Privacy Policy

Language Clause: This Agreement is drafted in both French and English. In the event of any contradiction, ambiguity, or discrepancy, the French version shall prevail.

1. Introduction

Cervical places paramount importance on protecting the privacy of its customers, partners, and suppliers. We process personal data in accordance with Regulation (EU) 2016/679 (GDPR) and applicable Belgian law.

This policy aims to inform you clearly and transparently about how we process personal data within the framework of our B2B (Business to Business) business relationships.

2. Data Controller – Contact

The data controller is:

• Company Name: Cervical
• Company Number (BCE): BE1031380907
• Contact Email (Privacy): [email protected]

Important – Role of Data Processor

When the Provider processes data on behalf of a client (e.g., within a client-managed application or environment), it acts as a data processor and processes the data only on documented instructions from the client, in accordance with the contract and, where applicable, a Data Processing Annex (DPA) compliant with Article 28 of the GDPR.

3. Data Processed

As part of our consulting and application development services, we only process data strictly necessary for professional collaboration, including:

3.1 Identification and Contact Data (B2B Clients/Prospects)

• Last name, first name, job title/position within the company;
• Professional email address, professional telephone number;
• Company identification data (registered office, VAT number).

3.2 Financial and Administrative Data

Data necessary for invoicing and accounting (e.g., billing details, billing history, payment tracking).

3.3 Technical and Connection Data (if applicable)

• Technical logs, connection information, IP addresses (e.g., if a platform, test environment, or website is provided);
• Email exchanges and support tickets related to the project;
• Visual or audio recordings (only with prior consent).

3.4 Data relating to subcontractors (freelancers/partners)

Professional identification data, skills, rates, billing information, information necessary for contractual monitoring.

4. Purposes of processing

We process your data for the following purposes:

1. Performance of the IT mission: client relationship management, performance of consulting services (on a time and materials basis) and/or development services (fixed price), project monitoring, delivery and acceptance testing;
2. Administrative and accounting management: invoicing, debt collection, compliance with accounting and tax obligations;
3. Management of subcontractors: organization and coordination of project stakeholders (if applicable);
4. Information and communication: responding to contact requests and communications related to our services in a strictly professional B2B context;
5. Protection of our interests: prevention and management of disputes.

5. Legal Basis

In accordance with Article 6 of the GDPR, each processing operation is based on one of the following legal grounds:

• Performance of a contract (Art. 6.1.b): project management, service delivery, contractual monitoring;
• Legal obligation (Art. 6.1.c): accounting, taxation, document retention;
• Legitimate interest (Art. 6.1.f): system security, abuse prevention, defense of our rights, management of the B2B business relationship and cookie-less audience measurement/usage analysis of the website or application without advertising purposes (unidentified events not linked to any identity).

6. Data Recipients

Your data is processed confidentially. It may be shared with third parties only to the extent strictly necessary, including:

• Subcontractors/project stakeholders (e.g., freelance developers, experts) when they are involved in the project;
• IT service providers (hosting, technical tools, security, email);
• External advisors: lawyer, insurer;
• Authorities: tax or judicial authorities if required by law.

7. Transfers outside the EEA (outside the EU)

Data is primarily processed within the European Economic Area (EEA). However, some service providers may be located outside the EEA or process data from third countries, depending on the architecture and location of the infrastructure actually used. When transfers outside the EEA occur, we ensure that they are governed by appropriate safeguards as provided for by the GDPR and, where applicable, by additional measures.

8. Data Retention Period

In accordance with our register, we retain your data:

• Data related to the performance of the contract: 10 years after the end of the engagement (management and defense of rights);
• Accounting and tax documents: 7 to 10 years (legal obligations);
• Prospect data (without a contract): 3 years after the last contact.

9. Your Rights

In accordance with the GDPR, you have the following rights:

• Right of access;
• Right to rectification;
• Right to erasure (subject to legal/contractual obligations);
• Right to restriction of processing;
• Right to object (in particular to direct marketing);
• Right to data portability (under the conditions provided for by the GDPR);

To exercise your rights: [email protected]

You also have the right to lodge a complaint with the Data Protection Authority (DPA) in Belgium.

When we act as a data processor, requests relating to the rights of data subjects should, in principle, be addressed to the client (data controller); we assist them in accordance with contractual commitments and/or the Data Protection Act (DPA).

10. Security

We implement appropriate technical and organizational measures to protect data against loss, unauthorized access, alteration, or unauthorized disclosure (access control, confidentiality, system security, etc.).

11. Cookies, Trackers, and Audience Measurement

Cervical uses the PostHog tool to analyze website and/or web application usage. PostHog is configured in “cookie-less” mode: no audience measurement cookies are placed on the user’s device.

In this context, technical browsing data may be collected for strictly statistical and security purposes (e.g., URL visited, device type, operating system, browser, and associated technical information). This data is not used for advertising purposes, is not used to track advertising campaigns, and is not shared with third parties for these purposes.

Cervical does not associate these events with an identity (no voluntary identification via identify/alias), and uses this information solely to understand website/application usage and improve the service.

Data location: PostHog metrics are hosted within the European Union (PostHog Cloud EU instance).

12. Mandatory nature of data provision

Certain data (e.g., business contact information, data required for invoicing) is necessary for managing the contractual relationship and/or complying with legal obligations. Without this data, we may not be able to conclude or perform the service, or to properly process the business relationship.

13. Updates

This policy may be updated to reflect changes in our data processing, tools, or the legal framework. The applicable version is the most recent version communicated/published.