The data controller is Ferox Systems BV, a company incorporated under the laws of Belgium with company number BE 0767.392.140, registered office in Oostende, Belgium, trading as Kubeforge.

Kubeforge does not have a designated Data Protection Officer. For any data-protection matter, contact info@kubeforge.io.

This policy covers:

• Your interactions with the kubeforge.io website.
• Email correspondence sent to Kubeforge.
• Personal data processed about individual contacts at current, former or prospective client organisations during the ordinary course of a consulting engagement (for example, a project sponsor's name and email).

Where Kubeforge is engaged to process personal data on behalf of a client (for example, during a security audit that touches production data), that processing is governed by a separate data-processing agreement signed with the client, not by this policy.

3.1 Information you send to us

When you email info@kubeforge.io, we receive your email address, your name (if provided), the content of your message and any attachments.

3.2 Website usage

The kubeforge.io website does not use tracking cookies, advertising technology, or third-party analytics. No identifier is set in your browser by Kubeforge, and no usage data is sent to a third-party analytics service.

3.3 Server logs

Our hosting provider (Azure Static Web Apps) keeps standard technical logs that may include IP address, timestamp, request path, HTTP status and user-agent. These logs are retained for a short operational window by the hosting provider and are used only for security, abuse prevention and service operation.

3.4 No automated decision-making

Kubeforge does not perform automated decision-making or profiling with legal or similarly significant effects on individuals.

3.5 Source of contact data

Some contact data is provided to us directly by you (for example, when you email info@kubeforge.io). Other contact data is provided to us by the Client organisation in the course of setting up or running an engagement (for example, when a Client identifies a project sponsor in a Statement of Work). Where we receive your contact details from the Client rather than from you, the source of the data is the Client organisation, the categories are limited to identifying and business contact information (name, role, business email and phone number), and the processing purposes and legal bases are those described in section 4.

We process personal data for the following purposes and on the following legal bases (GDPR Article 6):

• Responding to enquiries and negotiating engagements — legal basis: steps taken at the request of the data subject prior to entering into a contract (Art. 6(1)(b)), or legitimate interest in responding to business enquiries (Art. 6(1)(f)).
• Delivering consulting engagements and communicating with client contacts — legal basis: performance of the contract with the client organisation and legitimate interest in operating the business (Art. 6(1)(b) and 6(1)(f)).
• Issuing and collecting invoices, and complying with accounting and tax obligations — legal basis: legal obligation (Art. 6(1)(c)) and legitimate interest in managing the business (Art. 6(1)(f)).
• Maintaining website security and preventing abuse — legal basis: legitimate interest in operating a secure service (Art. 6(1)(f)).

The kubeforge.io website does not set any cookies, whether first-party or third-party, for analytics, advertising or personalisation. The only browser storage used is `localStorage`, limited to remembering your chosen light/dark theme on your own device. That preference is not transmitted to Kubeforge or to any third party.

Your personal data is not sold, rented or made available to any third party for marketing purposes. We share data only with the following categories of recipient, under confidentiality and where applicable data-processing agreements:

• Hosting: Microsoft Azure (Azure Static Web Apps). Hosting region is within the EU where technically possible.
• Email: Google Workspace, used to send and receive correspondence from info@kubeforge.io. Google may process email data on infrastructure outside the EEA; such transfers are covered by the EU Standard Contractual Clauses under Google's data-processing terms.
• Calendar booking: Google Calendar appointments, used for scheduling 30-minute scoping calls. Google may process scheduling data on infrastructure outside the EEA; such transfers are covered by the EU Standard Contractual Clauses under Google's data-processing terms.
• Accounting and tax advisors, where required to meet statutory obligations in Belgium.
• Professional advisors (for example, counsel) where reasonably required to protect Kubeforge's legal interests.
• Public authorities, where disclosure is required by law or court order.

Where possible, personal data is processed within the European Economic Area. Where a sub-processor processes data outside the EEA, transfers are covered by an adequacy decision of the European Commission, by the EU Standard Contractual Clauses, or by another lawful transfer mechanism under GDPR Chapter V. Details are available on request.

We keep personal data only for as long as needed for the purpose for which it was collected, unless a longer period is required by law. Indicative retention periods:

• Enquiry correspondence that does not lead to an engagement: up to 24 months, to allow follow-up and to avoid losing context if the enquirer returns.
• Engagement correspondence and Statement of Work materials: for the duration of the engagement plus 10 years, to satisfy Belgian accounting-record retention requirements (Article III.86 of the Belgian Code of Economic Law).
• Invoices and accounting records: 10 years.
• Calendar booking data: retained while the booking is active and for a short operational window thereafter, in line with Google Calendar's defaults.
• Server logs at the hosting layer: retained for a short operational window by the hosting provider.

When a retention period ends, personal data is deleted or irreversibly anonymised.

Under the GDPR you have the following rights in respect of your personal data:

• Access — to obtain a copy of the personal data we hold about you.
• Rectification — to have inaccurate or incomplete data corrected.
• Erasure — to have your personal data deleted, subject to the exceptions in GDPR Article 17(3) (for example, where retention is required by law).
• Restriction of processing — to limit how we use your data in certain circumstances.
• Data portability — to receive the personal data you have provided in a structured, commonly used, machine-readable format, where processing is based on consent or contract and is carried out by automated means.
• Objection — to object, on grounds relating to your particular situation, to processing based on legitimate interest.
• Withdrawal of consent — where processing is based on consent, you may withdraw that consent at any time, without affecting the lawfulness of processing before withdrawal.

To exercise any of these rights, email info@kubeforge.io. We will respond within one month, extendable by a further two months for complex requests, and will explain any delay.

We may ask for information to verify your identity before acting on a request, proportionate to the nature of the request.

If you believe your personal data has been mishandled, please contact info@kubeforge.io so we can look into it. Without prejudice to any other remedy, you have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données):

Rue de la Presse 35, 1000 Brussels — contact@apd-gba.be — www.dataprotectionauthority.be.

If you are based in another EU/EEA country, you may also contact your local supervisory authority.

Kubeforge uses proportionate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration or destruction. Measures include, where applicable: encryption in transit (HTTPS for the website; encrypted transport for email), access restricted to personnel who need it for the engagement, hardened laptop configurations, multi-factor authentication on business-critical accounts, and the minimum-access principle when accessing client systems.

No system is fully secure. In the event of a personal-data breach likely to result in a risk to the rights and freedoms of affected individuals, Kubeforge will notify the Belgian Data Protection Authority within 72 hours of becoming aware of the breach, and will notify affected individuals where the breach is likely to result in a high risk, in each case in line with GDPR Articles 33 and 34.

Kubeforge provides B2B services and does not knowingly collect personal data from children under the age of 16. The website is not directed to children.

We may update this policy from time to time, for example to reflect changes in the services we use or in applicable law. The "Last updated" date at the top of the page indicates when the policy was last revised. Material changes will be highlighted on this page.

Questions about this Privacy Policy or about how your personal data is handled: info@kubeforge.io.

Ferox Systems BV, trading as Kubeforge, Oostende, Belgium. BTW BE 0767.392.140.