Privacy Policy
Last updated: 12 May 2026
1. Who we are
Cueva Control is registered in the Netherlands (Chamber of Commerce: 99917920, VAT: NL869186632B01), with its registered office at Leeuwenhoekstraat 98, 2652 XL Berkel en Rodenrijs, the Netherlands.
We are the data controller for the personal data described in this policy. If you have any questions, contact us at legal@cuevacontrol.com.
2. Products covered by this policy
This policy applies to all Cueva Control products and services, including: cuevacontrol.com (this corporate website), store.cuevacontrol.com (our online store), my.cuevacontrol.com (the customer portal), cuevahorizon.com (the Horizon cloud dashboard), and the Cueva Control Desktop App distributed as a downloadable installer (.dmg, .exe, .AppImage).
The Cueva Control Desktop App is designed to run entirely on your computer and your local network. When used in this local-only mode, it does not collect, transmit, or process any personal data on our infrastructure. See our End User License Agreement at cuevacontrol.com/legal/eula for details.
3. Data we collect
Account data: when you create a Cueva Control account we collect your name, email address, and password hash. For business accounts we also collect company name and VAT number.
Order and billing data: when you purchase through our store we collect your billing address, shipping address, and payment method details. Card details are processed by our payment provider and are never stored on our servers.
Device data: when you register a Cueva Control device or connect one to Horizon we collect the device serial number, firmware version, configuration, and optional location name.
Operational data (Horizon only): when devices are connected via the cloud gateway, we relay operational commands and telemetry between your client and your devices. We do not store the content of these messages beyond what is necessary to deliver them, and we do not inspect them.
Communication data: if you contact our support team we retain records of that communication for up to three years.
Aggregate analytics: we collect cookieless, aggregated usage statistics on our public websites (page views, referrers, country-level geography) using a self-hosted analytics service. No individual users are tracked and no IP addresses are stored.
4. How we use your data
To provide and maintain our services, including software updates, device management, and Horizon dashboard access.
To process orders, manage your account, and issue invoices.
To send transactional emails (order confirmations, shipping notifications, license renewal reminders, security alerts). We do not send marketing emails without your explicit consent.
To diagnose errors, improve reliability, and prevent abuse.
To comply with our legal obligations under Dutch and EU law.
5. Legal basis (GDPR)
Contract performance (Art. 6(1)(b) GDPR): processing necessary to fulfil your order or provide the service you signed up for.
Legitimate interests (Art. 6(1)(f) GDPR): aggregate website analytics, security monitoring, and abuse prevention.
Legal obligation (Art. 6(1)(c) GDPR): tax record keeping and other statutory requirements.
Consent (Art. 6(1)(a) GDPR): marketing communications, where applicable. You may withdraw consent at any time.
6. Third-party sub-processors
We do not sell your personal data. We share data only with the following sub-processors, each bound by a Data Processing Agreement and processing data only on our documented instructions:
Supabase Inc. — authentication, database, and storage for our customer portal and Horizon services. Data is stored in the EU (Frankfurt region) where available.
Coolify hosting infrastructure — used to host our web applications, located in the EU.
Stripe Inc. — payment card processing and subscription billing for the Cueva Control store and customer portal. Stripe is certified to PCI DSS Level 1.
Resend Inc. — delivery of transactional emails (account, security, order, license).
We may disclose data to law enforcement or regulatory authorities when required by applicable law.
7. Cueva Control's own infrastructure
The following systems are operated by Cueva Control on infrastructure under our direct control. They are not third-party sub-processors:
gateway.cueva.cloud — the cloud transport that relays operational commands and telemetry between Horizon clients and IoT devices, located in the EU.
Self-hosted Plausible Analytics — privacy-friendly aggregate website analytics for our public web properties, located in the EU. No cookies are used and no IP addresses are stored.
8. International transfers
Most of our processing is performed in the EU. Where a sub-processor (such as Stripe or Resend) processes data outside the European Economic Area, we rely on European Commission adequacy decisions or EU Standard Contractual Clauses (Art. 46 GDPR) to ensure an equivalent level of data protection.
9. Data retention
Account data is retained for as long as your account is active plus up to 90 days after deletion to handle billing and dispute resolution.
Invoice and financial records are retained for 7 years as required by Dutch tax law (Article 52 AWR).
Support communications are retained for 3 years.
Server logs are typically retained for 30 days, longer for security-relevant events.
Backups are rolling and overwritten within 35 days.
10. AI and automated decision-making
We do not use AI or large language model services to process your personal data, your device data, or the operational telemetry that flows through the Horizon cloud gateway.
We do not make decisions that produce legal or similarly significant effects based solely on automated processing.
11. Your rights
Under the GDPR you have the right to access the personal data we hold about you; to request correction of inaccurate data; to request erasure where there is no legitimate reason to continue processing; to object to processing based on legitimate interests; to request restriction of processing; and to data portability.
To exercise any of these rights, email legal@cuevacontrol.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
12. Cookies
Our customer-facing applications use only strictly necessary cookies — for authentication (session and refresh tokens), security (CSRF protection), and saving your interface preferences (theme, language). Stripe.js sets limited cookies for fraud prevention during payment processing.
We do not use third-party tracking, advertising, or analytics cookies. Our analytics provider (self-hosted Plausible) is cookieless. Strictly necessary cookies do not require consent under the ePrivacy Directive.
13. Security
We use industry-standard security measures including TLS encryption in transit, encrypted storage at rest, hashed passwords (bcrypt), role-based access controls, secrets stored in encrypted vaults, and regular security reviews. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.
If you become aware of a security issue, please report it to legal@cuevacontrol.com.
14. Children
Our services are not directed to children under 16. We do not knowingly collect personal data from children. If you become aware that a child has provided personal data to us, please contact us so we can delete it.
15. Changes to this policy
We may update this policy from time to time. Material changes will be communicated by email to registered users or by a prominent notice on this website at least 14 days before the change takes effect. The "last updated" date at the top of this page will always reflect the most recent revision.
Questions about this policy? Contact us at legal@cuevacontrol.com or by post: Cueva Control, Leeuwenhoekstraat 98, 2652 XL Berkel en Rodenrijs, the Netherlands.