Privacy Policy

Last updated: March 2026

1. Introduction

Privum Lda ("we", "us", or "our"), registered in Portugal, operates SRExpert ("the Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, in compliance with the General Data Protection Regulation (GDPR) and applicable Portuguese data protection law (Lei n.º 58/2019).

Data Controller: Privum Lda, R. Daciano Baptista Marques, 245, 4400-617 Vila Nova de Gaia, Portugal. Contact: [email protected]

2. Information We Collect

We collect information in the following categories:

Information you provide directly:

Account information (name, email address, company name)
Contact form submissions and support requests
Billing and payment information (processed by Stripe)
Newsletter subscription email addresses

Information collected automatically:

Usage data and platform interactions
Technical data (IP address, browser type, device information, operating system)
Analytics data via Google Analytics (anonymized)
Cookie preferences and consent records

Kubernetes-related data:

Cluster metadata (names, namespaces, resource types, configuration parameters)
Workload status and health metrics
Security scan results and compliance data
Alert configurations and notification preferences

Important: We do not collect or store Kubernetes secrets, credentials, API keys, or the actual content of your application data. Our agents collect metadata and configuration information only.

3. How We Use Your Information

We process your information based on the following legal bases under GDPR:

Contract performance (Art. 6(1)(b)): To provide, maintain, and improve the Service
Legitimate interest (Art. 6(1)(f)): To analyze usage patterns, improve security, and enhance the platform
Consent (Art. 6(1)(a)): To send marketing communications and use analytics cookies
Legal obligation (Art. 6(1)(c)): To comply with applicable laws and regulations

4. AI Features and Data Processing

SRExpert integrates AI capabilities through third-party providers. When you use AI features:

Queries may be processed externally. Your questions and context data are sent to third-party AI providers (Anthropic, Alibaba Cloud, OpenAI, Google, DeepSeek) for processing. Each provider has its own data handling policies.
We minimize data exposure. We strip and anonymize sensitive information before sending queries to AI providers where technically feasible. However, we cannot guarantee complete sanitization of all data.
AI providers may retain data. Third-party AI providers may temporarily retain query data in accordance with their own privacy policies. We recommend reviewing their policies directly.
No sensitive data in AI queries. Do not submit passwords, API keys, secrets, tokens, or personally identifiable information through AI chat features.
Opt-out available. AI features are optional. You can use SRExpert's monitoring, management, and security features without enabling AI capabilities.

Third-party AI provider privacy policies:

Anthropic (Claude): anthropic.com/privacy
OpenAI (ChatGPT): openai.com/privacy
Google (Gemini): policies.google.com/privacy
Alibaba Cloud (Qwen): alibabacloud.com/privacy
DeepSeek: deepseek.com/privacy

5. Data Security

We implement appropriate technical and organizational security measures to protect your personal information, including:

Encryption in transit (TLS 1.2+) and at rest
Role-based access control for all platform data
Regular security audits and vulnerability assessments
Infrastructure hosted on enterprise-grade cloud providers
Incident response procedures for data breaches

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

6. Data Retention

We retain your information according to the following periods:

Account data: For as long as your account is active, plus 30 days after deletion request
Usage analytics: 26 months (Google Analytics default)
Billing records: 7 years (Portuguese tax law requirements)
Support tickets: 2 years after resolution
Cluster metadata: Deleted within 30 days of cluster disconnection

You may request earlier deletion subject to legal retention requirements.

7. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including when using AI features (providers may be based in the US or China). We ensure adequate data protection through:

EU Standard Contractual Clauses (SCCs) where applicable
Adequacy decisions by the European Commission
Provider certifications and compliance frameworks

8. Your Rights (GDPR)

Under the GDPR and Portuguese data protection law, you have the right to:

Access — Request a copy of your personal data
Rectification — Correct inaccurate or incomplete data
Erasure — Request deletion of your data ("right to be forgotten")
Restriction — Request restricted processing of your data
Portability — Receive your data in a structured, machine-readable format
Objection — Object to processing based on legitimate interests
Withdraw consent — Withdraw consent at any time for consent-based processing

To exercise these rights, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the Portuguese Data Protection Authority (CNPD — Comissão Nacional de Proteção de Dados).

9. Cookies and Tracking

We use the following types of cookies:

Essential cookies: Required for the website to function (session management, security). Cannot be disabled.
Analytics cookies: Google Analytics (G-1JGT9EMEPB) to understand how visitors interact with our website. Data is anonymized and aggregated.
Marketing cookies: Currently not in use. If enabled in the future, we will update this policy and request your consent.

You can manage your cookie preferences through the cookie banner on our website, or by adjusting your browser settings. Disabling cookies may affect your experience.

10. Third-Party Services

We use the following third-party services that may process your data:

Google Analytics: Website usage analytics (Google LLC, USA)
Stripe: Payment processing (Stripe Inc., USA)
AI Providers: As listed in Section 4 above

Each service operates under its own privacy policy and data protection agreements.

11. Children's Privacy

SRExpert is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal data, please contact us.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last updated" date. For significant changes, we may also notify you via email.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at:

Email: [email protected]
Company: Privum Lda
Address: R. Daciano Baptista Marques, 245, 4400-617 Vila Nova de Gaia, Portugal
Phone: +351 225 500 233

Supervisory Authority: CNPD — Comissão Nacional de Proteção de Dados (cnpd.pt)