Privacy Policy

1. Who we are

Controller: [Legal entity name], [Address]. Contact: [privacy@yourdomain.com].

2. Scope

This Privacy Policy covers (a) our marketing website and early-access requests and (b) our product (“Chromie Payables”) where we typically act as a processor on behalf of customer companies.

3. Data we collect

• Marketing/early access: name, email, company name, message, optional phone/website.
• Account and usage: identifiers, role/permissions, authentication data, audit logs.
• Workflow data (customer-controlled): bills, invoices, expense reports, receipts/attachments.
• Support: information you submit in support cases and related communications.

4. Purposes and legal bases

• Provide and secure the service (performance of contract; legitimate interests).
• Respond to early-access requests (legitimate interests or consent depending on context).
• Security, fraud prevention, and compliance (legitimate interests; legal obligations as applicable).

5. Sharing and subprocessors

We use service providers (subprocessors) to operate the service, such as our database/hosting provider, email delivery provider, and support tooling. We maintain a subprocessor list and provide it to customers under our DPA.

6. International transfers

We host in the EU, but some vendors are headquartered outside the EEA. Where transfers occur, we rely on appropriate safeguards (e.g., Standard Contractual Clauses) and implement supplementary measures.

7. Retention

Retention depends on the data category and customer configuration. We retain operational and security logs for limited periods, and customer workflow data according to customer instructions and legal obligations.

8. Your rights

Depending on your location, you may have rights of access, correction, deletion, restriction, portability, and objection. If you interact with Chromie through a customer company, please direct requests to that company as the controller; we assist as a processor.

9. Contact

Privacy requests: [privacy@yourdomain.com]