Privacy Policy

How we collect, use, and protect your personal data in compliance with the GDPR.

Last updated: April 2026

1. Data controller

CubixOne is operated by CubixOne, a company registered in Portugal.

2. Data we collect

Account data

When you register, we collect:

  • Full name, email address, phone number
  • Company name, VAT number (NIF), address
  • Password (stored hashed with bcrypt, never in plain text)

Usage data

We automatically collect:

  • IP address, browser type, operating system
  • Pages visited, actions performed, timestamps
  • Device identifiers and screen resolution

Business data

Data you enter while using CubixOne:

  • Contacts, installations, inspection records
  • Invoices, proposals, contracts
  • Documents and attachments you upload

Business data is owned by you. We process it solely to provide the service.

Payment data

Credit card numbers are never stored on our servers. Payments are processed by Stripe, Inc., a PCI DSS Level 1 certified payment processor. We only store a tokenized reference and the last 4 digits of your card.

4. How we use your data

  • To create and manage your account and tenant
  • To provide, maintain, and improve CubixOne's features
  • To process payments and manage subscriptions
  • To send transactional emails (account confirmations, password resets, invoices)
  • To send marketing communications (only with your explicit consent)
  • To detect, prevent, and address security incidents
  • To comply with legal obligations (tax reporting, regulatory audits)
  • To generate aggregated, anonymized analytics to improve the product

5. Data retention

| Data type | Retention period |
| --- | --- |
| Account data | Duration of contract + 30 days |
| Business data | Duration of contract + 30 days |
| Invoices and billing records | 10 years (Portuguese tax law) |
| Audit logs | 1 year minimum |
| Usage analytics | 60 days |
| Error logs | 90 days |
| Marketing consent records | Duration of consent + 3 years |

After contract termination, your data is permanently deleted within 30 days. You may request immediate deletion at any time.

6. Data sharing and transfers

We do not sell your personal data. We share data only with:

| Provider | Purpose | Location |
| --- | --- | --- |
| Stripe, Inc. | Payment processing | EU/US (SCCs) |
| Hetzner Online GmbH | Cloud hosting | Germany (EU) |
| Mailgun / Postmark | Transactional email | EU/US (SCCs) |

All international transfers are governed by Standard Contractual Clauses (SCCs) or adequacy decisions as required by GDPR Chapter V.

We may disclose data if required by law, court order, or to protect the safety of our users.

7. Security measures

  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • Passwords hashed with bcrypt (cost factor ≥ 12)
  • Two-factor authentication (2FA) available for all accounts
  • Multi-tenant isolation — your data is never accessible to other companies
  • Role-based access control with deny-by-default policy
  • Immutable audit log of all data access and modifications
  • Rate limiting and brute-force protection on all endpoints
  • Regular security assessments and dependency audits
  • PostgreSQL Row-Level Security for database-level isolation

8. Your rights under GDPR

Under the General Data Protection Regulation, you have the following rights:

  • Right of Access — Request a copy of all personal data we hold about you.
  • Right to Rectification — Request correction of inaccurate or incomplete data.
  • Right to Erasure — Request deletion of your personal data ('right to be forgotten').
  • Right to Restrict Processing — Request that we limit how we use your data.
  • Right to Data Portability — Receive your data in a structured, machine-readable format (JSON/CSV).
  • Right to Object — Object to processing based on legitimate interest or direct marketing.
  • Right to Withdraw Consent — Withdraw consent at any time without affecting prior processing.

To exercise any of these rights, contact us at info@cubixone.pt. We will respond within 30 days.

You also have the right to lodge a complaint with the Portuguese Data Protection Authority (CNPD): www.cnpd.pt

9. Cookies

CubixOne uses only essential cookies required for the application to function:

| Cookie | Purpose | Duration |
| --- | --- | --- |
| sessionid | Session management | Session / 24h |
| csrftoken | CSRF protection | 1 year |
| django_language | Language preference | 1 year |

We do not use advertising, tracking, or third-party analytics cookies. No cookie consent banner is required because we only use strictly necessary cookies (ePrivacy Directive Art. 5(3) exemption).

10. Children's privacy

CubixOne is a business-to-business service. We do not knowingly collect data from individuals under 16 years of age. If we become aware that we have collected data from a minor, we will delete it immediately.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will:

  • Update the 'Last updated' date at the top of this page
  • Notify active users by email for material changes
  • Provide a 30-day notice period before changes take effect

Continued use of CubixOne after the notice period constitutes acceptance of the updated policy.

12. Contact and DPO

For any questions about this Privacy Policy or to exercise your data protection rights:

If you are not satisfied with our response, you may lodge a complaint with the CNPD (Comissão Nacional de Proteção de Dados) at www.cnpd.pt.
