← Back to Citadel

Privacy Policy

Last updated: April 2026

1. Introduction

Eveleone LTD ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and protect your information when you use Citadel ("the Service").

Citadel is designed differently: Your business documents and data are stored on your dedicated server. We do not have access to your files, documents, or content except as described in this policy.

2. Data Controller

Data Controller: Eveleone LTD

• Registered in: Cyprus (European Union)
• Registration Number: [To be added]
• Registered Address: Address available on request (contact legal@citadel.eu)
• Contact: privacy@citadel.eu

3. What Data We Collect

We collect the following types of information:

3.1. Account Information

• Email address
• Full name
• Company name
• Billing address
• Phone number (optional)

3.2. Billing Information

• Payment card details (processed securely by Stripe — we never see your full card number)
• Invoices and payment history
• Tax ID or VAT number (if provided)

3.3. Usage Data

• Login timestamps and IP addresses
• Service feature usage (for support and improvement)
• Error logs and crash reports
• Storage consumption metrics

3.4. Communication Data

• Support email content
• Email marketing preferences (you can opt out anytime)

3.5. What We DO NOT Collect

Important: We do NOT access, collect, or process:

• Your document content (files stored on your server)
• Your business data (contacts, financial records, etc.)
• Your team's private communications
• Any content created within Citadel modules (stored on your server)

All content data remains on your dedicated server under your control.

4. How We Use Your Data

We use the collected data for the following purposes:

4.1. Service Provision

• Creating and managing your account
• Processing payments and subscriptions
• Providing technical support
• Sending service notifications and updates

4.2. Security and Fraud Prevention

• Verifying your identity
• Detecting and preventing fraudulent activity
• Securing the Service against attacks

4.3. Legal Compliance

• Complying with legal obligations
• Responding to lawful requests from authorities
• Enforcing our Terms of Service

4.4. Improvement

• Analyzing usage patterns to improve Service performance
• Identifying and fixing bugs
• Planning new features (based on anonymized usage data)

5. Legal Basis for Processing

Under GDPR, we rely on the following legal bases:

• Contract Performance: Processing necessary to provide the Service under our subscription agreement
• Legitimate Interest: Security monitoring, fraud prevention, and service improvement
• Legal Obligation: Compliance with tax, accounting, and other legal requirements
• Consent: Marketing communications (can be withdrawn anytime)

6. Data Storage and Location

Your data is stored and processed as follows:

6.1. Account and Billing Data

• Stored on secure servers in Germany (Hetzner Falkenstein/Nuremberg) (Hetzner)
• Within the European Union
• Encrypted at rest (AES-256) and in transit (TLS 1.3)

6.2. Your Content Data

• Stored on your dedicated server in Germany (Hetzner Falkenstein/Nuremberg)
• Accessible only by you and your authorized users
• We do NOT have access unless explicitly requested for support

7. Data Retention

We retain your data as follows:

• Account Data: Duration of contract + 30 days (for final billing and support)
• Billing Records: 7 years (legal requirement in Cyprus/EU)
• Support Emails: 2 years from last interaction
• Usage Logs: 90 days
• Your Content: Determined by your retention policy on your server

Upon account termination, account data is deleted within 30 days, except billing records which are retained for legal compliance.

8. Your Rights

Under GDPR, you have the following rights:

8.1. Right of Access

You can request a copy of all data we hold about you. Contact privacy@citadel.eu.

8.2. Right to Rectification

You can correct inaccurate or incomplete data. Login to your account or contact us.

8.3. Right to Erasure ("Right to be Forgotten")

You can request deletion of your account data, subject to legal retention requirements (e.g., tax records). Your content data can be deleted at any time from your server.

8.4. Right to Portability

You can export your account data in a structured, machine-readable format.

8.5. Right to Object

You can object to processing based on legitimate interest (e.g., marketing emails).

8.6. Right to Restrict Processing

In certain circumstances, you can request we limit how we use your data.

8.7. Right to Lodge a Complaint

You have the right to complain to a data protection authority:

• Office of the Commissioner for Personal Data Protection (Cyprus)
• Website: www.dataprotection.gov.cy

9. Cookies and Tracking

Citadel uses minimal cookies:

• Session Cookies: Essential for login and Service functionality
• Preference Cookies: Remember your language and display settings

We do NOT use:

• Advertising trackers
• Third-party analytics (Google Analytics, etc.)
• Cross-site tracking pixels

10. Third-Party Services

We use the following trusted third parties:

10.1. Hetzner Online GmbH (Germany)

• Purpose: Server infrastructure hosting
• Data: Account metadata only (no content access)
• Location: Germany (EU)
• Privacy: hetzner.com/de/rechtliches/datenschutz

10.2. Stripe Inc. (USA)

• Purpose: Payment processing
• Data: Payment card details (we never see full card numbers)
• Location: USA — EU data protected via Standard Contractual Clauses (SCCs)
• Privacy: stripe.com/privacy

10.3. Let's Encrypt (USA)

• Purpose: SSL/TLS certificate authority
• Data: Domain names only (no personal data)
• Privacy: letsencrypt.org/privacy

Important: No third party has access to your content data on your server.

11. Data Transfers Outside EU

We minimize data transfers outside the EU:

• Account and billing data: Stored in the EU (Germany)
• Payment data: Processed by Stripe (USA) under SCCs — your card data never leaves Stripe's secure environment
• Your content: Never leaves your server (in the EU)

12. Security Measures

We implement appropriate security measures including:

• AES-256 encryption for data at rest
• TLS 1.3 encryption for data in transit
• Regular security audits and updates
• Access logging and monitoring
• Two-factor authentication (2FA) available

However, no method of transmission over the Internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

13. Children's Privacy

Citadel is intended for business use and is not directed to children under 16. We do not knowingly collect data from children under 16. If we become aware of such collection, we will delete it immediately.

14. International Users

If you are located outside the European Union, your information may be transferred to and processed in the EU in accordance with this Privacy Policy.

We comply with the EU-US Data Privacy Framework for applicable data transfers.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be:

• Posted on this page
• Emailed to all account holders
• Effective 30 days after notification

Your continued use of the Service after changes constitutes acceptance.

16. Contact

For privacy-related questions, requests, or complaints:

• Email: privacy@citadel.eu
• Data Protection Officer: dpo@citadel.eu
• Company: Eveleone LTD
• Address: Address available on request (contact legal@citadel.eu)

We will respond to all inquiries within 30 days.

17. Data Processing Agreement

For business customers requiring a Data Processing Agreement (DPA), please refer to our DPA or contact privacy@citadel.eu.