Last updated: 22/07/2025
Purpose of this Privacy Policy
This Privacy Policy is intended to provide clear and transparent information about how [Platform Name] (hereinafter the « Platform ») processes personal data in the course of its activities, acting as:
- a data processor, processing personal data on behalf of its clients (who act as data controllers); and
- a data controller, for specific processing operations related to user management, system security, and legal obligations.
All personal data processing is carried out in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation – GDPR) and the Belgian Act of 30 July 2018 on the protection of individuals with regard to the processing of personal data.
Definitions
The terms used in this Privacy Policy shall have the meaning assigned to them in the General Data Protection Regulation (GDPR), including but not limited to:
- Personal data: any information relating to an identified or identifiable natural person;
- Processing: any operation or set of operations performed on personal data, whether or not by automated means (such as collection, recording, storage, modification, consultation, use, transmission, deletion, etc.);
- Data controller: the natural or legal person who determines the purposes and means of the processing of personal data;
- Data processor: the natural or legal person who processes personal data on behalf of the controller;
- Recipient: the natural or legal person to whom personal data is disclosed;
- Third party: a person other than the data subject, controller, processor, or persons authorized to process data under the direct authority of the controller or processor;
- Consent: any freely given, specific, informed, and unambiguous indication of the data subject’s agreement to the processing of their personal data.
Contact Details of the Data Controller and Data Protection Officer
For processing activities for which the Platform acts as a data controller, the contact details are as follows:
PLX Group, société en commandite with its registered office at Rue Albert Ier 113, 5640 Mettet, Belgium, registered with the Belgian Crossroads Bank for Enterprises undernumber 0734.793.905, duly represented by Sébastien Pesleux
Email: support@cboxx.app
If you have any questions regarding this Privacy Policy or the processing of your personal data, you may contact the Platform at the email address above.
Categories of Personal Data Processed
a) When acting as a data controller, the Platform processes the following categories of personal data:
- Identification data: such as first name, last name, professional email address, user ID, password;
- Technical data: including IP address, connection logs, user activity logs, cookies;
- Contractual data: such as subscription details, billing information, support history, and correspondence;
- Security-related data: such as access records, security alerts, and anti-fraud measures.
These categories of data are processed solely for the purposes outlined in this Privacy Policy and are subject to appropriate security and confidentiality safeguards.
b) When acting as a data processor, the Platform processes:
- Any personal data determined by the Client (the data controller), including data entered through various modules of the Platform (e.g., customer records, tasks, photos, reports, etc.);
- GPS data and other location-related elements, when explicitly activated by the Client or its Users.
Such data is processed strictly in accordance with the Client’s documented instructions, as set forth in the applicable SaaS contract and related agreements.
The Platform does not determine the purposes or means of such processing and does not reuse such data for its own purposes.
Legal Basis and Purposes of Processing
a) When acting as a data controller, the Platform processes personal data on the following legal grounds and for the following purposes:
| Purpose of Processing | Legal Basis |
| Management of user accounts | Performance of the contract |
| Securing access and infrastructure | Legitimate interest |
| Customer support and handling of service requests | Performance of the contract |
| Billing and accounting | Legal obligation |
| Service improvement (e.g., analysis of logs, performance) | Legitimate interest |
The Platform’s legitimate interests include ensuring the integrity, security, and efficiency of the services, as well as maintaining high service quality and responding effectively to client needs.
b) When acting as a data processor, the Platform processes personal data:
- On behalf of the Client, who acts as the data controller;
- On the basis of the Client’s documented instructions;
- For the purposes determined by the Client, as defined in the applicable service agreement.
In such cases, the Platform does not independently determine the purpose or legal basis of the processing and does not reuse the data for its own purposes.
Sharing of Personal Data
The Platform may share certain categories of personal data with third parties, strictly limited to what is necessary for the performance of its services and in compliance with applicable data protection laws.
a) When acting as data controller, the Platform may share data with:
- Technical service providers involved in hosting, maintenance, security, or customer support, subject to strict confidentiality and data protection obligations under GDPR-compliant agreements;
- Public authorities or judicial bodies, but only when required by law, regulation, or court order.
b) When acting as data processor, the Platform:
- Does not disclose or share any personal data it processes on behalf of its Clients to third parties,
except:- upon the Client’s written instructions, or
- when legally required to do so by a competent authority (in which case, the Client will be informed unless prohibited by law).
The Platform ensures that all third-party recipients provide sufficient guarantees regarding the implementation of appropriate technical and organizational measures to protect personal data.
Transfers Outside the European Economic Area (EEA)
By default, all personal data processed by the Platform is hosted and stored within the European Economic Area (EEA).
In the event that a transfer of personal data outside the EEA becomes necessary (e.g., for technical reasons, subcontractor involvement, or cross-border operations), the Platform undertakes to implement one of the following safeguards, as required by the GDPR:
- A European Commission adequacy decision covering the destination country;
- The use of Standard Contractual Clauses (SCCs) adopted by the European Commission;
- The implementation of supplementary technical and organizational measures, where necessary;
- Or any other mechanism approved under the applicable data protection legislation.
The Platform ensures that such transfers, when they occur, are documented and justified in accordance with Article 46 and following of the GDPR.
Your Rights and How to Exercise Them
If your personal data is processed by the Platform as data controller, you benefit from the rights granted by the GDPR, subject to the conditions and limitations provided for by law:
Your rights include:
- Right of access: to obtain confirmation as to whether or not your personal data is being processed and access to that data;
- Right to rectification: to correct inaccurate or incomplete personal data;
- Right to erasure (“right to be forgotten”): to request deletion of your personal data when legally permissible;
- Right to restriction of processing: to temporarily suspend processing under certain conditions;
- Right to object: to processing based on the Platform’s legitimate interest, unless the Platform demonstrates compelling legitimate grounds;
- Right to data portability: to receive your personal data in a structured, commonly used, and machine-readable format;
- Right to withdraw your consent: at any time, where processing is based on your consent.
How to exercise your rights:
You may exercise your rights by sending a written request to: support@cboxx.app
To protect your data and prevent unauthorized disclosure, the Platform may ask you to provide a valid proof of identitybefore processing your request.
Right to lodge a complaint:
If you believe your rights have been violated, you also have the right to lodge a complaint with the Belgian Data Protection Authority (APD):
Data Protection Authority
Rue de la Presse 35, 1000 Brussels
+32 (0)2 274 48 00
contact@apd-gba.be
www.autoriteprotectiondonnees.be
Cookies
The Platform uses cookies and similar technologies to ensure the proper functioning, security, and performance of its services.
Types of cookies used:
- Technical cookies: strictly necessary for the operation of the Platform (e.g., session management, authentication);
- Analytical cookies: used to collect anonymous statistical data on usage, in order to improve service quality and user experience.
These cookies do not store any directly identifying personal data and cannot be used to track your browsing across other websites.
For more detailed information, including how to manage or disable cookies, please refer to our dedicated cookie policy.
Security Measures
The Platform implements a range of technical and organizational security measures designed to ensure an appropriate level of protection for personal data, in accordance with Article 32 of the GDPR.
These measures include, but are not limited to:
- Access control mechanisms (e.g., strong user authentication, role-based access restrictions);
- Activity logging and traceability (e.g., login history, access logs);
- Daily backups and data recovery procedures;
- Regular security testing, including vulnerability scans and penetration tests;
- Environment segregation to isolate production data from test or development systems;
- Anti-fraud and intrusion detection mechanisms.
The Platform continuously monitors the effectiveness of these measures and updates them where necessary to respond to evolving threats and maintain compliance with industry standards.
Data Retention Periods
The Platform retains personal data only for the time strictly necessary to fulfill the purposes for which it was collected, and in accordance with applicable legal and contractual obligations.
a) When acting as data controller, the Platform applies the following retention periods:
| Purpose of Processing | Retention Period |
| User account management | 3 years after account closure or inactivity |
| Technical logs (for security purposes) | 6 to 12 months, depending on criticality |
| Contractual and billing data | 10 years (in accordance with accounting law) |
b) When acting as data processor, data retention is governed by:
- The instructions of the Client (data controller), as defined in the service agreement;
- At the end of the contract, data is either returned or securely deleted, in accordance with the provisions of the data processing agreement and the Client’s instructions.
The Platform commits to ensuring secure deletion of data at the end of the retention period, unless a longer retention is required by law or justified by the Client.