Keystone
by CloudVoro
Compliance & trust

Privacy policy.

How CloudVoro (Ireland) — the company behind Keystone — collects, stores and processes your personal data. This notice applies to keystone.cloudvoro.com and the Keystone product.

Last updated: 1 February 2026 · Effective immediately

1. Who we are

CloudVoro is an Irish-registered business. We build and operate Keystone, a production-operations platform for food manufacturers. CloudVoro is the data controller for personal data collected via this website. For Keystone customers, CloudVoro is a data processor acting on behalf of the customer organisation.

Contact our DPO

Designated Data Protection Officer: dpo@cloudvoro.com
Postal: CloudVoro, Ireland (full address available on request)

2. What we collect

From website visitors

  • IP address, user agent, referrer and visited paths (visitor logs, kept for 90 days)
  • Form submissions on the contact page (name, company, email, phone, current system, message)
  • Strictly necessary cookies for session state — no advertising or analytics trackers

From Keystone customers

  • Account identifiers (name, email, role) for users granted access to a tenant
  • Operational data your team enters into Keystone (batches, orders, dispatches, COAs, labels)
  • Audit-log entries: who changed what, when, and from which IP — for the lifetime of the tenant

3. How we use it

Personal data is processed on the lawful bases of legitimate interest (running the site, preventing abuse), contract (delivering Keystone to paying customers), and consent (where you explicitly opt in, e.g. for a reference call introduction).

  • Respond to enquiries you send via the contact form or email
  • Operate, maintain and secure the Keystone product for paying customers
  • Detect and investigate misuse (visitor logs, bot detection)
  • Meet our legal, tax and regulatory obligations in Ireland and the EU

We do not sell personal data. We do not run ad networks. We do not share data with brokers.

4. Where it's hosted

All production data is hosted on AWS Ireland (eu-west-1, Dublin). Each Keystone tenant runs on a dedicated server with an isolated database. Data is encrypted at rest with KMS-managed keys and in transit with TLS 1.3.

5. Who we share it with

Limited, named sub-processors with EU-or-equivalent data protection guarantees:

  • AWS (Amazon Web Services EMEA SARL) — infrastructure hosting (Ireland)
  • CloudVoro SMTP relay — outbound email (mail.cloudvoro.com)
  • Stripe — payment processing for paid licences (only when applicable)
  • Calendly — scheduling discovery calls (only when you choose to book)

A current sub-processor list is published at /legal/sub-processors.

6. How long we keep it

  • Visitor logs (IP, paths): 90 days, then purged
  • Contact form submissions: 24 months from last contact, then archived or deleted
  • Customer tenant data: for the life of the contract + 30 days post-termination (then irreversibly deleted unless legally required to retain)
  • Encrypted backups: 30 days rolling, then overwritten

7. Your rights (GDPR)

If you are in the EU/UK you have the right to:

  • Request a copy of the personal data we hold about you
  • Ask us to correct inaccurate data, or delete data we are not legally required to retain
  • Object to processing based on legitimate interest
  • Withdraw consent at any time where consent is the basis
  • Lodge a complaint with the Irish Data Protection Commission (dataprotection.ie)

Email privacy@cloudvoro.com and we'll respond within 30 days.

8. Cookies

We use strictly necessary cookies only — for session state and your cookie-consent choice. We do not run Google Analytics, Facebook Pixel, or any advertising tracker by default. If we ever add optional analytics, you will be asked to opt in first.

9. Security posture

  • Hosted in the EU / Ireland — no data leaves the EU without written consent
  • GDPR — internal Data Protection Lead (privacy@cloudvoro.com); below Art. 37(1) threshold for formal DPO appointment
  • Building toward NIS2 readiness — tenant isolation, MFA roadmap, audit trails — CloudVoro is below the NIS2 size threshold and holds no NIS2 attestation
  • Encrypted at rest (AES-256, KMS) and in transit (TLS 1.3)
  • ISO/IEC 27001:2022 — control framework alignment in progress; not yet third-party certified (2026 roadmap)
  • UK Cyber Essentials — planned (assessing body to be confirmed)

10. Changes to this notice

We will post any material changes here and update the “Last updated” date above. For customers, we will also email the primary tenant contact at least 30 days before substantive changes take effect.

Questions?

Email privacy@cloudvoro.com or reach the founder directly at hello@cloudvoro.com.

Compliance & trust

How we keep your data and your audits safe.

We are honest about what's certified and what's in progress. Anything marked "in progress" reflects active work towards a recognised standard — never marketing decoration. Privacy queries go to privacy@cloudvoro.com. Sub-processor list at /legal/sub-processors. Full security posture at /site/security.

  • Hosted in EU / Ireland (Live): Customer data resides on AWS Ireland (eu-west-1) — never leaves the EU.
  • GDPR · Privacy Contact named (Live): Internal Data Protection Lead handles subject access requests. Owner is ADPO Ireland member.
  • NIS2 · building toward readiness (In progress): Tenant isolation, audit trails and MFA support customers in NIS2 scope. CloudVoro itself is below the size threshold; not yet certified.
  • ISO 27001 · alignment (In progress): We map our controls to Annex A but hold no third-party certificate. Formal certification on the 2026 roadmap.
  • Cyber Essentials · planned (In progress): UK Cyber Essentials assessment is on our roadmap. We will name the assessing body (IASME) and a confirmed date here once scoped.
  • Encryption · at rest & in transit (Live): TLS 1.3 in transit, industry-standard symmetric ciphers at rest, KMS-managed keys.