Privacy Policy

Last updated: 1 April 2026

1. Who we are

Cueva Control is a private limited company incorporated in the Netherlands (Chamber of Commerce: 99917320, VAT: NL869186632B01), with its registered office at Leeuwenhoekstraat 98, 2652 XL Berkel en Rodenrijs, the Netherlands.

We are the data controller for the personal data described in this policy. If you have any questions, contact us at legal@cuevacontrol.com.

2. Data we collect

Account data: when you create a Cueva Control account we collect your name, email address, and password hash. For business accounts we also collect company name and VAT number.

Order data: when you purchase through our store we collect your billing address, shipping address, and payment method details. Card details are processed by our payment provider and are never stored on our servers.

Device data: when you register a Cueva Control device we collect the device serial number, firmware version, and optional location name.

Usage data: we collect anonymised telemetry about how the Cueva Desktop app and Horizon dashboard are used, including feature interactions, error reports, and session duration. No flow content, credentials, or personally identifiable information is included in telemetry.

Communication data: if you contact our support team we retain records of that communication for up to three years.

3. How we use your data

To provide and maintain our services, including software updates, device management, and Horizon dashboard access.

To process orders and manage your account.

To send transactional emails (order confirmations, shipping notifications, license renewal reminders). We do not send marketing emails without your explicit consent.

To improve our products using anonymised aggregate analytics.

To comply with our legal obligations under Dutch and EU law.

4. Legal basis (GDPR)

Contract performance (Art. 6(1)(b) GDPR): processing necessary to fulfil your order or provide the service you signed up for.

Legitimate interests (Art. 6(1)(f) GDPR): anonymised analytics and security monitoring.

Legal obligation (Art. 6(1)(c) GDPR): tax record keeping and other statutory requirements.

Consent (Art. 6(1)(a) GDPR): marketing communications, where applicable. You may withdraw consent at any time.

5. Data sharing

We do not sell your personal data. We share data only with the following categories of processor, each bound by data processing agreements:

Payment processors (Stripe) for order processing; cloud infrastructure providers (Amazon Web Services, EU regions) for hosting; transactional email providers (Postmark) for system emails; analytics tools using anonymised, aggregated data only.

We may disclose data to law enforcement or regulatory authorities when required by applicable law.

6. Data retention

Account data is retained for as long as your account is active plus seven years after closure, in line with Dutch tax retention requirements.

Order records are retained for seven years as required by Dutch accounting law.

Support communications are retained for three years.

Anonymised analytics data has no fixed retention period.

7. Your rights

Under the GDPR you have the right to access the personal data we hold about you; to request correction of inaccurate data; to request erasure where there is no legitimate reason to continue processing; to object to processing based on legitimate interests; to request restriction of processing; and to data portability.

To exercise any of these rights, email legal@cuevacontrol.com. We will respond within 30 days. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

8. Cookies

Our website uses strictly necessary cookies for session management and a consent cookie to remember your cookie preferences. We use no third-party advertising or tracking cookies.

You can manage or withdraw cookie consent at any time using the consent widget on this site.

9. Security

We use industry-standard security measures including TLS encryption in transit, encrypted storage at rest, role-based access controls, and regular security reviews. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

10. Changes to this policy

We may update this policy from time to time. Material changes will be communicated by email to registered users or by a prominent notice on this website at least 14 days before the change takes effect. The "last updated" date at the top of this page will always reflect the most recent revision.

Questions about this policy? Contact us at legal@cuevacontrol.com or by post: Cueva Control, Leeuwenhoekstraat 98, 2652 XL Berkel en Rodenrijs, the Netherlands.
