Privacy Policy

Version 1.0  |  Effective Date: 1 June 2026

IMPORTANT NOTICE

This Privacy Policy applies to personal data processed by Kyzen Group Limited in its capacity as a data controller. Where KYZEN processes personal data on behalf of its B2B clients as a data processor (in the context of service delivery), that processing is governed by the applicable Data Processing Agreement with the relevant client. End-users of KYZEN’s clients whose data is processed in service delivery contexts should direct privacy enquiries to the relevant client.

1. Introduction and Who We Are

Kyzen Group Limited (“KYZEN”, “we”, “us”, “our”) is a company incorporated under the laws of the Republic of Cyprus. Our registered office is at Marathovounou 15A, 3071, Limassol, Cyprus. We operate commercially under the trading name KYZEN.

KYZEN is a specialist business-to-business (“B2B”) managed services provider. For more information about our services please refer our Terms and Conditions at: https://kyzen.services/terms-conditions/

We are committed to protecting the privacy and security of personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Law Providing for the Protection of Natural Persons with Regard to the Processing of Personal Data and for the Free Movement of Such Data of 2018 (Law 125(I)/2018, Cyprus), and all other applicable data protection legislation (collectively, “Data Protection Laws”).

This Privacy Policy explains:

(a) what personal data we collect and process;

(b) the purposes for which we process it and the lawful basis for each;

(c) with whom we share it;

(d) how long we retain it;

(e) your rights as a data subject; and

(f) how to contact us.

2. Scope of This Policy

This Privacy Policy applies to:

  • Visitors to our website at kyzen.services and all related sub-pages
  • Individuals who contact us by email, telephone, or through our website
  • Representatives of existing and prospective B2B clients, partners, and vendors
  • Any other individuals whose personal data KYZEN processes in its capacity as data controller

This Policy does NOT cover personal data processed by KYZEN in its capacity as a data processor on behalf of its B2B clients. In those contexts, KYZEN acts solely under client instructions, and processing is governed by the applicable Data Processing Agreement (“DPA”). Individuals whose data is processed by KYZEN on behalf of a client should direct their enquiries to that client.

3. Our Role: Data Controller and Data Processor

KYZEN operates in two distinct data protection capacities, and it is important to understand the distinction:

3.1 When KYZEN Acts as Data Controller

KYZEN is the data controller when it determines the purposes and means of processing personal data — for example, when operating its website, managing business development activities, or maintaining records of client representatives and vendors. This Privacy Policy addresses KYZEN’s processing activities in this capacity.

3.2 When KYZEN Acts as Data Processor

Where KYZEN processes personal data on behalf of its B2B clients as part of service delivery — including payment orchestration, fraud management, KYC verification, and customer support — it does so exclusively as a data processor under the instructions of the relevant client. All such processing is governed by the individual Data Processing Agreement (“DPA”) executed with that client pursuant to Article 28 GDPR. Data subjects whose personal data is processed in this context should direct any privacy-related requests to the relevant client as data controller.

For the avoidance of doubt, KYZEN does not hold, control, or transmit client or end-user funds at any time, and is not a Payment Service Provider, Electronic Money Institution, Money Services Business, or Virtual Asset Service Provider.

4. Personal Data We Collect (as Data Controller)

4.1 Data You Provide Directly

When you contact us, submit an enquiry, or engage with our business, we may collect:

  • Identity and contact information: full name, job title, company name, email address, telephone number
  • Enquiry and communication content: the substance of messages, queries, meeting notes, and correspondence
  • Business information: company registration details, jurisdiction, sector of operation

4.2 Data Collected Automatically (Website)

When you visit our website, we automatically collect:

  • Technical identifiers: IP address, browser type and version, operating system, device type
  • Usage data: pages visited, time spent on pages, referring URLs, click paths, and interaction data
  • Cookie data: identifiers and information collected via cookies and similar tracking technologies — see our Cookie Policy at kyzen.services/cookie-policy

4.3 Data from Third-Party Sources

We may collect business contact information from publicly available sources (such as professional networks and company websites) for the purpose of legitimate B2B outreach in accordance with our lawful basis as described in Section 5 below.

5. Purposes and Lawful Bases for Processing (as Data Controller)

The GDPR requires that every processing activity be grounded in one of the lawful bases set out in Article 6(1). The table below identifies each processing purpose, the categories of data involved, and the applicable lawful basis.

PurposeCategories of DataLawful Basis (GDPR Article 6)
Responding to website enquiries and pre-contractual communicationsName, email, phone, company name, enquiry contentArt. 6(1)(b) — pre-contractual measures; or Art. 6(1)(f) — legitimate interests in engaging with prospective clients
Managing ongoing client and vendor relationshipsContact details, communications, business informationArt. 6(1)(b) — performance of a contract; Art. 6(1)(f) — legitimate interests in effective relationship management
Website analytics and performance monitoringIP address, usage data, cookie identifiersArt. 6(1)(f) — legitimate interests in maintaining and improving our website; Art. 6(1)(a) — consent (non-essential cookies)
Website security and fraud preventionIP address, technical data, access logsArt. 6(1)(f) — legitimate interests in protecting our systems and users
B2B marketing and business development communicationsProfessional contact details, business informationArt. 6(1)(f) — legitimate interests in promoting our services to relevant business contacts; Art. 6(1)(a) — consent where required by applicable law
Compliance with legal and regulatory obligationsContact details, records, correspondence, financial dataArt. 6(1)(c) — compliance with a legal obligation
Establishment, exercise, or defence of legal claimsRelevant personal data as required by the circumstancesArt. 6(1)(f) — legitimate interests in protecting KYZEN’s legal rights and position

6. Special Categories of Personal Data

As a general rule, KYZEN does not seek to collect special categories of personal data (as defined in Article 9 GDPR) from visitors to its website or from business contacts in its capacity as data controller.

However, in the course of delivering certain services to its B2B clients, KYZEN may process, as a data processor, personal data that falls within the following special categories on behalf of and under the instructions of the relevant client (data controller):

Where KYZEN processes such data as a processor, the applicable lawful basis under Article 9(2) GDPR is determined and maintained by the client (data controller), and may include:

  • Article 9(2)(b) — necessary for compliance with obligations and rights in the field of employment and social security and social protection law
  • Article 9(2)(g) — necessary for reasons of substantial public interest (including AML and financial crime prevention obligations)
  • Article 9(2)(a) — explicit consent obtained by the client from the data subject

KYZEN implements enhanced technical and organisational safeguards when processing special category data. Such processing — including the categories of special category data processed, the purpose and duration of processing, and the applicable security measures — is governed by the Data Processing Agreement (“DPA”) entered into between KYZEN and the relevant client.

7. Data Retention

KYZEN retains personal data only for as long as necessary for the purposes described in this Policy, or as required by applicable law. The following retention schedule applies:

Category of DataRetention PeriodBasis
Website enquiries and pre-contractual correspondence2 years from last contactLegitimate interests; applicable limitation periods
Website analytics data (cookie-based)13 months from collectionEDPB/supervisory authority guidance on cookie data
Security and access logs90 daysLegitimate interests in IT security and incident investigation
B2B marketing and business development contacts3 years from last engagement, or until objectionLegitimate interests; right to object honoured immediately
Legal claims correspondence and related recordsDuration of proceedings + applicable limitation period (up to 10 years under Cypriot law)Legal obligation; legitimate interests in defending claims

At the end of the applicable retention period, personal data is securely deleted or anonymised in accordance with KYZEN’s data lifecycle management procedures.

8. Sharing Personal Data — Recipients

KYZEN does not sell personal data to third parties under any circumstances. We may share personal data with the following categories of recipients, in each case only to the extent necessary and subject to appropriate contractual safeguards:

Category of RecipientPurpose and Safeguards
IT infrastructure and cloud service providersHosting, security, and analytics services. Bound by data processing agreements under Article 28 GDPR.
Professional advisers (lawyers, auditors, accountants)Legal, tax, and audit services. Subject to professional duties of confidentiality.
Regulatory and supervisory authoritiesCompliance with legal obligations, regulatory orders, and supervisory requests.
Law enforcement and public authoritiesWhere required by applicable law, court order, or lawful governmental request.
Successor entities (M&A)In the context of a merger, acquisition, or corporate restructuring, subject to equivalent data protection obligations and advance notice where required.

All third-party processors engaged by KYZEN are bound by contractual data processing agreements meeting the requirements of Article 28 GDPR, including confidentiality obligations, security requirements, limitations on sub-processing, and data deletion upon contract termination.

9. International Data Transfers

Given KYZEN’s international operations, personal data may be transferred to and processed in countries outside the European Economic Area. Where such transfers occur, KYZEN ensures that appropriate safeguards are in place in accordance with Articles 44–49 GDPR, including the use of Standard Contractual Clauses approved by the European Commission, adequacy decisions, or other lawful transfer mechanisms. Where such international transfers occur, KYZEN ensures that appropriate safeguards are in place in accordance with Chapter V GDPR (Articles 44–49).

10. Data Security

KYZEN implements technical and organisational measures designed to ensure a level of security appropriate to the risk posed by its processing activities, in accordance with Article 32 GDPR. These measures are reviewed and adapted on an ongoing basis having regard to the state of the art, the cost of implementation, and the nature, scope, context, and purposes of processing, and may include measures such as encryption, access controls, system monitoring, and incident response procedures. KYZEN also imposes appropriate security obligations on third-party processors engaged on its behalf.

11. Your Rights as a Data Subject

Under the GDPR and applicable Data Protection Laws, you have the following rights in respect of personal data that KYZEN processes in its capacity as data controller. All rights may be exercised by contacting us at legal@kyzen.services.

RightDescriptionGDPR Article
Right of AccessRequest confirmation that we are processing your personal data and receive a copy of it, together with supplementary information about how and why it is processedArticle 15
Right to RectificationRequest correction of personal data that is inaccurate, or completion of data that is incompleteArticle 16
Right to Erasure (“Right to be Forgotten”)Request deletion of your personal data where it is no longer necessary for the purposes collected, where consent is withdrawn (and no other basis applies), where you have objected and there are no overriding legitimate grounds, or where processing is unlawfulArticle 17
Right to Restriction of ProcessingRequest that we limit our processing of your data in certain circumstances (e.g., while you contest the accuracy of data, or pending the outcome of an objection)Article 18
Right to Data PortabilityReceive personal data you provided to us in a structured, commonly used, machine-readable format, and transmit it to another controller, where processing is based on consent or contract and carried out by automated meansArticle 20
Right to ObjectObject at any time to processing of your data based on legitimate interests, including profiling, or for direct marketing purposes. Where you object to direct marketing, processing will cease immediately. Where you object on other grounds, we will cease unless we demonstrate compelling legitimate groundsArticle 21
Rights Related to Automated Decision-MakingNot to be subject to a decision based solely on automated processing — including profiling — that produces legal or similarly significant effects on you, except where necessary for a contract, authorised by law, or based on explicit consentArticle 22
Right to Withdraw ConsentWhere processing is based on your consent, withdraw that consent at any time without affecting the lawfulness of processing before withdrawalArticle 7(3)

To exercise any of the above rights, please submit a written request to legal@kyzen.services. We will:

  • Acknowledge receipt of your request promptly
  • Respond within one (1) month of receipt
  • Where a request is complex or numerous, extend the response period by a further two (2) months, with notification within the initial one-month period
  • Request proof of identity where necessary to prevent unauthorised disclosure

There is no charge for exercising your rights unless a request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act, with written explanation.

The above rights apply only to processing by KYZEN as data controller. For personal data processed by KYZEN on behalf of a client (as processor), please contact the relevant client directly.

12. Right to Lodge a Complaint

If you are dissatisfied with KYZEN’s response to a privacy enquiry or exercise of rights, or if you believe that KYZEN is processing your personal data in breach of the GDPR or applicable data protection law, you have the right to lodge a complaint with the competent supervisory authority.

The supervisory authority with jurisdiction over KYZEN Group Limited is:

Office of the Commissioner for Personal Data Protection (Cyprus)

1 Iasonos Street, 1082 Nicosia, Cyprus

Website: www.dataprotection.gov.cy

Email: commissioner@dataprotection.gov.cy

Telephone: +357 22 818 456

You may also lodge a complaint with the supervisory authority in your country of habitual residence, place of work, or the place of the alleged infringement, if different from Cyprus. This right is without prejudice to any other administrative or judicial remedy available to you.

13. Cookies

Our website uses cookies and similar tracking technologies to enhance functionality, analyse usage, and support security. Cookies are small text files placed on your device by websites you visit.

We use the following categories of cookies:

  • Strictly necessary cookies: required for the website to function and cannot be switched off. No consent is required for these cookies
  • Analytics and performance cookies: allow us to measure and improve the performance of our website. These are only set with your consent
  • Functionality cookies: enable enhanced features and personalisation. Only set with your consent

For detailed information about which cookies we use, their purposes, duration, and how to control or withdraw your consent, please refer to our Cookie Policy at kyzen.services/cookie-policy. By continuing to use our website after being presented with a cookie consent banner, you consent to our use of non-essential cookies as described in the Cookie Policy.

14. Third-Party Links

Our website may contain hyperlinks to third-party websites, resources, or services. These links are provided for informational convenience only and do not constitute an endorsement or approval of those websites or their operators. KYZEN is not responsible for the privacy practices, terms of use, or content of any third-party website. We recommend reviewing the privacy policy and terms of any third-party site before use.

15. Changes to This Privacy Policy

KYZEN may update this Privacy Policy from time to time to reflect changes in our business practices, applicable law, or regulatory guidance. The revised Policy will be published on this page with an updated version number and effective date.

Where changes are material — including changes that affect the lawful basis for processing, the categories of data collected, or your rights — we will take reasonable steps to bring those changes to your attention. This may include prominent notice on our website or, where we hold your contact details, direct communication. Material changes that affect the processing of personal data will be notified in accordance with applicable Data Protection Laws and our obligations under the GDPR.

We recommend reviewing this Policy periodically to remain informed of how we protect your personal data.

16. Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or our data protection practices, please contact us:

Kyzen Group Limited

Marathovounou 15A, 3071 Limassol, Cyprus

Data Protection Enquiries:  legal@kyzen.services

General Enquiries:  info@kyzen.services

Website:  kyzen.services

How can we help?
Scroll to Top