Privacy Policy

Last updated: March 2, 2026

1. Who We Are

Cust is the trading name of UAB "Autonominiai pardavimai", company code 306362685, registered in Lithuania, EU ("Cust", "we", "our").

We act as the Data Controller for account creation and billing data. For content processed within the Cust Workspaces (e.g., CRM data, emails), we act as the Data Processor, and the DPA applies.

2. Scope

This Policy describes how we collect, use, share and secure personal data when you:

• visit cust.co or any sub-domain;
• create or use a Cust workspace;
• connect Cust to your e-mail, CRM or other systems;
• communicate with us by any channel.

It does not cover third-party sites or services you access via Cust.

3. The Data We Process

Category	Examples
Identity & Contact Data	Names, job titles, email addresses, phone numbers, and internal User IDs.
Commercial Data	Subscription details, contract value (ARR/MRR), renewal dates, and billing status (excluding sensitive payment card details or bank account numbers).
Technical & Usage Data	Information on how individuals are using products and/or services.
Communication Data	Records of customer interactions, such as support ticket history, email, calendar events, call transcripts and notes entered by Customer Success Managers.

4. Purposes & Legal Bases

Purpose	Legal basis (Art. 6 GDPR)
Provide and secure the service	Contract performance
Billing & fraud prevention	Legal obligation / Legitimate interest
Product analytics (aggregated)	Legitimate interest (opt-out available)
Optional e-mail delivery on your behalf	Contract performance
Compliance with legal duties & dispute defence	Legal obligation / Legitimate interest

5. Automated Processing & Profiling

Cust's AI suggests and, if you enable "Autonomous mode", executes customer-success actions (e.g., sending follow-up e-mails). These do not create legal or similarly significant effects on individuals within the meaning of GDPR Art. 22.

6. Cookies & Similar Technologies

Essential cookies (sign-in, CSRF protection) are always active. Analytics cookies (PostHog): placed only after consent; retention 12 months.

7. How We Share Personal Data

We never sell your data. We disclose it only:

• to vetted sub-processors under enterprise agreements;
• to competent authorities when legally obliged;
• with your explicit consent.

Current sub-processors:

• Heroku / Salesforce - cloud hosting - EU / US
• OpenAI - AI inference
• Google - AI inference
• Postmark - transactional e-mails

8. International Transfers

Where data leaves the European Economic Area (EEA) - we rely on the European Commission's Standard Contractual Clauses (2021 edition) and have performed Transfer Impact Assessments.

Additional safeguards include encryption in transit and at rest, data-minimisation, and a strict prohibition on AI model training with customer data.

9. Retention

Data type	Retention period
Workspace Content (e-mails, CRM data, AI artefacts)	Deleted within 30 days after removal or account closure; backups deleted within 90 days
User Account Data	30 days after account closure
Billing & Tax Records	7 years (statutory requirement)
Usage & Analytics Logs	Aggregated/pseudonymised after 12 months
Support Records	3 years after ticket resolution

10. Security Measures

• AES-256 encryption at rest; TLS 1.2+ in transit
• SOC 2 Type 2
• ISO 27001-certified data-centre (AWS via Heroku)
• Mandatory MFA for Cust personnel; least-privilege access
• Third-party penetration testing at least annually
• Continuous logging & intrusion detection
• Incident-response policy including 72-hour breach notification

11. Your Rights

You may: (i) access your data, (ii) correct inaccuracies, (iii) request erasure, (iv) restrict or object to processing, (v) obtain a portable copy, (vi) withdraw any consent you have given.

How to Exercise Your Rights: To ensure your request is tracked and processed securely, please submit all data deletion or access requests via the Privacy Request Form below.

12. Specific Third-Party Disclosures

Google APIs: Our use and transfer of information received from Google APIs complies with the Google API Services User Data Policy, including Limited-Use requirements.

Microsoft APIs: Our use and transfer of information received from Microsoft APIs complies with Microsoft API Terms of Use.

OpenAI: We use OpenAI Enterprise endpoints; model weights are never trained or fine-tuned on your data.

Stripe: Payment card details are handled exclusively by Stripe and never stored on Cust servers.

13. AI Governance & Stakeholder Information

We utilize third-party Artificial Intelligence (AI) models (from OpenAI and Google) to provide our services. We do not train, fine-tune, or improve these models using your Customer Data.

In alignment with ISO 42001 standards, we address our stakeholders as follows:

• Customers (You): You retain full ownership of your inputs and the output generated by the AI on your behalf. We ensure that your data is not shared with third-party model providers for their own model training purposes.
• Regulators: We maintain comprehensive logs of AI decision-making processes and sub-processor agreements, which are available to competent authorities upon lawful request to demonstrate accountability.
• Society: We evaluate our use of AI to ensure it does not reinforce bias or cause harm. Since we use "frozen" pre-trained models, we rely on the safety filters and alignment work of our providers (OpenAI/Google) while implementing our own acceptable use policies to prevent misuse.

14. Changes to This Policy

We may update this Policy from time to time. Material changes will be e-mailed to workspace owners at least 15 days before they take effect.

15. Contact

Questions, concerns or requests:

E-mail: dpo@cust.co

Post: Privacy Team, UAB "Autonominiai pardavimai", Nemencines pl. 4e-10, LT-10109 Vilnius, Lithuania