1. Controller

Cloudtree Solutions, S.L. (“Cloudtree” or “we”).
VAT: B-XXXXXXXX (pending)
Registered office: (pending)
Contact: privacy@sivocenter.com
DPO: dpo@sivocenter.com

2. Data we process

2.1 Website visitors (`sivocenter.com`)

IP, browser, OS, language, device.
Pages visited, time on page, interaction events.
Contact / demo / trial form data (name, email, company, phone, message).

2.2 SaaS customers

Contact and billing data of the contracting entity.
Data of authorized users (agents, supervisors, admins): name, email, role, SIP extension.
Call metadata (CDR): origin/destination number, duration, agent, queue, hangup cause.
Recordings and transcriptions (when the customer’s recording policy is active — see SLA and terms).

2.3 Callers (third parties)

When a third party calls a PSTN number managed by SIVO, we may incidentally process: origin number, audio (if the customer’s policy records it) and transcript. The controller of this data is the customer operating the number, not Cloudtree, which acts as processor under the signed DPA.

3. Purposes and legal bases

Purpose	Legal basis
Service provision	Contract (art. 6.1.b GDPR)
Billing and accounting	Legal obligation (art. 6.1.c)
Marketing about SIVO	Consent (art. 6.1.a) or legitimate interest (active customers)
Product improvement and aggregate metrics	Legitimate interest (art. 6.1.f)
Compliance with legal requirements	Legal obligation (art. 6.1.c)
Platform security	Legitimate interest (art. 6.1.f)

4. Retention

Website data: 26 months (analytics cookies), 30 days (server logs).
Customer data: contract term + 6 years (tax obligations).
CDR and recordings: per customer-configured retention policy (30 days to 7 years).
Transcriptions: per specific policy, retention sealed at record creation.
Marketing communications: until you withdraw consent.

5. Recipients and international transfers

We share data only with the following processors:

Subprocessor	Function	Location	Safeguards
Hetzner Online GmbH	Infrastructure hosting	EU (Germany / Finland)	DPA + Adequacy
Cloudflare, Inc.	CDN, DNS, WAF, Pages	Global (EU-filtered for EU traffic)	DPA + SCC
Google Ireland Ltd.	GA4, GTM, Workspace	EU / USA	DPA + SCC + USA Adequacy
Resend / Postmark	Transactional email	EU / USA	DPA + SCC
Stripe Payments Europe	Payment processor	EU / USA	DPA + SCC
AI providers (Deepgram, ElevenLabs, OpenAI, Groq, etc.)	Only if the customer activates them with their own API keys	USA (mostly)	Customer is responsible for DPA with these providers
Salesforce Inc.	Only if the customer activates SCV integration	USA	DPA + SCC. Customer co-controls.

Transfers outside the EEA: covered by Standard Contractual Clauses (SCC) and, where applicable, adequacy decisions.

You can exercise at any time the rights to:

Access, rectification, erasure (“right to be forgotten”).
Restriction of processing.
Data portability.
Objection to processing.
Withdrawal of consent.
Not to be subject to automated decisions.

To exercise, write to privacy@sivocenter.com attaching a copy of your ID or equivalent. We will respond within 30 days max.

You have the right to file a complaint with the competent supervisory authority: AEPD (Spain) (https://www.aepd.es).

7. Cookies

Detailed info in our Cookie policy.

8. Security

We apply technical and organizational measures aligned with GDPR and ENS Medium:

At-rest encryption (AES-256-GCM in DB, SSE in buckets).
In-transit encryption (TLS 1.3, SRTP, DTLS-SRTP for WebRTC).
Granular RBAC and mandatory MFA on admin access.
Immutable audit log of sensitive actions.
Encrypted backups with retention and periodic restore tests.
ISO 27001 on roadmap for 2027 Q1.

9. Changes

If we materially change this policy, we will notify registered users by email at least 30 days in advance. The last-update date appears at the top of this document.

10. Contact

Email: privacy@sivocenter.com
DPO: dpo@sivocenter.com
Postal: Cloudtree Solutions, S.L. (postal address pending)

Privacy policy