Privacy Policy
Last updated: 2026-04-19
This Privacy Policy explains how Cermus ("we", "us", "our") collects, uses, stores, and protects personal data of visitors to our website www.cermus.com and prospective or existing clients. We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Dutch implementation act (UAVG).
1. Data controller
Cermus IT B.V.
KVK 89607988 · VAT NL865038697B01
The Netherlands
For any data protection question, exercise of rights, or complaint, please contact us through our legal inquiry form. We respond within 30 days in line with Art. 12 GDPR.
2. What data we collect and why
2.1 Strictly necessary (no consent required)
A minimum set of technical data is processed on the basis of our legitimate
interest to operate and secure the website (Art. 6(1)(f) GDPR): server
access logs (IP address, user-agent, request path, timestamp) retained for
up to 14 days for security monitoring, and your cookie-consent preference
stored in your browser's localStorage under the key
cermus-consent.
2.2 Anonymous analytics — PostHog (no consent required)
On the basis of our legitimate interest to understand which pages visitors find useful (Art. 6(1)(f) GDPR) and in line with the CNIL "exempt measurement" criteria, we use PostHog (hosted on EU Cloud, Frankfurt, by PostHog Inc.) in cookieless mode: no cookies are set, no persistent identifiers are stored in your browser, no cross-site tracking occurs, IP addresses are truncated before storage, and only aggregate page-level statistics are retained. Data is kept for up to 12 months, never sold, and never enriched with personal data you submit. Because no personal data leaves your browser beyond truncated, non-identifying signals, this processing does not require your consent. You can still object at any time through our legal inquiry form. See PostHog privacy policy.
2.3 Marketing — Meta Pixel (consent required)
With your consent (Art. 6(1)(a) GDPR) we use the Meta Pixel
(Meta Platforms Ireland Ltd.) to measure the effectiveness of our
advertising on Meta platforms (Facebook, Instagram) and to build
audiences for retargeting. The Meta Pixel sends pseudonymised identifiers
(_fbp, _fbc) to Meta along with the URL of the
page you visited. Retention and further processing are governed by Meta.
See Meta privacy policy.
Transfers to Meta may involve a transfer to the United States. Meta participates in the EU-US Data Privacy Framework; where additional safeguards are required we rely on the European Commission's Standard Contractual Clauses.
2.4 Forms and direct contact
If you fill in a form (e.g. "Get started") we process the data you provide (name, email, company, message) on the basis of either your request for pre-contractual steps (Art. 6(1)(b) GDPR) or your explicit consent (Art. 6(1)(a) GDPR). We keep it only as long as needed for the purpose, and in any case no longer than 24 months after the last contact unless a contract requires otherwise.
3. Cookies and similar technologies
PostHog anonymous analytics (section 2.2) set no cookies and store nothing in your browser. The only non-essential technology that places cookies is the Meta Pixel, and it is blocked by our consent manager until you explicitly allow it. You can give, refuse, or change your consent at any time via the "Cookie settings" link in the footer.
| Service | Purpose | Category | Provider |
|---|---|---|---|
| PostHog (cookieless) | Anonymous page-level measurement — no cookies | Exempt measurement | PostHog Inc. (EU Cloud, Frankfurt) |
| Meta Pixel | Ad attribution, retargeting | Marketing (consent required) | Meta Platforms Ireland Ltd. |
4. Your rights under GDPR
Under Articles 15–22 GDPR you have the right to:
- Access the personal data we hold about you.
- Rectification of inaccurate or incomplete data.
- Erasure ("right to be forgotten") where applicable.
- Restriction of processing.
- Data portability in a structured, machine-readable format.
- Object to processing based on legitimate interest.
- Withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, submit a request through our legal inquiry form. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl) or your local supervisory authority.
5. Data retention
We keep personal data only as long as necessary for the purposes for which it was collected and in line with the retention periods described above. After that period the data is deleted or irreversibly anonymised.
6. Security
We apply technical and organisational measures appropriate to the risk, including TLS encryption in transit, encryption at rest on our cloud provider, least-privilege access controls, and regular security monitoring. No method of transmission or storage is 100% secure, but we strive to protect your data to industry standards.
7. Changes to this policy
We may update this Privacy Policy to reflect changes in our services or applicable law. Material changes will be communicated via the website. The date at the top of this page indicates the most recent revision.
8. Manage your cookie preferences
You can update your cookie consent at any time:
This document is provided for transparency and GDPR compliance. For tailored legal advice consult qualified counsel.
For privacy or GDPR-related requests, please use our legal inquiry form.