Privacy Policy · CySo Solutions

CySo Solutions Ltd respects your privacy and is committed to protecting your personal data in line with the EU General Data Protection Regulation (GDPR). This is a static informational website. Our applications — CySo Flow, Time, VAT and Invoicing — have their own privacy notices within each app; this policy covers only what happens on this marketing site.

Who we are

CySo Solutions Ltd is the data controller responsible for the personal data described in this policy. We are a software company registered in Cyprus.

CySo Solutions Ltd

Registered office: 7 Igerias Street, Limassol, Cyprus

Company registration number: HE487195

Contact: [email protected]

If you have any question about this policy or about how we handle your data, email us at the address above. We respond to privacy enquiries promptly.

What we collect, and how

We deliberately collect as little as possible. The only personal data this website collects directly from you is what you choose to send through our contact form:

Name — so we know who we are replying to.
Email address — so we can reply to you.
Company — optional, only if you choose to provide it.
Your message — whatever you decide to tell us.

When you submit the contact form, the details are sent securely to our website's serverless function (running on our hosting provider, Cloudflare) which forwards them to our company inbox as an email through our email-delivery provider, Resend. We receive only what you choose to send. If that submission ever fails, the form offers a link to email us directly instead.

Server logs. This site is served as static files by our hosting provider. Like virtually all web hosting, the provider may automatically log technical information such as your IP address and browser type for security and to keep the service running. We do not use these logs to identify or profile visitors.

Fonts. The site loads typefaces from Google Fonts. To deliver those fonts, Google may receive your IP address. See section 05.

Why we use it, and our lawful basis

Under Article 6 of the GDPR we must have a lawful basis for processing your data. Here is exactly what we do and why:

Responding to your enquiry — we use your name, email and message to reply to you and to discuss our products or a possible engagement. Lawful basis: your consent (Art. 6(1)(a)), which you give by ticking the consent box and sending the form.
Keeping our website secure and available — processing of technical log data by our host. Lawful basis: legitimate interests (Art. 6(1)(f)) in protecting and maintaining the site.

We do not use your data for advertising, profiling, or automated decision-making, and we never sell it.

The CySo Time team waitlist

You may use the contact form to ask to join the CySo Time team waitlist. This is entirely optional. If you request it, we add your name and email to a list so we can let you know when team plans open and bring you on board.

We process this on the basis of your consent (Art. 6(1)(a)). You can ask to be removed from the waitlist at any time by emailing us — withdrawing consent is as easy as giving it, and it does not affect anything you have already sent us.

Third parties and processors

We keep the list of third parties short on purpose:

Google Fonts — delivers the fonts used on the site. To do this, Google may receive your IP address. No fonts are used to track you, and Google Fonts does not set advertising cookies on this site.
Cloudflare — our hosting provider. It serves the website's static files and runs the serverless function that processes your contact-form submission, and may process technical log data (such as IP addresses) on our behalf.
Resend — our email-delivery provider. It transmits your contact-form enquiry to our inbox as an email on our behalf. It processes only the details you submit in the form.
Google / Gmail — our inbox is a Google Workspace / Gmail account, so Google processes the enquiry email we receive as our email provider.

We do not sell your personal data, and we run no advertising trackers, analytics, or third-party marketing pixels on this site.

International transfers

Some of the providers above (notably Google) are organisations that may process data outside the European Economic Area (EEA). Where personal data is transferred outside the EEA, it is protected by appropriate safeguards recognised under the GDPR — in particular the European Commission's Standard Contractual Clauses (SCCs) and/or an adequacy decision, as applicable.

You can ask us for more detail about these safeguards using the contact address above.

Cookies and tracking

This website does not set any cookies. We use no analytics, no advertising tags, and no tracking technologies. There is nothing to consent to and no cookie banner, because there are no cookies to manage.

Your browser does communicate with Google's servers to fetch fonts, as described above, but the site itself stores nothing on your device for tracking purposes.

How long we keep your data

We keep enquiry emails only as long as we need them. Where an enquiry leads to no further contact, we delete it within 12 months. Where it leads to an ongoing conversation or a business relationship, we keep the correspondence for as long as that relationship requires, and for any period we are legally obliged to retain it.

Waitlist details are kept until team plans open and you are onboarded, or until you ask to be removed — whichever comes first.

Your rights under the GDPR

You have the following rights over your personal data:

Access — ask for a copy of the personal data we hold about you.
Rectification — have inaccurate or incomplete data corrected.
Erasure — ask us to delete your data ("right to be forgotten").
Restriction — ask us to limit how we use your data.
Portability — receive your data in a portable, machine-readable form.
Objection — object to processing based on our legitimate interests.
Withdraw consent — where we rely on consent, withdraw it at any time, without affecting processing carried out before you withdrew it.
Complain — lodge a complaint with a data protection supervisory authority.

Our lead supervisory authority is the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus (dataprotection.gov.cy). You may also complain to the supervisory authority in your own EU country of residence.

How to exercise your rights

To exercise any of the rights above, simply email [email protected]. We will respond within one month, as the GDPR requires. There is no charge for a reasonable request, and we may ask you to confirm your identity so that we only release data to the right person.

How we protect your data

We apply reasonable technical and organisational measures appropriate to a small, EU-based company and to the limited data we hold. These include encrypted transport (HTTPS) for the website, access controls and strong authentication on the inbox that receives enquiries, and the principle of collecting and keeping as little data as possible. No method of transmission or storage is ever completely secure, but we take the protection of your data seriously.

Children

This website and our products are intended for businesses and professionals. They are not directed at children, and we do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us with personal data, please contact us and we will delete it.

Changes to this policy

We may update this policy from time to time, for example if we add a feature or change a provider. When we do, we will revise the effective date below and, where the change is significant, take reasonable steps to highlight it.

This policy is effective from 2 June 2026.