Privacy Policy

Last updated: May 8, 2025

1. WHO WE ARE

Cust is the trading name of UAB "Autonominiai pardavimai", company code 306362685, registered in Lithuania, EU ("Cust", "we", "our").

We act as the data controller for the personal data described in this notice, unless stated otherwise. Privacy contact: dpo@cust.co.

2. SCOPE

This Policy describes how we collect, use, share and secure personal data when you:

  • visit cust.co or any sub-domain;
  • create or use a Cust workspace;
  • connect Cust to your e-mail, CRM or other systems;
  • communicate with us by any channel.

It does not cover third-party sites or services you access via Cust.

3. THE DATA WE COLLECT

Category | Examples | Source
User Account Data | Name, business e-mail, password hash, company, role | You
Billing Data | VAT number, billing address, card last 4 digits (handled by Stripe) | You / Stripe
Workspace Content | E-mails, CRM records, product usage metrics, support chats, call transcripts, files you upload | You / integrations
AI Artefacts | "Wikipedia-style" summaries, prompts, recommended actions | Derived from Workspace Content
Usage Data | IP address, device, browser, feature usage logs, timestamps | Automated collection
Support Data | Help-desk tickets, feedback, meeting transcripts | You


4. PURPOSES & LEGAL BASES


Purpose | Legal basis (Art. 6 GDPR)
Provide and secure the service | Contract performance
Billing & fraud prevention | Legal obligation / Legitimate interest
Product analytics (aggregated, cookie-based) | Legitimate interest (opt-out available)
Optional e-mail delivery on your behalf | Contract performance
Compliance with legal duties & dispute defence | Legal obligation / Legitimate interest

5. AUTOMATED PROCESSING & PROFILING

Cust's AI suggests and, if you enable "Autonomous mode", executes customer-success actions (e.g., sending follow-up e-mails). These do not create legal or similarly significant effects on individuals within the meaning of GDPR Art. 22.

6. COOKIES & SIMILAR TECHNOLOGIES

Essential cookies (sign-in, CSRF protection) are always active. Analytics cookies (PostHog): placed only after consent; retention 12 months.

7. HOW WE SHARE PERSONAL DATA

We never sell your data. We disclose it only:

  • to vetted sub-processors under enterprise agreements;
  • to competent authorities when legally obliged;
  • with your explicit consent.

Current sub-processors:

  • Heroku / Salesforce – cloud hosting – DE (EEA)
  • Stripe – payment processing – IE (EEA)
  • PostHog – product analytics – DE (EEA)
  • OpenAI – AI inference – US
  • Google – AI inference, authentication & Gmail/Workspace integration – EU
  • Microsoft – authentication & Outlook/Microsoft 365 integration – EU
  • Postmark – transactional e-mails – US

8. INTERNATIONAL TRANSFERS

Where data leaves the European Economic Area (EEA), we rely on the European Commission's Standard Contractual Clauses (2021 edition) and have performed Transfer Impact Assessments.

Additional safeguards include encryption in transit and at rest, data-minimisation, and a strict prohibition on AI model training with customer data.

9. RETENTION

Data type | Retention period
Workspace Content (e-mails, CRM data, AI artefacts) | Deleted within 30 days after you remove it or close your account; backups deleted ≤ 90 days later
User Account Data | 30 days after account closure
Billing & Tax Records | 7 years (statutory requirement)
Usage & Analytics Logs | Aggregated/pseudonymised after 12 months
Support Records | 3 years after ticket resolution


10. SECURITY MEASURES

  • AES-256 encryption at rest; TLS 1.2+ in transit
  • ISO 27001-certified data-centre (AWS via Heroku)
  • Mandatory MFA for Cust personnel; least-privilege access
  • Third-party penetration testing at least annually
  • Continuous logging & intrusion detection
  • Incident-response policy including 72-hour breach notification

11. YOUR RIGHTS

You may: (i) access your data, (ii) correct inaccuracies, (iii) request erasure, (iv) restrict or object to processing, (v) obtain a portable copy, (vi) withdraw any consent you have given.


Exercise rights by e-mailing dpo@cust.co. We respond within 30 days. If you believe that we have not handled your request properly, you can complain to a supervisory authority.

12. SPECIFIC THIRD-PARTY DISCLOSURES

Google APIs: Our use and transfer of information received from Google APIs complies with the Google API Services User Data Policy, including Limited-Use requirements (see https://developers.google.com/terms/api-services-user-data-policy).

Microsoft APIs: Our use and transfer of information received from Microsoft APIs complies with the Microsoft API Terms of Use.

OpenAI: We use OpenAI Enterprise endpoints; model weights are never trained or fine-tuned on your data.

Stripe: Payment card details are handled exclusively by Stripe and never stored on Cust servers.

13. CHANGES TO THIS POLICY

We may update this Policy from time to time. Material changes will be e-mailed to workspace owners at least 15 days before they take effect.

14. CONTACT

Questions, concerns or requests:

  • E-mail: dpo@cust.co
  • Post: Privacy Team, UAB "Autonominiai pardavimai", Nemenčinės pl. 4e-10, LT-10109 Vilnius, Lithuania