Privacy Policy

Cryptlex LLP (“Cryptlex”, “we”, “our”, or “us”) provides software licensing, entitlement, and release management services through a cloud-based Software-as-a-Service platform. This Privacy Policy explains how we collect, use, disclose, and protect personal data when you visit our websites or web portals, create or use an account, interact with us, or when personal data is processed within our services on behalf of our customers.

This Privacy Policy is intended to comply with the EU General Data Protection Regulation (GDPR) and other applicable privacy laws, including UK GDPR, the Swiss Federal Act on Data Protection, Canada’s PIPEDA, Brazil’s LGPD, South Africa’s POPIA, and relevant US state privacy laws such as the CCPA/CPRA and similar legislation. Where local law grants additional rights or imposes additional obligations, we will comply to the extent applicable.

Protecting your personal data (hereafter referred to as “data”) is one of our primary concerns. In this Privacy Policy, we explain in detail what data is collected when you visit our websites or use our web portals and their features, and how we process and use that data. We also describe the technical and organisational measures we have implemented to protect your data.

Please note that this Privacy Policy may be updated from time to time to reflect new technologies and/or changes in applicable law. Where appropriate, we will draw your attention to such updates. When making any changes, we will take your interests into account. You can find the current version on our website at any time.

1. Roles

A Visitor is someone who visits our websites. A User is someone who uses our services on behalf of a Cryptlex customer. An End User is an individual whose personal data is stored or processed within Cryptlex by one of our customers.

For certain data, we act as a data controller, meaning we determine the purposes and means of processing. For other data, we act as a data processor, meaning we process data only in accordance with our customers' documented instructions.

2. Personal data we collect (controller role)

This section describes personal data that Cryptlex collects and uses for its own business purposes, such as operating our websites, managing customer accounts, and providing the services.

a. Website visitors

When you visit our websites, we may collect your

  • IP address,
  • browser type,
  • device information,
  • general location derived from your IP address,
  • pages visited,
  • referring URLs,
  • and similar usage information.

Our systems temporarily store your IP address to enable the website to be delivered to your computer. Other than as specified above, we do not store this data together with personal data.

Processing the aforementioned data is necessary for us to provide you with the website (in accordance with Article 6(1)(f) GDPR), so that we can display it to you correctly. We store log files containing your anonymised IP address for up to 60 days to prevent threats, ensure IT security, and detect possible attacks. No personal evaluation of the data takes place, particularly for marketing purposes. The legal basis under the GDPR for this is Article 6(1)(f) GDPR.

Our services and website are hosted on Amazon Web Services (AWS). The legal basis for this is our legitimate interest in efficiently and securely providing the services and website (in accordance with Article 6(1)(f) GDPR). We have concluded a data processing agreement in accordance with Article 28 GDPR with Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109-5210. Further information about AWS can be found at https://aws.amazon.com/compliance/data-protection/

If personal data is transferred to the United States, such transfers are carried out based on the adequacy decision of the European Commission for the EU-US Data Privacy Framework in accordance with Article 45 GDPR, where applicable. If no adequacy decision applies in a particular case, transfers are based on the EU Standard Contractual Clauses to ensure an adequate level of data protection.

b. Analysis of the website

We use PostHog for website and product analytics. PostHog processes usage data such as pages visited, interactions, and device information to help us understand and improve our services. The legal basis for this is your consent, which you can withdraw at any time with effect for the future (in accordance with Article 6(1)(a) GDPR).

We have concluded a data processing agreement in accordance with Article 28 GDPR with PostHog Inc, 2261 Market Street #4008, San Francisco, CA 94114. Further information about PostHog can be found at https://posthog.com/privacy

If personal data is transferred to the United States, such transfers are carried out based on the adequacy decision of the European Commission for the EU-US Data Privacy Framework in accordance with Article 45 GDPR, where applicable. If no adequacy decision applies in a particular case, transfers are based on the EU Standard Contractual Clauses to ensure an adequate level of data protection.

c. Contact

When you contact us via email, chat, or a contact form (such as a contact or demo request), we process the personal data you provide, including your name, email address, company name, and message content.

The processing of your personal data is based on our legitimate interest in providing effective customer service (pursuant to Art. 6(1)(f) GDPR) or, insofar as the contact relates to contractual or pre-contractual service obligations, on the necessity for the performance of a contract or to take steps at your request prior to entering into a contract (pursuant to Art. 6(1)(b) GDPR) or if you consent to the collection and processing (Art. 6(1)(a) GDPR).

Your contact details and communication are stored by our service providers (as described below) for the purpose of responding to your query and maintaining customer relationships. You can object to processing at any time with future effect.

We retain this data for as long as necessary to fulfil the purposes described above, including maintaining ongoing business relationships. Where legal retention obligations apply (e.g., commercial or tax regulations), the data will be retained accordingly and its processing restricted until the obligation expires, after which it will be permanently deleted.

Processors:

Chat:

Contact data submitted via the chat function or support email is processed and stored by Gleap GmbH, Am Dorfplatz 3, 6858 Schwarzach, Austria. Further information about Gleap can be found at https://www.gleap.io/legal/privacy-policy

CRM:

Contact data from all channels (chat, email, and forms) may also be stored in our customer relationship management system, provided by Zoho Corporation Pvt. Ltd., Estancia IT Park, Plot No. 140, 151, GST Road, Vallancheri, Chengalpattu District – 603 202, India. Further information about Zoho can be found at https://www.zoho.com/privacy.html

We have concluded data processing agreements in accordance with Article 28 GDPR with both processors.

Where personal data is transferred to a third country, such transfers are carried out on the basis of the EU Standard Contractual Clauses pursuant to Article 46 GDPR to ensure an adequate EU data protection level.

d. Customer users and administrators

When a user signs up for Cryptlex through our web portal, we collect information required to create and administer the account and provide access to our web portals and services. This includes names and email addresses of user accounts, company name, authentication credentials, account configuration information, and service usage information. We also maintain logs relating to security and access, which may include IP addresses and login events.

Processing the data provided during account registration is necessary for the performance of a contract with you or your organization, or for taking steps prior to entering into a contract (Article 6(1)(b) GDPR). Where you voluntarily provide additional information beyond what is required for registration, processing is based on your consent (Article 6(1)(a) and Article 7 GDPR).

e. Payment Service

Subscription payments are processed by our payment provider, and we do not store payment card numbers ourselves. We collect this information directly from you, from your organization, and automatically through your use of the services.

We use Paddle.com Market Ltd., Judd House, 18-29 Mora Street, London, EC1V 8BT, United Kingdom, for processing these payments.

This service is used to process payments on the website and service. The legal basis is the performance of a contract (Article 6(1)(b) GDPR), as this service is necessary to complete the purchase process. When using this service, data such as payment information (including payment card information), purchase information, and the IP address may be processed.

If personal data is transferred to the United Kingdom, such transfers are carried out based on the adequacy decision of the European Commission.

For more information about how Paddle collects, uses, and protects your personal information, please visit https://www.paddle.com/legal/privacy.

f. Third-Party Single Sign-On Services

Our web portals offer users the option to log in using third-party services instead of logging in directly. The prerequisite is that you are already registered with the third-party provider. Therefore, an additional registration on our website and web portals is not necessary. For this purpose, you will find the symbols of the supported third-party authentication providers on the registration or login page. You will then be redirected to the third-party provider's site, where you can enter your login credentials. This will result in some of your profile data with the third-party provider being transmitted to us. You can find out which information is transmitted to us in the third-party provider's privacy policy. We never receive the password you use with the third-party provider. We use only your name and e-mail address from this data to assign and identify you in our system. These will then be combined with the data listed under section 2.d, provided you choose to provide them. The legal basis for using third-party services is your consent (Article 6 (1) (a) GDPR); you have the right to withdraw your consent at any time.

We currently support the following third-party authentication provider(s). Further information about how your personal data is processed, including details on your rights and how to exercise them, can be found in the respective provider’s privacy policy:

Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

https://policies.google.com/privacy

3. Personal data we process on behalf of our customers (processor role)

In providing the services, we process personal data that is submitted by our customers or generated through their use of the services.

For this data, the customer is the data controller. Cryptlex acts only as a data processor and processes the data solely in accordance with the customer’s documented instructions and our Data Processing Addendum. We do not determine what data is collected, how it is used, or how long it is retained.

The types of data that may be processed on behalf of customers can include end-user identifiers, names or email addresses, license and activation details, device identifiers or hashed fingerprints, hostnames, operating system information, IP addresses, approximate location derived from IP address, and license usage event logs. The exact data processed depends on how each customer configures and uses the Cryptlex services.

This personal data is collected by our customers, not by Cryptlex. End Users should therefore consult the privacy policy of the relevant customer for information about how their personal data is used. Cryptlex does not use customer end-user data for its own independent purposes.

4. How we use personal data

We use personal data that we collect as a controller to operate and provide our services, administer customer accounts, authenticate users, respond to inquiries, provide customer support, enforce licensing terms, maintain service security, improve functionality, and comply with legal obligations. We do not use personal data for automated decision-making that produces legal or similarly significant effects.

Personal data that we process on behalf of customers is used only to provide the services to that customer and in accordance with their instructions. We do not use personal data for advertising or profiling purposes.

We process your personal data when you use our website or services. We only do so when there is a legal basis for processing your data. The legal basis is specified in the data processing sections, but generally, we can process your personal data if one of the following conditions applies:

  • The data subject has given consent for the processing of their personal data (Article 6 (1) (a) and Article 7 GDPR).
  • Processing personal data is necessary for the fulfilment of a contract, whether it is performed in return for payment or free of charge (Article 6 (1) (b) GDPR). This also applies to processing operations necessary for implementing pre-contractual measures.
  • The processing is necessary for us to fulfil a legal obligation (Article 6 (1) (c) GDPR).
  • The processing is necessary to safeguard the legitimate interests of our company or a third party, provided that the interests, fundamental rights and freedoms of the data subject do not override these interests (Article 6(1)(f) GDPR).

6. Cookies and similar technologies

We use cookies and similar technologies when operating our website and web portals.

Cookies are small text files that are stored in the memory of your browser or mobile device. They are assigned to the browser that you are using, and certain information flows to the website that sets the cookie. You can delete cookies in your browser's security settings at any time. Please note that disabling cookies may limit certain functionality of our website and web portals.

These cookies may contain data that enables us to identify your device/browser. However, it should be noted that cookies can also contain information about specific settings that are not personally identifiable. It is important to note that cookies cannot directly identify a user.

Please note that there is a difference between session cookies, which are deleted as soon as the browser is closed, and permanent cookies, which are stored beyond the individual session.

Regarding their function, the cookies we use are divided into the following categories:

a. Strictly Necessary cookies:

These cookies are essential for navigating our website and web portals, using basic functions, and ensuring the security of our website. They do not collect information about you for marketing purposes or store which websites you have visited.

b. Analytics cookies:

These tools collect information about how you use our website, which pages you visit, and whether errors occur when using our website. They do not collect any information that could identify you. All information collected is anonymous and is only used to improve our website and find out what interests our users.

We use the consent management platform Enzuzo to manage cookie preferences. The legal basis for this is Article 6 (1) (c) GDPR. Where required by applicable law, non-essential cookies are activated only after you provide consent through the cookie banner. In other jurisdictions, you may have the ability to opt out of certain cookies through the banner or your browser settings. You may change or withdraw your preferences at any time.

The legal basis for cookies that are absolutely necessary to provide you with the expressly requested service is Art. 5(3) of the ePrivacy Directive in conjunction with the respective implemented national standard (e.g., for Germany, Section 25(2) no. 2 Telecommunications Digital Services Data Protection Act - TDDDG).

The use of cookies that are not technically necessary is only permitted with your express and active consent in accordance with Article 5(3) of the ePrivacy Directive, in conjunction with the respective implemented national standard (e.g., for Germany, Section 25(1) TDDDG), in conjunction with Article 6 (1) (a) GDPR. We will only disclose your personal data processed by cookies to third parties if you have explicitly consented to it.

For additional information about which cookies we use and how you can manage them, please see our Cookie Policy.

9. Sharing of personal data

We do not sell personal data. We may share personal data with carefully selected external service providers who assist us in operating our services, such as cloud hosting providers, analytics providers, email and customer support tools, public authorities (where there is a justified request), external accountants, auditors, legal counsel, and payment service providers. These providers act under contractual confidentiality and data protection obligations. These service providers have been carefully selected and authorised and are regularly monitored. The authorisations are based on data processing agreements. The processors do not perform any independent processing for their own purposes.

We may also disclose personal data where required by law, in response to lawful requests from public authorities, to protect our rights or the safety of others, or in connection with a merger, acquisition, or other business transaction.

A current list of subprocessors is available at: https://trust.cryptlex.com/subprocessors

10. International data transfers

Because Cryptlex operates globally, personal data may be transferred to countries outside of your jurisdiction.

Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to third countries, this is done in accordance with the following legal requirements:

  • Subject to express consent or transfer required by contract or law (Article 49 GDPR), we only process data in third countries with a recognized level of data protection (Article 45 GDPR),
  • in the presence of and compliance with contractual obligations through so-called EU standard contractual clauses of the EU Commission (Article 46 GDPR) or in the presence of certifications or legally binding internal data protection regulations (Article 44 to 49 GDPR).

11. Data retention

We retain personal data for as long as necessary to fulfil the purposes described in this policy, such as providing our services, complying with legal obligations, resolving disputes, and enforcing agreements. For example, a statutory retention obligation exists due to documentation obligations under tax and corporate law. Retention periods are determined by the specific purpose, legal requirements, and regular reviews. Server log files are retained for up to 60 days and are automatically deleted thereafter. Personal data is securely deleted or anonymized (Art. 5(1)(e), 17, 18 GDPR) once the retention period expires or the purpose no longer applies, unless further processing is necessary for archiving in the public interest, scientific research, or overriding legal grounds.

The data processed by us will be deleted or restricted in their processing in compliance with the statutory provisions, in particular in accordance with the GDPR (Articles 17 and 18 GDPR).

Customer end-user data processed on behalf of our customers is retained according to the customer’s instructions, including secure deletion (including from backups) within 60 days of instruction expiry, contract termination, or request.

12. Security

We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, or unauthorized access. These measures include encryption in transit and at rest, access controls, logging and monitoring, secure development practices, and incident response procedures. Our information security management program is aligned with ISO/IEC 27001.

13. Individual rights

Depending on your location, you may have rights under applicable data protection laws, including the right to access, correct, or delete personal data, to object to or restrict certain processing, to request data portability, to withdraw consent where processing is based on consent, and to lodge a complaint with a supervisory authority. US state privacy laws may also provide the right to opt out of certain processing and to appeal decisions regarding privacy requests.

1. Your Rights under the GDPR

You have the following rights free of charge against any person responsible for the processing of your personal data:

  • Right to withdraw your consent (Article 7 (3) GDPR);
  • Right of access by the data subject (Article 15 GDPR);
  • Right to rectification and erasure (Article 16 and Article 17 GDPR);
  • Right to restriction of processing of your personal data (Article 18 GDPR);
  • Right to data portability (Article 20 GDPR);
  • Right to object to the processing of your personal data at any time for reasons relating to your special situation (Article 21 GDPR).

You can assert claims under the GDPR against the individual controllers. Should you wish to contact us by e-mail, please use an address used to access our system so that we can identify you.

You also have the right to lodge a complaint with a supervisory authority (Article 77 GDPR).

Requests to exercise these rights may be submitted to privacy@cryptlex.com. We may take reasonable steps to verify your identity before responding. Where we process data on behalf of a customer, we may direct you to contact that customer, who is the controller for that data.

14. Children’s privacy

Our services are not directed to children under 16 (or a lower age where permitted by applicable law), and we do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us so that we can delete it where required by law.

15. Data Processing Addendum

When Cryptlex processes personal data on behalf of customers, that processing is governed by a Data Processing Addendum that complies with Article 28 of the GDPR and other applicable laws.

16. Automated decision making

Automated decision-making that has legal or similarly significant effects on you does not take place.

17. Changes to this policy

We may update this Privacy Policy from time to time. The “Last updated” date at the end of the policy indicates the most recent revision. Material changes will be communicated through our website or services.

18. Contact us

If you have questions about this Privacy Policy or our privacy practices, you may contact us at: privacy@cryptlex.com

For company information, GDPR representative details, and DSA contact information, please see our Legal Notice.

Last updated: