Privacy Policy

1. Introduction

These Privacy Policy terms (“Privacy Policy”) describe how CP3 B.V. (“CP3”, “we”, “us”, “our”) processes personal data when you use the CP3 brand intelligence platform at app.cp3.ai and our website at cp3.ai.

This Privacy Policy applies to CP3 B.V., Nieuw Leliestraat 133, 1015 SN Amsterdam, the Netherlands. It explains what data we collect, why we collect it, how we use, store, and share it, and your rights under the General Data Protection Regulation (GDPR) and Dutch privacy law (AVG).

Last updated: 8 June 2026

2. About CP3 Platform Services

CP3 is a SaaS platform that helps brands understand, monitor, and improve their market presence. When you create an account and use CP3, we may:

  • Scan and analyse your brand identity, website, and public or connected social presence
  • Identify market trends and generate strategic recommendations
  • Support content planning, campaigns, and calendar workflows within your dashboard
  • Authenticate your account and, where you choose, connect third-party services such as Google and Instagram

3. Data We Collect

We may collect and process the following categories of personal data:

  • Identity Data (e.g., name, company or brand name, job role)
  • Contact Data (e.g., email address, phone number, billing address)
  • Account & Authentication Data (e.g., login credentials, OAuth provider identifiers, encrypted OAuth tokens, session tokens)
  • Google User Data (see Section 5 – only when you sign in with Google or connect Google Calendar)
  • Instagram Account Data (see Section 6 – only when you connect Instagram)
  • Brand & Marketing Content (e.g., website URLs, brand assets, social handles, campaign inputs, generated insights)
  • Technical Data (e.g., IP address, browser type, device information, server logs)
  • Usage Data (e.g., feature usage, dashboard interactions, preferences)
  • Financial Data (e.g., subscription and payment details processed by our payment provider)

4. How We Collect Your Data

  • Direct interactions when you register, sign in, complete onboarding, connect integrations, contact support, or subscribe
  • Third-party sign-in and connected accounts when you choose Google Sign-In, Google Calendar, or Instagram (Sections 5–6)
  • Automated technologies such as cookies, server logs, and analytics tools
  • Public and authorised brand sources you provide or connect for brand analysis
  • Service providers acting on our instructions (e.g., hosting, email, payments)

5. Google User Data Disclosure

CP3's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We access Google user data only after you initiate Google Sign-In or choose to connect Google Calendar in CP3.

5.1 Google user data we access

  • Sign-in scopes (openid, email, profile): your Google account identifier, name, email address, and basic profile information needed to authenticate you and display your account in CP3.
  • Google Calendar scope (https://www.googleapis.com/auth/calendar.events): only when you connect Google Calendar, we access calendar event data such as event titles, descriptions, dates, times, locations, attendee metadata, and event identifiers needed to display and sync your content calendar in CP3.

5.2 How we use Google user data

  • To create, authenticate, and secure your CP3 account
  • To identify you within your organisation's CP3 workspace
  • To maintain your login session and OAuth connection status
  • To read, create, update, and delete calendar events solely for content calendar and scheduling features you enable
  • To provide customer support related to your Google connection
  • To comply with legal obligations and protect the security of the Services

We do not use Google user data for advertising, selling data, creditworthiness determination, or training generalized AI/ML models unrelated to providing CP3 features you request.

5.3 How we store Google user data

  • Google OAuth access and refresh tokens are stored encrypted in our application database within the European Economic Area (EEA).
  • Your name and email from Google Sign-In are stored in your user profile record while your account is active.
  • Calendar event data retrieved from Google is stored in CP3 only as needed to power calendar views, sync state, and scheduling workflows you use.
  • Short-lived OAuth state values may be stored temporarily in our Redis cache during the authorisation flow.

5.4 How we share Google user data

  • We do not sell or rent Google user data.
  • We do not share Google user data with third parties except:
      • Google, when necessary to complete OAuth authentication or Calendar API requests you initiate;
      • Infrastructure processors (e.g., cloud hosting) that store or process data strictly on our behalf under GDPR-compliant contracts and only to operate CP3;
      • Legal authorities, if required by applicable law or to protect rights, safety, and security.
  • Other users in your CP3 organisation may see your name and email as part of normal workspace collaboration; calendar content is shared only within features and permissions you enable.

5.5 Retention and deletion of Google user data

  • Google OAuth tokens and calendar connection data are retained while your Google connection remains active.
  • When you disconnect Google Calendar or revoke CP3's access in your Google Account settings, we stop accessing Google Calendar data and delete or de-identify stored tokens and synced calendar data within a reasonable period, subject to backup and legal retention requirements.
  • When you delete your CP3 account, we delete or anonymise associated Google user data within the timelines described in Section 11, unless retention is required by law.

5.6 Your controls

6. Instagram and Other Connected Accounts

If you connect Instagram to a brand in CP3, we may request permissions such as user_profile and user_media to verify the account, analyse brand presence, and display connected metrics. We access Instagram data only when you initiate the connection. You can disconnect Instagram at any time in CP3 or through Meta/Instagram account settings.

7. Legal Basis for Processing

  • Consent (e.g., connecting Google Calendar or Instagram, optional cookies where required)
  • Contractual necessity (e.g., account creation, delivering CP3 features, subscriptions)
  • Legal obligations (e.g., tax, accounting, regulatory requirements)
  • Legitimate interest (e.g., securing the platform, preventing abuse, improving services), where not overridden by your rights

8. How We Use Personal Data

  • Provide, operate, and maintain the CP3 platform and your account
  • Authenticate users and manage secure sessions
  • Perform brand scans, trend analysis, and generate insights
  • Sync content calendar events when you connect Google Calendar
  • Process subscriptions and billing
  • Improve security, reliability, and customer support
  • Comply with legal and regulatory obligations

9. Data Sharing & Third Parties

We may share personal data with service providers that host, secure, or support CP3 under data processing agreements, with integration partners when you authorise a connection, and with authorities when required by law. We do not sell or rent personal data. Google user data sharing is limited as described in Section 5.4.

10. Data Storage & Security

We implement technical and organisational measures to protect personal data from unauthorised access, loss, misuse, or alteration. Data is primarily stored within the EEA. If transferred outside the EEA, we use GDPR-compliant safeguards. OAuth tokens and credentials are encrypted and access-controlled.

11. Data Retention

We retain personal data only as long as necessary for the purposes in this Privacy Policy or as required by law. Account data is kept while your account is active. Connected integration data is retained while the connection remains enabled and for a limited period thereafter. Google user data retention is described in Section 5.5.

12. Your Rights

Under GDPR and Dutch law, you may have the right to access, rectify, erase, restrict, object to, or port your personal data, and to withdraw consent where processing is consent-based. To exercise these rights, contact r2@cp3.ai. You may lodge a complaint with the Autoriteit Persoonsgegevens.

13. Cookies & Tracking Technologies

Our website and application use cookies and similar technologies to maintain sessions, secure accounts, remember preferences, and collect analytics. You can manage cookie preferences in your browser. Where required, we request consent before non-essential cookies.

14. Updates to This Policy

We may update this Privacy Policy from time to time. We will post changes on this page and update the “Last updated” date. If we materially change how CP3 accesses, uses, stores, or shares Google user data, we will provide additional notice in the CP3 application and/or by email to the address associated with your account before the change takes effect, where required by law or Google policy.

15. Contact Information

Questions about this Privacy Policy, Google user data, or your privacy rights:

CP3® B.V.
Nieuw Leliestraat 133
1015 SN Amsterdam
The Netherlands
020-6811545
r2@cp3.ai