cyan AG

Privacy Policy

  1. WHO WE ARE

Thank you for your interest in cyan (“we”, “us”, “Company”).

The controller within the meaning of the General Data Protection Regulation (“GDPR”) is:

cyan AG
(HRB 232764)
Josephspitalstraße 15
80331 Munich
Germany
[email protected]

This Privacy Policy applies to data processing in connection with our products and our website. Unless otherwise stated in this Privacy Policy, personal data is processed under cyan AG's own responsibility as controller within the meaning of the GDPR.

  2. PURPOSE OF THIS PRIVACY POLICY

We provide you with transparent information about which personal data we process, for what purposes this processing takes place, and which rights you have.

  3. DEFINITIONS

To ensure that this Privacy Policy remains understandable, we explain the most important terms below:

“Personal data” means any information relating to an identified or identifiable natural person. This includes, for example, name, email address, IP address, telephone number or location data.

“Data subject” means any natural person whose personal data is processed.

“Processing” means any operation performed on personal data, for example collecting, storing, using, transmitting, deleting or destroying.

“Restriction of processing” means that stored personal data is marked so that it will only be processed in a restricted manner in the future.

“Profiling” means automated processing of personal data in which personal aspects are evaluated or predicted, for example interests, behavior or location.

“Anonymization” means that personal data is altered in such a way that it can no longer be attributed to a specific person.

“Controller” means the person or entity that decides why and how personal data is processed.

“Processor” means a person or entity that processes personal data on behalf of a controller.

“Recipient” means a person or entity to whom personal data is disclosed.

“Third party” means any person or entity other than the data subject, the controller, the processor and the persons authorized to process the data.

“Consent” means a voluntary, informed and unambiguous declaration by which a person agrees to the processing of his or her personal data.

  4. WHICH DATA WE PROCESS

        4.1 WHEN VISITING OUR WEBSITE

When you visit our website, we automatically collect:

  • date and time of the page access;
  • truncated (anonymized) IP address;
  • browser, device and technical information;
  • origin/referrer, i.e. the page from which you came;
  • your usage behavior, for example clicks and duration of visit;
  • approximate location, such as country/city;
  • cookies; see also our Cookie Policy available at https://www.cyansecurity.com/cookie-policy/.

Purpose of processing

These data help us to operate the website securely and in a user-friendly manner.

Legal basis

  • 6(1)(f) GDPR (legitimate interest). The controller’s legitimate interest lies in ensuring system security, error analysis and improving user-friendliness. A balancing of interests has shown that there are no overriding interests or fundamental rights of the data subjects, as the processing is limited to what is technically necessary and no comprehensive profiling takes place.

Disclosure

For the provision and operation of our website, we use an external hosting service provider that acts as a processor pursuant to Art. 28 GDPR. Hosting is carried out by a processor in the EEA. The hosting service provider processes personal data exclusively on our instructions and on the basis of a corresponding data processing agreement. Data processing generally takes place within the European Union or in Switzerland. For Switzerland, there is an adequacy decision by the European Commission pursuant to Art. 45 GDPR, which ensures an adequate level of data protection.

Retention period

The technical data and log files processed in connection with the use of our website are generally stored for a period of 90 days and are then deleted or anonymized, unless longer storage is required for the investigation of security incidents or for compliance with legal obligations.

        4.2 WHEN YOU CONTACT US

If you contact us via our contact form on our website or by email, we process the following data:

  • first and last name;
  • email address;
  • telephone number;
  • your message;
  • selected reason for the inquiry, for example sales, demo or investor relations.

Purpose of processing

Processing your inquiry and communicating with you, and, where applicable, forwarding it to the responsible department within our group of companies.

Legal basis

  • 6(1)(b) GDPR (performance of a contract or implementation of pre-contractual measures); and
  • 6(1)(f) GDPR (legitimate interest in communication, efficient handling of inquiries, customer support and sales through authorized distribution partners).

Disclosure

Depending on the region, sales channel or contractual structure, it may be necessary for us to disclose your contact details to an authorized distribution partner in order to process your inquiry and provide you with an offer.

Transfer to third countries

Where applicable, these distribution partners may also be located outside the EU/EEA. In such cases, we ensure that appropriate safeguards pursuant to Art. 44 et seq. GDPR are in place, for example by concluding Standard Contractual Clauses.

Right to object

You have the right to object to this processing at any time pursuant to Art. 21 GDPR. You may exercise this right already when submitting your inquiry or at any time thereafter. The objection does not affect the lawfulness of the processing carried out up to that point.

Retention period

Your data will be stored for 6 months after final processing of your inquiry, unless statutory retention obligations or legitimate interests in longer storage exist.

        4.3 NEWSLETTER / INVESTOR RELATIONS UPDATES

If you subscribe to our newsletter or our investor relations updates, we process the following data:

  • first and last name;
  • email address;
  • time of registration and confirmation;
  • technical data in the context of the double opt-in procedure, for example IP address and timestamp.

Purpose of processing

Sending newsletter or investor relations information and proving your consent.

Double opt-in

Registration takes place using the so-called double opt-in procedure. This means that after registering you will receive an email in which you must confirm your registration. Only after this confirmation will your email address be added to our mailing list. This ensures that no one can register using another person’s email address. Our newsletters may contain functions for analyzing usage behavior, for example opening and click rates. This evaluation is carried out to improve our content and is based on your consent. The analysis is carried out in pseudonymized form insofar as this is technically possible.

Legal basis

  • 6(1)(a) GDPR (your consent). Processing is based on your voluntary consent to receive the newsletter or investor relations communications, including optional analysis of usage behavior, for example opening and click rates. You may withdraw your consent at any time with effect for the future.

Withdrawal

You may withdraw your consent at any time with effect for the future, for example via the unsubscribe link in each email or by notifying us at: [email protected]. After unsubscribing, your data will be deleted unless statutory retention obligations exist.

Disclosure

For sending the newsletter, we use EQS Group AG, Munich, Germany, as processor pursuant to Art. 28 GDPR. Processing generally takes place within the European Union.

        4.4 DIRECT MARKETING

As part of our business activities, we carry out direct marketing, in particular for initiating and maintaining business relationships.

The following data may be processed in this context:

  • business contact details, for example name, position and company;
  • publicly accessible data, for example from platforms such as LinkedIn;
  • contact details from databases of external service providers.

Purpose of processing

  • contacting potential business partners;
  • presenting our products and services;
  • establishing and maintaining business relationships.

Disclosure

We use carefully selected service providers within the European Union who support us in particular with telephone contact. They act as processors pursuant to Art. 28 GDPR and are contractually obliged to process data only in accordance with our instructions.

Legal basis

  • 6(1)(f) GDPR (processing for the purposes of legitimate interests, in particular promoting our business activities and initiating and developing business relationships). The processing is carried out in compliance with the applicable legal provisions, in particular Section 107 of the Austrian Telecommunications Act 2021 (TKG 2021) and relevant European provisions.

Information on your rights and objection options

You have the right to object at any time to the processing of your data for direct marketing purposes.

In addition, you have the option of registering with the so-called Robinson List of the Austrian Broadcasting and Telecommunications Regulatory Authority (RTR) in order to reduce unwanted advertising contacts.

        4.5 USE OF OUR PRODUCTS AND SERVICES

cyan AG provides cybersecurity products and services for companies, business customers and end users.

Depending on the specific design of the product, the sales channel and the respective contractual relationship, cyan may act either as controller or as processor within the meaning of the GDPR.

In this context, we process the following personal data:

  • IP addresses;
  • security-relevant network and connection data, for example DNS requests;
  • protocol data/log files;
  • device and system information;
  • email addresses;
  • support data, for example contact information, error descriptions, tickets and communication content.

Purpose of processing

Our products analyze network traffic for IT security purposes in order to detect and prevent potential security risks. The analysis is not carried out for the purpose of creating personal profiles. Data is not used for marketing purposes or to create personal usage profiles.

  • ensuring IT security and protection against cyber threats;
  • detection, analysis and defense against malware and attacks;
  • provision, operation and optimization of our products;
  • preparation of statistical evaluations;
  • customer support, error analysis and system maintenance.

Role under data protection law

cyan’s data protection role depends on the sales and usage channel through which the product is obtained:

  a) Purchase through an authorized partner

If our product is provided through a distribution partner:

  • that partner acts as controller within the meaning of the GDPR;
  • we act as processor pursuant to Art. 28 GDPR.

This means that we process personal data exclusively on the documented instructions of the respective partner acting as controller. Corresponding data processing agreements (“DPAs”) are in place.

  b) Purchase through a marketplace or directly from cyan

If our product is obtained directly from us or, for example, through an authorized marketplace, different data protection roles may be possible depending on the specific structure of the contractual relationship:

  • If payment processing or other services are provided through third parties, for example payment service providers or authorized distribution partners, these third parties process personal data under their own responsibility under data protection law.
  • Insofar as we ourselves are responsible for contract processing, including payment processing, the corresponding processing of personal data is also carried out under our own responsibility.

In none of these cases is there joint controllership within the meaning of Art. 26 GDPR.

Purpose of processing

Processing is carried out for the purposes stated above.

Legal basis

  • 6(1)(b) GDPR (processing necessary for the performance of a contract and the provision of the requested cybersecurity services)
  • 6(1)(f) GDPR (legitimate interests in ensuring the security, stability, functionality and improvement of our products and services, as well as in detecting and preventing cyber threats and misuse).

Retention period

Personal data is stored only for as long as this is necessary for the respective purposes.

  • Security and protocol data, for example log files and DNS requests, are generally stored only for a limited period and are then deleted or anonymized unless they are needed for a longer period to investigate specific security incidents.
  • Data processed in the context of contract processing and support is stored for the duration of the contractual relationship and beyond this in accordance with statutory retention and limitation periods.
  • Statistical evaluations are generally carried out in anonymized form.

Acceptance in the dashboard

During initial use of our products, users may be required to actively confirm certain contractual and data protection documents, for example a service description or data processing agreement, by means of an active confirmation such as a checkbox in the dashboard. This acceptance is a prerequisite for the use of the product.

The confirmation is logged, for example with time, user and technical metadata, in order to be able to prove proper acceptance and conclusion of the contract.

Legal basis

  • 6(1)(b) GDPR (performance of a contract); and
  • 6(1)(f) GDPR (evidentiary purposes and documentation of consents/confirmations).

Retention period

The logging of the confirmation is stored for the duration of the contractual relationship and beyond this in accordance with statutory limitation and retention periods. Longer storage only takes place insofar as this is necessary for the establishment, exercise or defense of legal claims.

Who is responsible for handling your rights under the GDPR?

Insofar as third parties process personal data under their own responsibility under data protection law, in particular in the cases described in Section 4.5 lit. a) and b), they are each responsible for handling data subject rights and for fulfilling data protection obligations, in particular pursuant to Art. 12 and 13 GDPR. Insofar as we act as processor, we support the respective controller in fulfilling data subject rights pursuant to Art. 28 GDPR. Processing of personal data for our own purposes outside the instructions of a controller takes place exclusively in the cases described in Section 8.

        4.5.1 USE OF OUR MOBILE APPLICATIONS

When using our mobile applications, in particular “cyan guard 360”, the following personal data may be processed depending on the specific use:

  • IP addresses;
  • DNS requests and filter data;
  • protocol data/log files;
  • email addresses;
  • telephone numbers;
  • technical device and usage information.

Purpose of processing

  • provision and operation of the cybersecurity services;
  • detection and defense against cyber threats and malicious content;
  • DNS filtering to protect against risks and inappropriate content;
  • error analysis, maintenance and technical support;
  • preparation of aggregated statistical evaluations for the respective controller.

Processing for advertising purposes or for the creation of personal usage profiles does not take place.

Legal basis

Depending on the specific contractual and role allocation, processing is carried out on the basis of:

  • 6(1)(b) GDPR (performance of a contract or implementation of pre-contractual measures);
  • 6(1)(f) GDPR (legitimate interest in ensuring IT security, error analysis and the provision and optimization of the services).

Transfer to third countries

Personal data is generally processed within the European Union or the European Economic Area. Where transfers of data to third countries are necessary, they are carried out exclusively in compliance with the requirements of Art. 44 et seq. GDPR.

Your rights

Insofar as cyan acts as processor, we support the respective controller in handling data subject rights pursuant to Art. 28 GDPR. Corresponding requests are forwarded without undue delay to the responsible controller.

        4.6 APPLICATIONS

If you apply to us, we process:

  • contact details, for example name, email address and telephone number;
  • application documents, for example CV, cover letter and certificates;
  • information on qualifications, professional experience and education;
  • communication data, for example email correspondence and interview notes;
  • where applicable, further information provided by you during the application process.

Purpose of processing

  • carrying out the application process.

Legal basis

  • Art. 6(1)(b) GDPR (implementation of pre-contractual measures in the context of the application process).

Retention period

A maximum of 6 months after completion of the application procedure, unless consent has been given for longer storage, for example for future job offers.

Specific aspects in employment relationships

In connection with employment relationships, longer storage periods may apply beyond the general retention periods.

In addition to the seven-year retention obligation for tax and social security documents pursuant to Section 132(1) of the Austrian Federal Fiscal Code (BAO), employment law claims may be subject to a general limitation period of up to 30 years pursuant to Section 1478 of the Austrian Civil Code (ABGB).

Corresponding storage of personal data may therefore be necessary in order to establish, exercise or defend legal claims. Processing takes place within the EU.

Disclosure

For handling the application process, we use the software of Personio SE & Co. KG, Seidlstraße 3, 80335 Munich, Germany, as processor pursuant to Art. 28 GDPR.

Applicant data in Personio is generally anonymized after 90 days, unless longer storage is required due to statutory retention obligations, for the establishment, exercise or defense of legal claims, or on the basis of separate consent.

  5. WEB ANALYTICS (MATOMO)

We use Matomo to understand how our website is used. In doing so, we process:

  • truncated/anonymized IP address;
  • usage behavior;
  • device and browser data.

Legal basis

  • 6(1)(a) GDPR (consent via cookie banner); processing takes place within the EU.

Retention period

The data collected in the context of web analytics is stored for a period of 6 months and is then deleted or anonymized.

  6. LINKEDIN ADS

We use advertising services of LinkedIn Ireland Unlimited Company on our website. LinkedIn enables us to display targeted advertisements and to analyze the success of our campaigns.

In particular, the following data may be processed:

  • online identifiers, for example cookie IDs;
  • IP address;
  • device and browser information;
  • usage and interaction data.

Purpose of processing

  • displaying target-group-based advertising;
  • analyzing and optimizing our marketing measures.

Legal basis

  • Art. 6(1)(a) GDPR (processing on the basis of your freely given consent). Use takes place exclusively after your consent via our cookie/consent banner. You may withdraw your consent at any time with effect for the future.

Responsibility

LinkedIn also processes personal data in connection with the advertising services partly for its own purposes and under its own responsibility under data protection law. LinkedIn’s privacy policy can be found here: https://www.linkedin.com/legal/privacy-policy.

Transfer to third countries

It cannot be excluded that personal data may be transferred to the USA. The transfer takes place on the basis of the European Commission’s Standard Contractual Clauses.

  7. USE OF COOKIES AND SIMILAR TECHNOLOGIES

We use cookies to:

  • technically provide the website;
  • improve content;
  • generate usage statistics.

Cookies that are not technically necessary are only set with your consent.

Further information can be found in our Cookie Policy: https://www.cyansecurity.com/cookie-policy/.

  8. PROCESSING UNDER OUR OWN RESPONSIBILITY

Irrespective of any processing as processor (see Section 4.5), we also process personal data under our own responsibility under data protection law where this is necessary to safeguard our own legitimate interests or to comply with legal obligations.

This concerns in particular the following processing activities:

  • billing and contract processing, including the processing of data in connection with the use of our products, for example license billing and final billing after contract termination;
  • documentation and proof of services provided, in particular in the context of support requests, ticket systems and services;
  • storage and processing for the establishment, exercise or defense of legal claims;
  • compliance with legal obligations, in particular retention obligations pursuant to Section 132 BAO and Section 212 UGB;
  • ensuring the security of our own IT systems, including the processing of log data for the detection and defense against security incidents;
  • product improvement and quality assurance, insofar as this is carried out on the basis of aggregated or anonymized data;
  • termination of contractual relationships, including deactivation of accounts, data deletion and final documentation.

Legal bases

  • 6(1)(b) GDPR (processing necessary for the performance of contractual obligations and the handling of contractual relationships and support services);
  • 6(1)(c) GDPR (processing necessary for compliance with legal obligations, in particular statutory retention, accounting and documentation obligations under commercial, corporate and tax law);
  • 6(1)(f) GDPR (legitimate interests in proper business operations, ensuring IT and product security, documentation and evidentiary purposes, improving our services, and the establishment, exercise or defense of legal claims).

  9. SOCIAL MEDIA LINKS

On our website you will find links to our profiles or content on:

  • LinkedIn;
  • Instagram;
  • YouTube.

Our website may contain both external links to our social media profiles and embedded content from third-party providers.

Data processing

  • Content and links to third-party providers, for example YouTube, are integrated on our website.
  • Without your consent, no data is transmitted to these third-party providers. In particular, no connection to the servers of these providers is established.
  • Only if you consent to the use of third-party services in the cookie banner can a connection to the servers of the respective provider be established and personal data, for example your IP address, be transmitted.
  • If you click on a corresponding content item or link, you will be redirected directly to the respective platform. From that point on, data processing is carried out by the respective provider under its own responsibility.

Further information on data processing by the respective providers can be found in the privacy policies of the respective platforms.

Legal bases

  • 6(1)(a) GDPR (consent to the use of third-party services and embedded content);
  • 6(1)(f) GDPR (legitimate interest in maintaining an online presence and communicating with users and interested parties).

  10. GOOGLE RECAPTCHA

We use the “reCAPTCHA” service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, on our website.

reCAPTCHA is intended to verify whether data entered on our website, for example in forms, is entered by a human or by an automated program.

For this purpose, reCAPTCHA analyzes the behavior of the website visitor based on various characteristics. This analysis begins automatically as soon as reCAPTCHA is loaded. In particular, the following data may be processed:

  • IP address;
  • referrer URL;
  • information about the operating system and browser;
  • mouse movements and interactions;
  • where applicable, further data provided by Google.

Purpose of processing

Processing is carried out to detect and prevent automated access and to protect our website against misuse, spam and attacks by bots.

Legal basis

  • Art. 6(1)(a) GDPR (consent via the cookie/consent banner).

Disclosure

The data is transmitted to Google servers and processed there. This may also involve a transfer to the USA.

The use of reCAPTCHA takes place exclusively on the basis of your consent pursuant to Art. 6(1)(a) GDPR. Google also processes personal data in connection with reCAPTCHA partly for its own purposes. Further information on data processing by Google can be found in Google’s Privacy Policy: https://policies.google.com/privacy.

  11. DISCLOSURE OF YOUR DATA

We only disclose data where this is necessary and permitted:

  • within our group of companies;
  • to service providers, for example IT and hosting providers;
  • to authorities where legally required;
  • in anonymized form.

We conclude data processing agreements with service providers pursuant to Art. 28 GDPR.

  12. DATA TRANSFERS TO THIRD COUNTRIES

Data processing generally takes place in Austria or within the European Union.

However, in the context of our services, we also use IT service providers, in particular cloud and hosting providers such as Amazon Web Services and Microsoft. In individual cases, this may result in a transfer of personal data to these service providers and to their affiliated companies or sub-processors in third countries, in particular the USA.

In such cases, we ensure that appropriate safeguards pursuant to Art. 44 et seq. GDPR are in place in order to guarantee an adequate level of data protection. This is done in particular by:

  • concluding the European Commission’s Standard Contractual Clauses;
  • implementing additional technical and organizational safeguards where applicable;
  • and, where applicable, certification of the data recipient under the EU-US Data Privacy Framework.

In exceptional cases, a data transfer may also take place on the basis of Art. 49 GDPR, for example on the basis of your explicit consent. Where data transfers to the USA take place, a fully equivalent level of data protection to that within the EU cannot be guaranteed despite existing safeguards.

  13. RETENTION PERIOD

We store your personal data only to the extent and for as long as is required to fulfil the purposes of data processing. Log files are deleted after 90 days. Thereafter, your data is deleted or anonymized so that it is no longer possible to draw conclusions about your person. Due to statutory provisions, this may generally amount to up to 7 years. Corresponding retention obligations can be found, for example, in the Austrian Federal Fiscal Code and the Austrian Commercial Code. In addition, statutory limitation and warranty periods may be relevant for determining the storage period. If we carry out processing based on your consent, we generally store your data until you withdraw the consent you have given.

  14. YOUR RIGHTS

You have the following rights:

  • right of access (Art. 15 GDPR);
  • right to rectification (Art. 16 GDPR);
  • right to erasure (Art. 17 GDPR);
  • right to restriction of processing (Art. 18 GDPR);
  • right to data portability (Art. 20 GDPR);
  • right to object (Art. 21 GDPR);
  • right to withdraw your consent.

Contact: [email protected]

You also have the right to lodge a complaint with a competent data protection supervisory authority. Further information is available at: https://www.bfdi.bund.de.

  15. NO AUTOMATED DECISION-MAKING

No automated decision-making within the meaning of Art. 22 GDPR takes place.

  16. DATA SECURITY

We use appropriate technical, organizational and physical measures to protect your personal data. These measures serve in particular to protect your data against:

  • unauthorized access;
  • loss or destruction;
  • alteration;
  • unauthorized disclosure.

Our security measures are regularly reviewed and adapted to the current state of the art.

In addition, we ensure through contractual agreements that our service providers also process personal data exclusively in accordance with the applicable data protection regulations and implement appropriate security measures.

Note

Despite all measures taken, complete security during data transmission over the internet cannot be guaranteed.

  17. CHANGES TO THIS PRIVACY POLICY

We reserve the right to amend this Privacy Policy where necessary.

The current version is available on our website.


Last updated: April 2026