Privacy Policy
Last updated: Dec 19, 2025
1. WHO WE ARE
Cust is the trading name of UAB "Autonominiai pardavimai", company code 306362685, registered in Lithuania, EU ("Cust", "we", "our").
We act as the data controller for the personal data described in this notice, unless stated otherwise. Privacy contact: dpo@cust.co.
2. SCOPE
This Policy describes how we collect, use, share and secure personal data when you:
- visit cust.co or any sub-domain;
- create or use a Cust workspace;
- connect Cust to your e-mail, CRM or other systems;
- communicate with us by any channel.
It does not cover third-party sites or services you access via Cust.
3. THE DATA WE COLLECT
| Category |
Examples |
| Identity & Contact Data |
Names, job titles, email addresses, phone numbers, and internal User IDs. |
| Commercial Data |
Subscription details, contract value (ARR/MRR), renewal dates, and billing status (excluding sensitive payment card details or bank account numbers). |
| Technical & Usage Data |
Information on how individuals are using products and/or services. |
| Communication Data |
Records of customer interactions, such as support ticket history, email, calendar events, call transcripts and notes entered by Customer Success Managers. |
4. PURPOSES & LEGAL BASES
| Purpose | Legal basis (Art. 6 GDPR) |
|---|
| Provide and secure the service | Contract performance |
| Billing & fraud prevention | Legal obligation / Legitimate interest |
| Product analytics (aggregated, cookie-based) | Legitimate interest (opt-out available) |
| Optional e-mail delivery on your behalf | Contract performance |
| Compliance with legal duties & dispute defence | Legal obligation / Legitimate interest |
5. AUTOMATED PROCESSING & PROFILING
Cust's AI suggests and, if you enable "Autonomous mode", executes customer-success actions (e.g., sending follow-up e-mails). These do not create legal or similarly significant effects on individuals within the meaning of GDPR Art. 22.
6. COOKIES & SIMILAR TECHNOLOGIES
Essential cookies (sign-in, CSRF protection) are always active. Analytics cookies (PostHog): placed only after consent; retention 12 months.
7. HOW WE SHARE PERSONAL DATA
We never sell your data. We disclose it only:
- to vetted sub-processors under enterprise agreements;
- to competent authorities when legally obliged;
- with your explicit consent.
Current sub-processors:
- Heroku / Salesforce – cloud hosting – EU / US
- OpenAI – AI inference
- Google – AI inference
- Postmark – transactional e-mails
8. INTERNATIONAL TRANSFERS
Where data leaves the European Economic Area (EEA) - we rely on the European Commission's Standard Contractual Clauses (2021 edition) and have performed Transfer Impact Assessments.
Additional safeguards include encryption in transit and at rest, data-minimisation, and a strict prohibition on AI model training with customer data.
9. RETENTION
| Data type | Retention period |
|---|
| Workspace Content (e-mails, CRM data, AI artefacts) | Deleted within 30 days after you remove it or close your account; backups deleted ≤ 90 days later |
| User Account Data | 30 days after account closure |
| Billing & Tax Records | 7 years (statutory requirement) |
| Usage & Analytics Logs | Aggregated/pseudonymised after 12 months |
| Support Records | 3 years after ticket resolution |
10. SECURITY MEASURES
- AES-256 encryption at rest; TLS 1.2+ in transit
- ISO 27001-certified data-centre (AWS via Heroku)
- Mandatory MFA for Cust personnel; least-privilege access
- Third-party penetration testing at least annually
- Continuous logging & intrusion detection
- Incident-response policy including 72-hour breach notification
11. YOUR RIGHTS
You may: (i) access your data, (ii) correct inaccuracies, (iii) request erasure, (iv) restrict or object to processing, (v) obtain a portable copy, (vi) withdraw any consent you have given.
How to Exercise Your Rights: To ensure your request is tracked and processed securely, please submit all data deletion or access requests via our Privacy Request Form on this page. We log all requests to ensure compliance with statutory timeframes.
12. SPECIFIC THIRD-PARTY DISCLOSURES
Google APIs: Our use and transfer of information received from Google APIs complies with Google API Services User Data Policy, including Limited-Use requirements (see https://developers.google.com/terms/api-services-user-data-policy).
Microsoft APIs: Our use and transfer of information received from Microsoft APIs complies with Microsoft API Terms of Use.
OpenAI: We use OpenAI Enterprise endpoints; model weights are never trained or fine-tuned on your data.
Stripe: Payment card details are handled exclusively by Stripe and never stored on Cust servers.
13. AI GOVERNANCE & STAKEHOLDER INFORMATION
We utilize third-party Artificial Intelligence (AI) models (from OpenAI and Google) to provide our services. We do not train, fine-tune, or improve these models using your Customer Data.
In alignment with ISO 42001 standards, we address our stakeholders as follows:
- Customers (You): You retain full ownership of your inputs and the output generated by the AI on your behalf. We ensure that your data is not shared with third-party model providers for their own model training purposes.
- Regulators: We maintain comprehensive logs of AI decision-making processes and sub-processor agreements, which are available to competent authorities upon lawful request to demonstrate accountability.
- Society: We evaluate our use of AI to ensure it does not reinforce bias or cause harm. Since we use "frozen" pre-trained models, we rely on the safety filters and alignment work of our providers (OpenAI/Google) while implementing our own acceptable use policies to prevent misuse.
14. CHANGES TO THIS POLICY
We may update this Policy from time to time. Material changes will be e-mailed to workspace owners at least 15 days before they take effect.
15. CONTACT
Questions, concerns or requests:
- E-mail: dpo@cust.co
- Post: Privacy Team, UAB "Autonominiai pardavimai", Nemenčinės pl. 4e-10, LT-10109 Vilnius, Lithuania
- Or please submit your privacy request via form:
