Privacy Policy

Last updated: January 2025

1. Introduction

Enigma One BV ("Tributr", "we", "our", or "us") is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our CBAM compliance platform and services.

We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.

2. Data Controller

The data controller responsible for your personal data is:

Enigma One BV
Brasschaat, Belgium
Email: [email protected]
VAT: BE 0806 199 959

3. Personal Data We Collect

3.1 Information You Provide

  • Account Information: name, email address, company name, job title, phone number
  • Company Information: company registration number, VAT number, EORI number, business address
  • Authentication Data: username, password (encrypted)
  • Communication Data: messages, support tickets, feedback
  • Business Documents: customs documents, invoices, and other trade-related documents you upload

3.2 Information We Collect Automatically

  • Usage Data: features used, actions taken, time spent on platform
  • Technical Data: IP address, browser type, device information, operating system
  • Log Data: access times, pages viewed, errors encountered
  • Cookie Data: as described in our Cookie Policy

4. Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Contract Performance: To provide our services and fulfill our contractual obligations
  • Legitimate Interests: To improve our services, ensure security, and conduct business operations
  • Legal Obligations: To comply with applicable laws and regulations
  • Consent: For marketing communications and certain cookies (where applicable)

5. How We Use Your Data

We use your personal data to:

  • Provide and maintain our CBAM compliance services
  • Process your documents and generate compliance reports
  • Manage your account and authenticate users
  • Communicate about services, updates, and support
  • Improve our platform and develop new features
  • Ensure security and prevent fraud
  • Comply with legal and regulatory requirements
  • Send marketing communications (with consent)

6. Data Sharing and Disclosure

We may share your personal data with:

  • Service Providers: Third parties who help us operate our platform (cloud hosting, analytics, support)
  • Professional Advisors: Lawyers, accountants, auditors bound by confidentiality
  • Regulatory Authorities: When required by law or to protect our rights
  • Business Transfers: In connection with mergers, acquisitions, or asset sales

We do not sell your personal data to third parties. All data sharing is subject to appropriate safeguards and data processing agreements.

7. International Data Transfers

Your data is primarily stored within the European Economic Area (EEA). If we transfer data outside the EEA, we ensure appropriate safeguards are in place, such as:

  • EU Standard Contractual Clauses
  • Adequacy decisions by the European Commission
  • Your explicit consent (where applicable)

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption of data in transit and at rest
  • Access controls and authentication systems
  • Regular security assessments and audits
  • Employee training on data protection
  • Incident response procedures

9. Data Retention

We retain your personal data for as long as necessary to:

  • Provide our services and maintain your account
  • Comply with legal obligations (typically 7-10 years for financial records)
  • Resolve disputes and enforce agreements
  • Maintain business records for legitimate purposes

When data is no longer needed, we securely delete or anonymize it.

10. Your Rights

Under GDPR, you have the following rights:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your data (subject to legal obligations)
  • Restriction: Limit processing of your data
  • Portability: Receive your data in a structured format
  • Objection: Object to certain processing activities
  • Withdraw Consent: Where processing is based on consent

To exercise these rights, contact us at [email protected]. We will respond within 30 days.

11. Children's Privacy

Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal data from children.

12. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email or platform notification. Your continued use of our services after changes indicates acceptance.

13. Contact Information

For privacy-related questions or to exercise your rights:

Email: [email protected]
Data Protection Officer: [email protected]
Address: Brasschaat, Belgium

You also have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit/Autorité de protection des données) or your local supervisory authority.