1. Introduction

We at CRA Evidence are committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your personal data when you use our platform.

CRA Evidence is designed to help manufacturers of Products with Digital Elements (PDEs) achieve and maintain compliance with the EU Cyber Resilience Act.

2. Data Controller

The data controller responsible for your personal data is:

CRA Evidence Team Spain-based individual developers (beta phase product) Email: privacy@craevidence.com

Note: Full legal entity details will be provided upon commercial launch.

3. Data We Collect

3.1 Account Information

  • Email address
  • Name
  • Company name
  • Password (stored securely hashed)

3.2 Usage Data

  • Log data (IP address, browser type, pages visited)
  • Feature usage patterns
  • Session information

3.3 CRA Compliance Data

  • Product and version information
  • SBOM (Software Bill of Materials) files
  • Vulnerability reports
  • Technical documentation

4. How We Use Your Data

We use your data for the following purposes:

  • Providing and maintaining our services
  • Account management and authentication
  • Customer support
  • Improving our services
  • Compliance with legal obligations

We process your personal data based on:

  • Contract Performance: To provide the services you have requested
  • Legitimate Interests: To improve our services and ensure security
  • Consent: For optional marketing communications
  • Legal Obligation: To comply with applicable laws

6. Data Retention

We retain your data for the following periods:

  • Account data: Retained while your account is active, plus 30 days after deletion
  • CRA compliance data: Retained for 10 years to comply with CRA documentation requirements
  • Usage logs: Retained for 90 days

7. Your Rights

Under GDPR, you have the following rights:

  • Right to access your personal data
  • Right to rectification of inaccurate data
  • Right to erasure ('right to be forgotten')
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Right to withdraw consent

To exercise these rights, contact us at privacy@craevidence.com

8. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption in transit (TLS 1.2 or higher)
  • Encryption at rest (AES-256)
  • Secure password hashing (Argon2)
  • Automated security reviews
  • Access controls and authentication

9. Subprocessors

We use third-party service providers (subprocessors) to help deliver our services. These subprocessors may process personal data on our behalf in accordance with GDPR Article 28.

A complete list of our current subprocessors, including their purposes and data processing locations, is available on our Subprocessors page.

We will notify customers at least 30 days before adding or replacing a subprocessor.

10. Contact Us

For privacy-related inquiries, contact our Privacy Contact:

Email: privacy@craevidence.com

11. Updates to This Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes.

Last updated: January 2, 2026

Document Version: