Privacy policy

Last updated: 2026-04-14

1. Controller

Crevix is operated by DSA Consulting, Babbelaarstraat 46b, 9308 Hofstade, Belgium — BTW BE1027574547 (the "Controller"). Contact: privacy@crevix.io.

2. Personal data we process

To provide the Service we process:

  • Account data: e-mail address, full name, optional company
  • Authentication: bcrypt hash of your password (never the plaintext)
  • Usage data: audit summaries (hostname, PAN-OS version, severity counts, score, timestamp), IP address of each audit
  • Security log: login events, password changes, account deletion
  • Billing: Stripe customer ID and subscription status (billing details are held by Stripe, not by us)

What we never process: the contents of your firewall configuration files. Parsing happens entirely in your browser.

3. Purposes & legal basis (GDPR Art. 6)

  • Contract performance — operating the Service you subscribed to
  • Legitimate interest — security logging, abuse detection, product improvement
  • Legal obligation — billing records, tax

4. Sharing

We share data only with strictly necessary processors:

  • Stripe (billing)
  • Our infrastructure provider (hosting)
  • Our e-mail delivery provider (transactional e-mails only)

All processors are bound by a Data Processing Agreement.

5. Retention

Account & audit data is retained for the duration of your subscription plus 30 days. Security logs are retained for 12 months. Billing records are retained for 7 years to meet tax-law requirements.

6. Your rights

You may exercise the following rights at any time:

  • Access & portability — export your data as JSON from your account page
  • Rectification — update your profile from your account page
  • Erasure — delete your account from your account page
  • Restriction & objection — contact us at privacy@crevix.io
  • Complaint — lodge a complaint with your national Data Protection Authority (Belgium: Data Protection Authority)

7. International transfers

Where processors are located outside the EEA, we rely on EU Standard Contractual Clauses.

8. Cookies

We use a single strictly-necessary session cookie (cg.sid) to keep you signed in. No analytics or advertising cookies.

9. Security

See our Security page for technical measures.

10. Changes

We may update this policy; material changes will be announced by e-mail at least 14 days in advance.

This document is provided as a starting template and must be reviewed and adapted by qualified legal counsel before use in production.