Privacy Policy

Last updated: March 28, 2026

1. Introduction

CPAM ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our contract price adjustment management platform ("Service").

This policy applies to all users of the Service worldwide. For users in the European Economic Area (EEA) and United Kingdom, we comply with the General Data Protection Regulation (GDPR) and UK GDPR respectively. For California residents, we comply with the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

Please read this policy carefully. If you do not agree with the terms of this Privacy Policy, please do not access the Service.

2. Data Controller

CPAM acts as the data controller for personal data collected through the Service. For the purposes of GDPR, the data controller is:

CPAM Inc.

Data Protection Officer: dpo@cpam.io

Privacy enquiries: privacy@cpam.io

For B2B customers, CPAM acts as a data processor with respect to personal data you upload or generate within the Service on behalf of your organisation. In this capacity, we process data only on your documented instructions, as set out in our Data Processing Agreement (DPA), available on request.

3. Information We Collect

Account and Identity Data

Information you provide when registering or using the Service:

  • Name and email address
  • Company name, job title, and team membership
  • Phone number (optional)
  • Profile avatar (optional)
  • Password (stored as a one-way hash; we never store plaintext passwords)

Billing and Payment Data

Payment card details are collected and stored directly by our payment processor, Stripe Inc. We receive only a tokenised representation of your card and high-level billing information (last four digits, expiry, billing address). We never have access to your full card number.

Business and Operational Data

Data you create or upload to operate the Service:

  • Price adjustment mechanisms (PAMs), formulas, and configurations
  • Commodity index series, values, and data points
  • Approval workflow records and decisions
  • Audit logs and calculation histories
  • API provider credentials (stored encrypted at rest)

Usage and Technical Data

Collected automatically when you use the Service:

  • IP address, browser type and version, operating system
  • Pages visited, features used, time spent, click interactions
  • Error logs and performance metrics
  • Authentication events (login times, session tokens)
  • Cookies and similar technologies (see our Cookie Policy)

4. Legal Basis for Processing (GDPR)

For EEA and UK users, we process personal data only where we have a valid legal basis under Article 6 GDPR:

Contract performance (Article 6(1)(b))

Processing your account data, business data, and billing information to deliver the Service, process transactions, and fulfil our contractual obligations to you.

Legitimate interests (Article 6(1)(f))

Analysing usage patterns to improve the Service, detecting fraud and security threats, maintaining audit logs, and sending product updates. Our legitimate interests are balanced against your rights; you may object at any time.

Legal obligation (Article 6(1)(c))

Retaining financial and transaction records to comply with tax, accounting, and regulatory requirements.

Consent (Article 6(1)(a))

For non-essential cookies and analytics tracking where required by law. You may withdraw consent at any time without affecting the lawfulness of prior processing.

5. How We Use Your Information

  • Provide, operate, and maintain the Service
  • Create and manage your account and team workspace
  • Process payments and send billing-related communications
  • Send transactional emails (password resets, security alerts, approval notifications)
  • Respond to support requests and communicate about your account
  • Send product updates and feature announcements (you may unsubscribe at any time)
  • Monitor for security threats, fraud, and abuse
  • Analyse aggregate usage patterns to improve the Service
  • Comply with applicable legal obligations
  • Enforce our Terms of Service

We will never use your business data (pricing formulas, index data, PAM configurations) to train machine learning models, sell to third parties, or for any purpose other than delivering the Service.

6. Information Sharing and Sub-Processors

We do not sell your personal information. We share data only in the following limited circumstances:

Sub-Processors

We use the following third-party service providers to operate the Service. Each is bound by data processing agreements and may only process data on our instructions:

Provider             | Purpose                             | Location
Stripe Inc.          | Payment processing and billing      | USA
Vercel Inc.          | Application hosting and delivery    | USA / Global CDN
Amazon Web Services  | Database and storage infrastructure | USA / EU (configurable)
Postmark / SendGrid  | Transactional email delivery        | USA

Other Disclosure Scenarios

  • Index data providers: When you connect a third-party data provider (e.g. FRED, EIA, BLS), your API key and query parameters are transmitted to that provider on your behalf.
  • Legal requirements: We may disclose data if required by law, court order, or to protect the rights, property, or safety of CPAM, our users, or the public.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you before your data becomes subject to a materially different privacy policy.

7. Data Security

We implement industry-standard technical and organisational security measures to protect your data against unauthorised access, loss, or disclosure:

  • AES-256 encryption for data at rest
  • TLS 1.3 for all data in transit
  • API credentials encrypted using envelope encryption with per-tenant keys
  • Role-based access controls and principle of least privilege
  • Multi-factor authentication (MFA) support for all accounts
  • Comprehensive audit logging of all data access and changes
  • Regular security reviews and vulnerability assessments

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. In the event of a data breach that is likely to result in high risk to your rights, we will notify affected users and relevant supervisory authorities within 72 hours as required by GDPR.

8. Data Retention

We retain your data only for as long as necessary for the purposes described in this policy, or as required by law:

Data Type                                    | Retention Period
Account and profile data                     | Duration of account + 30 days after deletion request
Business data (PAMs, formulas, index series) | Duration of subscription + 90 days post-termination
Billing and transaction records              | 7 years (tax and accounting compliance)
Security and audit logs                      | 7 years
Anonymised analytics data                    | Indefinitely (cannot be re-linked to individuals)

9. International Data Transfers

CPAM is operated from the United States. If you are located in the EEA, UK, or other jurisdictions with data transfer restrictions, your data may be transferred to and processed in countries that may not provide the same level of data protection as your home country.

Where we transfer EEA or UK personal data to third countries, we rely on appropriate safeguards including:

  • European Commission Standard Contractual Clauses (SCCs) for EEA transfers
  • UK International Data Transfer Agreements (IDTAs) for UK transfers
  • Adequacy decisions where applicable

Enterprise plan customers may request data residency options to keep data within specific geographic regions. Contact us at privacy@cpam.io for details.

10. Your Rights

Depending on your location, you have the following rights regarding your personal data:

Right of Access

Request a copy of the personal data we hold about you.

Right to Rectification

Request correction of inaccurate or incomplete data.

Right to Erasure ("Right to be Forgotten")

Request deletion of your personal data, subject to legal retention obligations.

Right to Data Portability

Receive your data in a structured, machine-readable format (CSV/JSON).

Right to Restriction of Processing

Request that we limit processing of your data in certain circumstances.

Right to Object

Object to processing based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent

Withdraw consent at any time where processing is based on consent, without affecting prior lawful processing.

Right to Lodge a Complaint

You have the right to lodge a complaint with your local supervisory authority. For UK residents: the Information Commissioner's Office (ICO) at ico.org.uk. For EEA residents: your national Data Protection Authority.

To exercise any of these rights, contact us at privacy@cpam.io. We will respond within 30 days (or as required by applicable law). We may need to verify your identity before processing certain requests.

California residents (CCPA/CPRA): You have additional rights including the right to know what personal information we collect, the right to opt out of the sale of personal information (we do not sell personal information), and the right to non-discrimination for exercising your privacy rights.

11. Cookies

We use cookies and similar technologies to keep you logged in, remember your preferences, and understand how you use the Service. See our Cookie Policy for full details and instructions on how to manage your preferences.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Notify you by email at least 14 days before the change takes effect
  • Display a notice in the application for active users

Your continued use of the Service after changes become effective constitutes acceptance of the updated policy. If you do not agree to material changes, you may terminate your account before they take effect.

13. Contact Us

If you have questions about this Privacy Policy, wish to exercise your rights, or have a concern about our data practices, please contact us:

Privacy enquiries: privacy@cpam.io

Data Protection Officer: dpo@cpam.io

Data Processing Agreement requests: legal@cpam.io