Privacy Policy
Last updated: May 8, 2025
1. WHO WE ARE
Cust is the trading name of UAB "Autonominiai pardavimai", company code 306362685, registered in Lithuania, EU ("Cust", "we", "our").
We act as the data controller for the personal data described in this notice, unless stated otherwise. Privacy contact: dpo@cust.co.
2. SCOPE
This Policy describes how we collect, use, share and secure personal data when you:
- visit cust.co or any sub-domain;
- create or use a Cust workspace;
- connect Cust to your e-mail, CRM or other systems;
- communicate with us by any channel.
It does not cover third-party sites or services you access via Cust.
3. THE DATA WE COLLECT
| Category | Examples | Source |
|---|
| User Account Data | Name, business e-mail, password hash, company, role | You |
| Billing Data | VAT number, billing address, card last 4 digits (handled by Stripe) | You / Stripe |
| Workspace Content | E-mails, CRM records, product usage metrics, support chats, call transcripts, files you upload | You / integrations |
| AI Artefacts | "Wikipedia-style" summaries, prompts, recommended actions | Derived from Workspace Content |
| Usage Data | IP address, device, browser, feature usage logs, timestamps | Automated collection |
| Support Data | Help-desk tickets, feedback, meetings transcripts | You |
4. PURPOSES & LEGAL BASES
| Purpose | Legal basis (Art. 6 GDPR) |
|---|
| Provide and secure the service | Contract performance |
| Billing & fraud prevention | Legal obligation / Legitimate interest |
| Product analytics (aggregated, cookie-based) | Legitimate interest (opt-out available) |
| Optional e-mail delivery on your behalf | Contract performance |
| Compliance with legal duties & dispute defence | Legal obligation / Legitimate interest |
5. AUTOMATED PROCESSING & PROFILING
Cust's AI suggests and, if you enable "Autonomous mode", executes customer-success actions (e.g., sending follow-up e-mails). These do not create legal or similarly significant effects on individuals within the meaning of GDPR Art. 22.
6. COOKIES & SIMILAR TECHNOLOGIES
Essential cookies (sign-in, CSRF protection) are always active. Analytics cookies (PostHog): placed only after consent; retention 12 months.
7. HOW WE SHARE PERSONAL DATA
We never sell your data. We disclose it only:
- to vetted sub-processors under enterprise agreements;
- to competent authorities when legally obliged;
- with your explicit consent.
Current sub-processors:
- Heroku / Salesforce – cloud hosting – DE (EEA)
- Stripe – payment processing – IE (EEA)
- PostHog – product analytics – DE (EEA)
- OpenAI – AI inference – US
- Google – AI inference, authentication & Gmail/Workspace integration – EU
- Microsoft – authentication & Outlook/Microsoft 365 integration – EU
- Postmark – transactional e-mails – US
8. INTERNATIONAL TRANSFERS
Where data leaves the European Economic Area (EEA) - we rely on the European Commission's Standard Contractual Clauses (2021 edition) and have performed Transfer Impact Assessments.
Additional safeguards include encryption in transit and at rest, data-minimisation, and a strict prohibition on AI model training with customer data.
9. RETENTION
| Data type | Retention period |
|---|
| Workspace Content (e-mails, CRM data, AI artefacts) | Deleted within 30 days after you remove it or close your account; backups deleted ≤ 90 days later |
| User Account Data | 30 days after account closure |
| Billing & Tax Records | 7 years (statutory requirement) |
| Usage & Analytics Logs | Aggregated/pseudonymised after 12 months |
| Support Records | 3 years after ticket resolution |
10. SECURITY MEASURES
- AES-256 encryption at rest; TLS 1.2+ in transit
- ISO 27001-certified data-centre (AWS via Heroku)
- Mandatory MFA for Cust personnel; least-privilege access
- Third-party penetration testing at least annually
- Continuous logging & intrusion detection
- Incident-response policy including 72-hour breach notification
11. YOUR RIGHTS
You may: (i) access your data, (ii) correct inaccuracies, (iii) request erasure, (iv) restrict or object to processing, (v) obtain a portable copy, (vi) withdraw any consent you have given.
Exercise rights by e-mailing dpo@cust.co. We respond within 30 days. If you believe that we have not handled your request properly, you can complain to a supervisory authority.
12. SPECIFIC THIRD-PARTY DISCLOSURES
Google APIs: Our use and transfer of information received from Google APIs complies with Google API Services User Data Policy, including Limited-Use requirements (see https://developers.google.com/terms/api-services-user-data-policy).
Microsoft APIs: Our use and transfer of information received from Microsoft APIs complies with Microsoft API Terms of Use.
OpenAI: We use OpenAI Enterprise endpoints; model weights are never trained or fine-tuned on your data.
Stripe: Payment card details are handled exclusively by Stripe and never stored on Cust servers.
13. CHANGES TO THIS POLICY
We may update this Policy from time to time. Material changes will be e-mailed to workspace owners at least 15 days before they take effect.
14. CONTACT
Questions, concerns or requests:
- E-mail: dpo@cust.co
- Post: Privacy Team, UAB "Autonominiai pardavimai", Nemenčinės pl. 4e-10, LT-10109 Vilnius, Lithuania
