Privacy Policy

1. Data controller

The controller responsible for the processing of personal data described in this policy is:

Cadenza UG
Steinenbronner Straße 12, 70597 Stuttgart, Deutschland
Telefon: +49 176-59010-491
E-Mail: dataprotection@cadenza-alm.com

For all questions regarding data protection, please contact us at dataprotection@cadenza-alm.com.

2. Scope of this policy

This policy applies to:

• The public marketing website cadenza-alm.com (the "Website")
• The Cadenza web application accessed at app.cadenza-alm.com (the "Service")
• Any communications you exchange with us by email, contact form, or scheduled call

Where the Service is deployed in your own infrastructure (Private VPC or On-Premise), the data controller for personal data processed inside the Service is your organisation, not Cadenza. We act only as a software vendor in those deployments.

3. Categories of personal data we process

3.1 Website visitors

• Server logs: IP address (truncated after 7 days), user agent, page URL, referrer, timestamp.
• Contact form submissions: name, email, company, message — only the fields you provide.
• No tracking cookies, no analytics scripts are loaded by default on this Website.

3.2 Service customers (SaaS deployment)

• Account data: name, business email, password (bcrypt hashed), role.
• ALM connection credentials: URL, username, token. Encrypted at rest with Fernet.
• Usage telemetry: feature events, error logs, AI request counts — for billing, support, and product improvement.
• Customer content (transient): requirements, test cases, and work-item metadata fetched from your ALM on demand. Cached for performance; the canonical store is always your ALM.

4. Legal basis for processing (Art. 6 GDPR)

• Performance of a contract (Art. 6(1)(b)): processing your account data and customer content to deliver the Service.
• Legitimate interests (Art. 6(1)(f)): server logs for security, usage telemetry for product reliability, contact-form processing for sales follow-up.
• Consent (Art. 6(1)(a)): any optional newsletter or marketing communication you explicitly opt in to.
• Legal obligation (Art. 6(1)(c)): retention of invoicing data per German commercial law (§ 257 HGB, § 147 AO).

5. Processors and sub-processors

We engage the following processors under Art. 28 GDPR Data Processing Agreements:

• Hetzner Online GmbH — application and database hosting in Falkenstein, Germany (EU).
• Cloudflare, Inc. — CDN, DDoS protection, and DNS. EU data-residency configured. DPA.
• Microsoft Ireland Operations Ltd. — Azure OpenAI inference for AI features. On Entry and Pro tiers, AI calls run on your Azure tenant under your own API key (BYOK) — Cadenza never sees the prompt or response.
• Web3Forms (Cynder Studio Ltd.) — contact-form delivery from cadenza-alm.com. Privacy policy.
• GitHub, Inc. — source-code hosting and container registry (no customer data).

A current list of sub-processors is available on request. We give 30 days' notice before adding a new sub-processor that handles customer data.

6. International data transfers

Cadenza primary infrastructure is in the European Union. Where a sub-processor (e.g. Cloudflare, Microsoft, GitHub) may transfer personal data to a third country, we rely on the European Commission's Standard Contractual Clauses (SCCs) and supplementary measures as appropriate.

7. Retention

• Server logs: 30 days, IP addresses truncated after 7 days.
• Contact-form messages: retained until the sales conversation concludes, then up to 12 months for follow-up.
• Account data: for the lifetime of the subscription, plus 30 days for restoration.
• Customer content (cache): 1-hour TTL for online cache, deleted on subscription end.
• Billing records: 10 years (German tax law).

8. Your rights under the GDPR

You have the right to:

• Access the personal data we hold about you (Art. 15 GDPR).
• Rectify inaccurate data (Art. 16).
• Erase your data, where applicable (Art. 17).
• Restrict processing (Art. 18).
• Receive your data in a portable format (Art. 20).
• Object to processing based on legitimate interest (Art. 21).
• Withdraw consent at any time, where processing is based on consent.
• Lodge a complaint with a supervisory authority. The competent authority for our registered office is the Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg (baden-wuerttemberg.datenschutz.de).

To exercise any of these rights, email dataprotection@cadenza-alm.com. We respond within one month.

9. Cookies and similar technologies

The marketing Website (cadenza-alm.com) loads no third-party tracking cookies and no analytics scripts. The only client-side storage we use is a session cookie inside the Service (app.cadenza-alm.com) for authentication. It is strictly necessary under § 25(2) TTDSG and does not require consent.

10. Security

• TLS 1.3 for all connections.
• Fernet encryption at rest for ALM credentials and other secrets.
• bcrypt for user passwords.
• Role-based access control inside the Service.
• Full audit logging of administrative and AI-related actions.
• Backups encrypted; restore procedures tested.

11. Children

Cadenza is a B2B product and is not directed at children under 16. We do not knowingly collect personal data from children.

12. Changes to this policy

We may update this policy as the Service evolves. Material changes are announced at least 30 days before they take effect, by email to active customers and a notice on this page. The "Last updated" date above always reflects the most recent revision.

13. Contact

For privacy-related enquiries: dataprotection@cadenza-alm.com.