Privacy Policy
Last updated: May 2026
1. Information We Collect
EFROS collects information you provide directly when you use our services, fill out forms, or communicate with us. This may include your name, email address, phone number, company name, and details about your IT infrastructure needs.
We also automatically collect certain technical information when you visit our website, including your IP address, browser type, operating system, referring URLs, and pages viewed.
2. How We Use Your Information
- To provide, maintain, and improve our IT and cybersecurity services
- To respond to your inquiries and provide customer support
- To send you technical notices, updates, and security alerts
- To communicate about services, offers, and events relevant to your business
- To monitor and analyze usage trends to improve our website and services
- To comply with legal obligations and protect our rights
3. Lawful Basis for Processing (GDPR Article 6)
Where the EU GDPR, UK GDPR, or Swiss FADP applies, EFROS processes personal data on one or more of the following lawful bases:
- Contract (Art. 6(1)(b)) — to deliver the services you have engaged us for and to perform pre-contractual steps at your request.
- Legitimate interests (Art. 6(1)(f)) — to operate, secure, and improve our services and to communicate with prospective clients in a business-to-business context, balanced against your rights and freedoms.
- Consent (Art. 6(1)(a)) — for non-essential cookies, marketing communications where required, and any optional processing.
- Legal obligation (Art. 6(1)(c)) — to comply with applicable tax, accounting, and regulatory obligations.
4. Data Protection & Security
EFROS operates an information security management system aligned to recognised frameworks (ISO/IEC 27001:2022 and AICPA SOC 2 Trust Services Criteria). Trust documentation and audit evidence are released to qualified clients and reviewers under NDA via the Trust Center. We use encryption (AES-256 at rest, TLS 1.2+ in transit with HSTS and MTA-STS), least-privilege access controls, and ongoing security review to safeguard data at rest and in transit.
5. Retention
We retain personal data only for as long as necessary for the purpose for which it was collected, to comply with applicable law, to resolve disputes, and to enforce our agreements. Engagement evidence is retained under encryption for the contractually agreed period (default 12 months) and then destroyed with verifiable sign-off. You may request earlier destruction at any time, subject to legal retention obligations.
6. Data Sharing
We do not sell your personal information to third parties. We may share information with trusted service providers (sub-processors) who assist us in operating our website and conducting our business, provided they are bound by written contracts containing the obligations set out in GDPR Article 28 (or the equivalent under UK GDPR / Swiss FADP). See Section 9 for our current sub-processor list.
7. Cookies & Tracking
Our website uses cookies and similar technologies to enhance your browsing experience, analyze site traffic, and understand where our visitors come from. Non-essential cookies are set only with your consent, where applicable. You can control cookie preferences through your browser settings.
8. Your Rights (GDPR Articles 15-22; UK GDPR; Swiss FADP)
If the EU GDPR, UK GDPR, or Swiss FADP applies to the processing of your personal data, you have the following rights:
- Right of access (Art. 15) — to obtain confirmation of whether we process your data and a copy of it.
- Right to rectification (Art. 16) — to correct inaccurate or incomplete data.
- Right to erasure (Art. 17) — the “right to be forgotten” in the circumstances set out by law.
- Right to restriction (Art. 18) — to limit our processing pending verification or objection.
- Right to data portability (Art. 20) — to receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21) — to object to processing based on legitimate interests or for direct marketing.
- Rights related to automated decision-making (Art. 22) — EFROS does not make solely automated decisions producing legal or similarly significant effects.
- Right to lodge a complaint — with a supervisory authority (see below).
To exercise any of these rights, contact [email protected]. We will respond within one month of receipt of your request, in line with Article 12(3) GDPR.
Supervisory authority contacts:
- EU residents — your national Data Protection Authority. The list of EDPB members is published at edpb.europa.eu/about-edpb/about-edpb/members_en.
- UK residents — Information Commissioner’s Office (ICO), ico.org.uk/global/contact-us/.
- Swiss residents — Federal Data Protection and Information Commissioner (FDPIC), edoeb.admin.ch.
9. Sub-processors
EFROS engages the following sub-processors to deliver our services. Each is bound by a written agreement containing the obligations of GDPR Article 28, including confidentiality, security, sub-processor controls, and assistance with data subject requests.
| Sub-processor | Purpose | Data location | Transfer mechanism |
|---|---|---|---|
| Microsoft (M365, Azure) | Email, identity, hosted infrastructure | EU + US | SCCs + UK IDTA |
| Amazon Web Services | Cloud infrastructure | EU + US | SCCs |
| Cloudflare | CDN, edge security | Global edge | SCCs |
| Additional sub-processors disclosed on request | — | — | — |
Last updated: May 2026. To subscribe to sub-processor change notifications (30 days’ notice before onboarding any new sub-processor), email [email protected].
10. Data Processing Agreement (DPA)
EFROS offers a standard Data Processing Agreement (DPA), compliant with GDPR Article 28, to all controllers who process personal data of EU, UK, or Swiss data subjects through our services. The DPA incorporates the European Commission’s Standard Contractual Clauses (Module 2 or 3, as applicable), the UK International Data Transfer Addendum, and the Swiss-FDPIC-compliant SCCs where applicable.
To request our DPA, email [email protected] (or [email protected]). A redacted sample DPA can be made available under NDA via the Trust Center.
11. Cross-Border Transfer Mechanism
For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to the United States or other third countries, EFROS relies on:
- Standard Contractual Clauses (SCCs) — Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module 2 (controller to processor) or Module 3 (processor to processor) as applicable.
- UK International Data Transfer Addendum (UK IDTA) — for transfers subject to the UK GDPR.
- Swiss SCCs — the Swiss FDPIC-recognised SCCs for transfers from Switzerland.
EFROS does not currently rely on the EU-U.S. Data Privacy Framework (DPF), the UK Extension to the DPF, or the Swiss-U.S. DPF as a transfer mechanism.
A Transfer Impact Assessment (TIA) template, covering the Schrems II analysis, supplementary measures, and recipient country surveillance-law review, is available on request to enterprise customers via [email protected].
12. Data Protection Officer / Privacy Contact
EFROS is not required to designate a Data Protection Officer under GDPR Article 37(1). Our core activities do not consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, nor do they consist of large-scale processing of special categories of personal data referred to in Article 9 or personal data relating to criminal convictions and offences referred to in Article 10. We are not a public authority.
For all privacy inquiries, including the exercise of any of the rights set out in Section 8, please contact:
- Email: [email protected]
- Alternative: [email protected]
13. California (CCPA / CPRA) and Other U.S. State Privacy Rights
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you the right to:
- Know what personal information we have collected;
- Request deletion of personal information we have collected;
- Correct inaccurate personal information;
- Opt out of the “sale” or “sharing” of personal information (EFROS does not sell or share personal information as those terms are defined under CCPA);
- Limit the use of sensitive personal information; and
- Be free from retaliation for exercising your privacy rights.
To exercise these rights, email [email protected] with the subject line “CCPA Request”. Residents of other U.S. states with comprehensive privacy laws (e.g., Virginia, Colorado, Connecticut, Utah, Texas) have analogous rights and may exercise them via the same address.
14. Compliance Frameworks
EFROS operates against the EU GDPR, the UK GDPR, the Swiss FADP, the California CCPA / CPRA, HIPAA (where a BAA is in place), and PIPEDA. Data handling practices are aligned to recognised frameworks (AICPA SOC 2 Trust Services Criteria, ISO/IEC 27001:2022). Audit attestations and compliance evidence are released to qualified clients and reviewers under NDA via the Trust Center.
15. Contact
If you have questions about this Privacy Policy, please contact us:
- Privacy inquiries: [email protected]
- DPA requests: [email protected]
- General: [email protected]
- Phone: +1 (765) 888-8888