How we handle your data.
Effective date: March 1, 2026. This privacy policy describes how cramio (“we”, “us”, “our”) collects, uses, and protects information when you use our platform and services.
1. Information we collect
Account information
When you create an account, we collect your name, email address, organization name, and password (stored as a bcrypt hash). If you sign up through an OAuth provider, we receive your name, email, and provider identifier.
Product and compliance data
We process SBOM metadata (component names, versions, package URLs, and CPE identifiers), vulnerability scan results, incident records, compliance reports, and evidence vault entries that you submit through the platform. Raw SBOM payloads are encrypted at rest with AES-256.
Usage data
We collect standard web analytics: IP addresses, browser type, pages visited, and feature usage patterns. This data is used to improve the platform and is not shared with third parties for advertising.
What we do not collect
We never collect or transmit your source code, build artifacts, proprietary algorithms, or trade secrets. Our architecture ensures that only SBOM metadata and vulnerability findings leave your infrastructure.
2. How we use your information
3. Data sharing and subprocessors
We do not sell, rent, or trade your personal data or compliance information. We share data only in the following circumstances:
Regulatory submissions
When you initiate a CRA report submission, the report payload is transmitted to ENISA's Single Reporting Platform as required by EU Regulation 2024/2847.
Infrastructure providers
We use EU-based hosting providers for compute, database, and storage services. All subprocessors are contractually bound to GDPR-compliant data processing agreements.
Email delivery
Transactional emails (alerts, notifications, supplier notifications) are sent through our email service provider. Only the minimum necessary recipient information is shared.
Error monitoring
Application errors are reported to our monitoring service for reliability improvement. Error reports may include request metadata but never SBOM content or vulnerability details.
4. Data retention
Account data is retained for the duration of your active subscription and deleted within 90 days of account termination, unless retention is required by law.
Evidence Vault entries are retained for a minimum of 10 years to meet CRA regulatory requirements for product lifecycle documentation. This retention period cannot be shortened at the account level.
Audit logs are retained for 7 years in accordance with EU regulatory expectations for compliance documentation.
5. Your rights under GDPR
If you are located in the EU/EEA, you have the following rights regarding your personal data:
Access
Request a copy of the personal data we hold about you.
Rectification
Request correction of inaccurate or incomplete data.
Erasure
Request deletion of your personal data, subject to legal retention obligations.
Portability
Receive your data in a structured, machine-readable format.
Restriction
Request limited processing of your data in certain circumstances.
Objection
Object to processing based on legitimate interests.
To exercise any of these rights, contact us at privacy@cramio.eu. We will respond within 30 days.
6. Security measures
We implement technical and organizational measures to protect your data, including TLS 1.3 encryption in transit, AES-256 encryption at rest, tenant isolation, role-based access control, and continuous vulnerability monitoring of our own infrastructure. For full details, see our Security page.
8. Contact & DPO
For privacy-related inquiries, data subject requests, or to request our Data Processing Addendum (DPA), contact:
cramio Privacy Team
Email: privacy@cramio.eu
Berlin, Germany
You also have the right to lodge a complaint with your local data protection supervisory authority.