Privacy Policy
Last updated: 2026-03-07
1. Data Controller
Cresly SRL ("we", "us", "Subvio") is the data controller responsible for your personal data.
- Company: Cresly SRL
- Country: Belgium
- Email: privacy@subvio.eu
- Website: subvio.eu
2. What Data We Collect
We collect the following personal data:
- Account data: email address, password (hashed)
- Company profile: company name, type, country, region, sectors, VAT number, address, website, and other business details you provide
- Usage data: grant shortlists, application drafts, AI conversation history
- Technical data: IP address, browser type (via server logs, not tracked)
3. Why We Process Your Data (Legal Basis)
| Purpose | Legal Basis (GDPR) |
|---|---|
| Account creation & authentication | Contract performance (Art. 6(1)(b)) |
| Grant matching & AI analysis | Contract performance (Art. 6(1)(b)) |
| Application drafting & collaboration | Contract performance (Art. 6(1)(b)) |
| Email notifications (service-related) | Legitimate interest (Art. 6(1)(f)) |
| Security & abuse prevention | Legitimate interest (Art. 6(1)(f)) |
4. Data Processors & International Transfers
We use the following third-party services to operate Subvio:
| Service | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, storage | EU (Frankfurt) |
| Vercel | Hosting, serverless functions | EU |
| Anthropic (Claude AI) | AI analysis & text generation | US* |
| Resend | Transactional emails | US* |
* For US-based processors, data transfers are protected by Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework where applicable. AI prompts contain only business data (company profile, grant details) — never sensitive personal data.
5. Data Retention
- Account data: retained while your account is active, deleted within 30 days of account deletion
- AI conversation history: retained while your account is active
- Application drafts: retained while your account is active
- Server logs: automatically deleted after 30 days
6. Your Rights
Under GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Port your data to another service
- Restrict processing
- Object to processing based on legitimate interest
- Withdraw consent at any time (where consent is the legal basis)
To exercise any of these rights, email us at privacy@subvio.eu. We will respond within 30 days.
7. Cookies
We only use strictly necessary cookies for authentication. No tracking, analytics, or advertising cookies are used. See our Cookie Policy for details.
8. Children
Subvio is a business tool and is not intended for individuals under 16 years of age. We do not knowingly collect data from children.
9. Supervisory Authority
If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Belgian Data Protection Authority (APD/GBA):
- Autorité de protection des données / Gegevensbeschermingsautoriteit
- Rue de la Presse 35 / Drukpersstraat 35, 1000 Brussels
- contact@apd-gba.be
10. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email or an in-app notice. The "last updated" date at the top of this page indicates when it was last revised.