top will indicate when it was most recently revised. For material changes, we will provide additional notice (such as by email or a notice on the website).

If you have any questions, concerns or requests relating to this Privacy Policy or our processing of your personal data, please contact us at:

Cloudpepper BV
Witte Patersstraat 4, 1040 Brussels, Belgium
Email: privacy@cloudpepper.io