Privacy Policy
Version 1.0 | Effective Date: 1 June 2026
IMPORTANT NOTICE This Privacy Policy applies to personal data processed by Kyzen Group Limited in its capacity as a data controller. Where KYZEN processes personal data on behalf of its B2B clients as a data processor (in the context of service delivery), that processing is governed by the applicable Data Processing Agreement with the relevant client. End-users of KYZEN’s clients whose data is processed in service delivery contexts should direct privacy enquiries to the relevant client. |
1. Introduction and Who We Are
Kyzen Group Limited (“KYZEN”, “we”, “us”, “our”) is a company incorporated under the laws of the Republic of Cyprus. Our registered office is at Marathovounou 15A, 3071, Limassol, Cyprus. We operate commercially under the trading name KYZEN.
KYZEN is a specialist business-to-business (“B2B”) managed services provider. For more information about our services please refer our Terms and Conditions at: https://kyzen.services/terms-conditions/
We are committed to protecting the privacy and security of personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Law Providing for the Protection of Natural Persons with Regard to the Processing of Personal Data and for the Free Movement of Such Data of 2018 (Law 125(I)/2018, Cyprus), and all other applicable data protection legislation (collectively, “Data Protection Laws”).
This Privacy Policy explains:
(a) what personal data we collect and process;
(b) the purposes for which we process it and the lawful basis for each;
(c) with whom we share it;
(d) how long we retain it;
(e) your rights as a data subject; and
(f) how to contact us.
2. Scope of This Policy
This Privacy Policy applies to:
- Visitors to our website at kyzen.services and all related sub-pages
- Individuals who contact us by email, telephone, or through our website
- Representatives of existing and prospective B2B clients, partners, and vendors
- Any other individuals whose personal data KYZEN processes in its capacity as data controller
This Policy does NOT cover personal data processed by KYZEN in its capacity as a data processor on behalf of its B2B clients. In those contexts, KYZEN acts solely under client instructions, and processing is governed by the applicable Data Processing Agreement (“DPA”). Individuals whose data is processed by KYZEN on behalf of a client should direct their enquiries to that client.
3. Our Role: Data Controller and Data Processor
KYZEN operates in two distinct data protection capacities, and it is important to understand the distinction:
3.1 When KYZEN Acts as Data Controller
KYZEN is the data controller when it determines the purposes and means of processing personal data — for example, when operating its website, managing business development activities, or maintaining records of client representatives and vendors. This Privacy Policy addresses KYZEN’s processing activities in this capacity.
3.2 When KYZEN Acts as Data Processor
Where KYZEN processes personal data on behalf of its B2B clients as part of service delivery — including payment orchestration, fraud management, KYC verification, and customer support — it does so exclusively as a data processor under the instructions of the relevant client. All such processing is governed by the individual Data Processing Agreement (“DPA”) executed with that client pursuant to Article 28 GDPR. Data subjects whose personal data is processed in this context should direct any privacy-related requests to the relevant client as data controller.
For the avoidance of doubt, KYZEN does not hold, control, or transmit client or end-user funds at any time, and is not a Payment Service Provider, Electronic Money Institution, Money Services Business, or Virtual Asset Service Provider.
4. Personal Data We Collect (as Data Controller)
4.1 Data You Provide Directly
When you contact us, submit an enquiry, or engage with our business, we may collect:
- Identity and contact information: full name, job title, company name, email address, telephone number
- Enquiry and communication content: the substance of messages, queries, meeting notes, and correspondence
- Business information: company registration details, jurisdiction, sector of operation
4.2 Data Collected Automatically (Website)
When you visit our website, we automatically collect:
- Technical identifiers: IP address, browser type and version, operating system, device type
- Usage data: pages visited, time spent on pages, referring URLs, click paths, and interaction data
- Cookie data: identifiers and information collected via cookies and similar tracking technologies — see our Cookie Policy at kyzen.services/cookie-policy
4.3 Data from Third-Party Sources
We may collect business contact information from publicly available sources (such as professional networks and company websites) for the purpose of legitimate B2B outreach in accordance with our lawful basis as described in Section 5 below.
5. Purposes and Lawful Bases for Processing (as Data Controller)
The GDPR requires that every processing activity be grounded in one of the lawful bases set out in Article 6(1). The table below identifies each processing purpose, the categories of data involved, and the applicable lawful basis.
| Purpose | Categories of Data | Lawful Basis (GDPR Article 6) |
| Responding to website enquiries and pre-contractual communications | Name, email, phone, company name, enquiry content | Art. 6(1)(b) — pre-contractual measures; or Art. 6(1)(f) — legitimate interests in engaging with prospective clients |
| Managing ongoing client and vendor relationships | Contact details, communications, business information | Art. 6(1)(b) — performance of a contract; Art. 6(1)(f) — legitimate interests in effective relationship management |
| Website analytics and performance monitoring | IP address, usage data, cookie identifiers | Art. 6(1)(f) — legitimate interests in maintaining and improving our website; Art. 6(1)(a) — consent (non-essential cookies) |
| Website security and fraud prevention | IP address, technical data, access logs | Art. 6(1)(f) — legitimate interests in protecting our systems and users |
| B2B marketing and business development communications | Professional contact details, business information | Art. 6(1)(f) — legitimate interests in promoting our services to relevant business contacts; Art. 6(1)(a) — consent where required by applicable law |
| Compliance with legal and regulatory obligations | Contact details, records, correspondence, financial data | Art. 6(1)(c) — compliance with a legal obligation |
| Establishment, exercise, or defence of legal claims | Relevant personal data as required by the circumstances | Art. 6(1)(f) — legitimate interests in protecting KYZEN’s legal rights and position |
6. Special Categories of Personal Data
As a general rule, KYZEN does not seek to collect special categories of personal data (as defined in Article 9 GDPR) from visitors to its website or from business contacts in its capacity as data controller.
However, in the course of delivering certain services to its B2B clients, KYZEN may process, as a data processor, personal data that falls within the following special categories on behalf of and under the instructions of the relevant client (data controller):
Where KYZEN processes such data as a processor, the applicable lawful basis under Article 9(2) GDPR is determined and maintained by the client (data controller), and may include:
- Article 9(2)(b) — necessary for compliance with obligations and rights in the field of employment and social security and social protection law
- Article 9(2)(g) — necessary for reasons of substantial public interest (including AML and financial crime prevention obligations)
- Article 9(2)(a) — explicit consent obtained by the client from the data subject
KYZEN implements enhanced technical and organisational safeguards when processing special category data. Such processing — including the categories of special category data processed, the purpose and duration of processing, and the applicable security measures — is governed by the Data Processing Agreement (“DPA”) entered into between KYZEN and the relevant client.
7. Data Retention
KYZEN retains personal data only for as long as necessary for the purposes described in this Policy, or as required by applicable law. The following retention schedule applies:
| Category of Data | Retention Period | Basis |
| Website enquiries and pre-contractual correspondence | 2 years from last contact | Legitimate interests; applicable limitation periods |
| Website analytics data (cookie-based) | 13 months from collection | EDPB/supervisory authority guidance on cookie data |
| Security and access logs | 90 days | Legitimate interests in IT security and incident investigation |
| B2B marketing and business development contacts | 3 years from last engagement, or until objection | Legitimate interests; right to object honoured immediately |
| Legal claims correspondence and related records | Duration of proceedings + applicable limitation period (up to 10 years under Cypriot law) | Legal obligation; legitimate interests in defending claims |
At the end of the applicable retention period, personal data is securely deleted or anonymised in accordance with KYZEN’s data lifecycle management procedures.
8. Sharing Personal Data — Recipients
KYZEN does not sell personal data to third parties under any circumstances. We may share personal data with the following categories of recipients, in each case only to the extent necessary and subject to appropriate contractual safeguards:
| Category of Recipient | Purpose and Safeguards |
| IT infrastructure and cloud service providers | Hosting, security, and analytics services. Bound by data processing agreements under Article 28 GDPR. |
| Professional advisers (lawyers, auditors, accountants) | Legal, tax, and audit services. Subject to professional duties of confidentiality. |
| Regulatory and supervisory authorities | Compliance with legal obligations, regulatory orders, and supervisory requests. |
| Law enforcement and public authorities | Where required by applicable law, court order, or lawful governmental request. |
| Successor entities (M&A) | In the context of a merger, acquisition, or corporate restructuring, subject to equivalent data protection obligations and advance notice where required. |
All third-party processors engaged by KYZEN are bound by contractual data processing agreements meeting the requirements of Article 28 GDPR, including confidentiality obligations, security requirements, limitations on sub-processing, and data deletion upon contract termination.
9. International Data Transfers
Given KYZEN’s international operations, personal data may be transferred to and processed in countries outside the European Economic Area. Where such transfers occur, KYZEN ensures that appropriate safeguards are in place in accordance with Articles 44–49 GDPR, including the use of Standard Contractual Clauses approved by the European Commission, adequacy decisions, or other lawful transfer mechanisms. Where such international transfers occur, KYZEN ensures that appropriate safeguards are in place in accordance with Chapter V GDPR (Articles 44–49).
10. Data Security
KYZEN implements technical and organisational measures designed to ensure a level of security appropriate to the risk posed by its processing activities, in accordance with Article 32 GDPR. These measures are reviewed and adapted on an ongoing basis having regard to the state of the art, the cost of implementation, and the nature, scope, context, and purposes of processing, and may include measures such as encryption, access controls, system monitoring, and incident response procedures. KYZEN also imposes appropriate security obligations on third-party processors engaged on its behalf.
11. Your Rights as a Data Subject
Under the GDPR and applicable Data Protection Laws, you have the following rights in respect of personal data that KYZEN processes in its capacity as data controller. All rights may be exercised by contacting us at legal@kyzen.services.
| Right | Description | GDPR Article |
| Right of Access | Request confirmation that we are processing your personal data and receive a copy of it, together with supplementary information about how and why it is processed | Article 15 |
| Right to Rectification | Request correction of personal data that is inaccurate, or completion of data that is incomplete | Article 16 |
| Right to Erasure (“Right to be Forgotten”) | Request deletion of your personal data where it is no longer necessary for the purposes collected, where consent is withdrawn (and no other basis applies), where you have objected and there are no overriding legitimate grounds, or where processing is unlawful | Article 17 |
| Right to Restriction of Processing | Request that we limit our processing of your data in certain circumstances (e.g., while you contest the accuracy of data, or pending the outcome of an objection) | Article 18 |
| Right to Data Portability | Receive personal data you provided to us in a structured, commonly used, machine-readable format, and transmit it to another controller, where processing is based on consent or contract and carried out by automated means | Article 20 |
| Right to Object | Object at any time to processing of your data based on legitimate interests, including profiling, or for direct marketing purposes. Where you object to direct marketing, processing will cease immediately. Where you object on other grounds, we will cease unless we demonstrate compelling legitimate grounds | Article 21 |
| Rights Related to Automated Decision-Making | Not to be subject to a decision based solely on automated processing — including profiling — that produces legal or similarly significant effects on you, except where necessary for a contract, authorised by law, or based on explicit consent | Article 22 |
| Right to Withdraw Consent | Where processing is based on your consent, withdraw that consent at any time without affecting the lawfulness of processing before withdrawal | Article 7(3) |
To exercise any of the above rights, please submit a written request to legal@kyzen.services. We will:
- Acknowledge receipt of your request promptly
- Respond within one (1) month of receipt
- Where a request is complex or numerous, extend the response period by a further two (2) months, with notification within the initial one-month period
- Request proof of identity where necessary to prevent unauthorised disclosure
There is no charge for exercising your rights unless a request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act, with written explanation.
The above rights apply only to processing by KYZEN as data controller. For personal data processed by KYZEN on behalf of a client (as processor), please contact the relevant client directly.
12. Right to Lodge a Complaint
If you are dissatisfied with KYZEN’s response to a privacy enquiry or exercise of rights, or if you believe that KYZEN is processing your personal data in breach of the GDPR or applicable data protection law, you have the right to lodge a complaint with the competent supervisory authority.
The supervisory authority with jurisdiction over KYZEN Group Limited is:
Office of the Commissioner for Personal Data Protection (Cyprus) 1 Iasonos Street, 1082 Nicosia, Cyprus Website: www.dataprotection.gov.cy Email: commissioner@dataprotection.gov.cy Telephone: +357 22 818 456 |
You may also lodge a complaint with the supervisory authority in your country of habitual residence, place of work, or the place of the alleged infringement, if different from Cyprus. This right is without prejudice to any other administrative or judicial remedy available to you.
13. Cookies
Our website uses cookies and similar tracking technologies to enhance functionality, analyse usage, and support security. Cookies are small text files placed on your device by websites you visit.
We use the following categories of cookies:
- Strictly necessary cookies: required for the website to function and cannot be switched off. No consent is required for these cookies
- Analytics and performance cookies: allow us to measure and improve the performance of our website. These are only set with your consent
- Functionality cookies: enable enhanced features and personalisation. Only set with your consent
For detailed information about which cookies we use, their purposes, duration, and how to control or withdraw your consent, please refer to our Cookie Policy at kyzen.services/cookie-policy. By continuing to use our website after being presented with a cookie consent banner, you consent to our use of non-essential cookies as described in the Cookie Policy.
14. Third-Party Links
Our website may contain hyperlinks to third-party websites, resources, or services. These links are provided for informational convenience only and do not constitute an endorsement or approval of those websites or their operators. KYZEN is not responsible for the privacy practices, terms of use, or content of any third-party website. We recommend reviewing the privacy policy and terms of any third-party site before use.
15. Changes to This Privacy Policy
KYZEN may update this Privacy Policy from time to time to reflect changes in our business practices, applicable law, or regulatory guidance. The revised Policy will be published on this page with an updated version number and effective date.
Where changes are material — including changes that affect the lawful basis for processing, the categories of data collected, or your rights — we will take reasonable steps to bring those changes to your attention. This may include prominent notice on our website or, where we hold your contact details, direct communication. Material changes that affect the processing of personal data will be notified in accordance with applicable Data Protection Laws and our obligations under the GDPR.
We recommend reviewing this Policy periodically to remain informed of how we protect your personal data.
16. Contact Us
For any questions, concerns, or requests relating to this Privacy Policy or our data protection practices, please contact us:
Kyzen Group Limited Marathovounou 15A, 3071 Limassol, Cyprus Data Protection Enquiries: legal@kyzen.services General Enquiries: info@kyzen.services Website: kyzen.services |