Privacy Policy

cloudxedge.com

Last updated: June 3, 2026

1 Identity and Contact Details of the Data Controller

Data Controller

Company: UPC Digital Infrastructure SRL (a Liberty Global company)
Data Centers: Ploiesti and Brasov, Romania
Website: www.cloudxedge.com
Email: sales@cloudxedge.com
Data Protection Officer (DPO): sales@cloudxedge.com

UPC Digital Infrastructure SRL ("CloudXEdge", "we", "us", "our") is a Romanian company operating as part of the Liberty Global group. CloudXEdge acts as a data controller with respect to personal data collected through its website (cloudxedge.com) and, in certain circumstances, through the provision of cloud infrastructure services.

As a cloud infrastructure provider, CloudXEdge also acts as a data processor on behalf of its business customers ("Clients") who store and process personal data on CloudXEdge infrastructure. In those cases, the Client remains the data controller and a separate Data Processing Agreement (DPA) governs that relationship.


2 Scope and Applicable Law

This Privacy Policy applies to:

– Visitors to the CloudXEdge website (cloudxedge.com)
– Prospective and existing customers who contact CloudXEdge or register for services
– Individuals whose personal data is submitted to CloudXEdge through contact forms, newsletters, or support channels

CloudXEdge complies with the following legal framework:

– Regulation (EU) 2016/679 of the European Parliament — General Data Protection Regulation (GDPR)
– Romanian Law no. 190/2018 on measures to implement GDPR
– Romanian Law no. 506/2004 on the processing of personal data and privacy in electronic communications
– Directive 2002/58/EC (ePrivacy Directive) as implemented in Romania
– NIS2 Directive (EU) 2022/2555, applicable to CloudXEdge as a cloud computing service provider
– EU Data Act (Regulation 2023/2854) — provisions applicable to cloud service providers


3 Personal Data We Collect

3.1 Website Visitors

When you visit cloudxedge.com we may collect:

– Technical identifiers: IP address, browser type and version, operating system, referring URL, pages viewed, time and date of visit
– Cookie-related data: session identifiers, preference settings, analytics data (see our Cookie Policy for details)

3.2 Contacts, Leads and Prospective Customers

When you submit a contact form, request a demo, or register interest in services, we collect:

– Identity data: first name, last name, job title, company name
– Contact data: business email address, telephone number
– Communication data: the content of your inquiry or message

3.3 Registered Service Customers

When you or your company purchase or use CloudXEdge services, we collect:

– Account data: username, billing contact details, company registration number (for Romanian VAT purposes)
– Financial data: invoicing and payment records (payment card data is processed by our PCI-DSS-certified payment processor; we do not store full card numbers)
– Service usage data: resource consumption metrics, API call logs, support ticket records
– Technical logs: access logs, error logs, and system events associated with your account

3.4 Data We Do Not Collect

CloudXEdge does not intentionally collect special categories of personal data (i.e. health, biometric, racial or ethnic origin, political opinions, religious beliefs, or sexual orientation data) through its website or service registration processes. If such data is uploaded by a Client onto CloudXEdge infrastructure, CloudXEdge processes it as a data processor in accordance with the applicable DPA.


4 Legal Bases for Processing

We rely on the following legal bases under GDPR Article 6:

Contractual necessity (Art. 6(1)(b)): Processing account, billing, and service delivery data necessary to perform our contract with you or to take steps at your request before entering into a contract.

Legitimate interests (Art. 6(1)(f)): Processing website analytics, security monitoring, fraud prevention, and service improvement activities. Our legitimate interests are balanced against your rights and freedoms.

Consent (Art. 6(1)(a)): Marketing communications and non-essential cookies. You may withdraw consent at any time without affecting processing carried out before withdrawal.

Legal obligation (Art. 6(1)(c)): Retaining invoices and tax records as required by Romanian fiscal law (Law 227/2015 on the Fiscal Code).

Vital interests (Art. 6(1)(d)): Used only in exceptional emergency circumstances.


5 Purposes of Processing

– Providing, operating, and maintaining our cloud infrastructure services
– Creating and managing customer accounts
– Billing, invoicing, and financial administration
– Responding to inquiries, support requests, and technical issues
– Sending service-related communications (e.g. maintenance notices, security alerts)
– Marketing communications about CloudXEdge products and services (with consent)
– Website analytics to improve user experience and service performance
– Security monitoring, intrusion detection, and prevention of unauthorized access
– Compliance with legal and regulatory obligations
– Exercising or defending legal claims


6 Data Sharing and Recipients

CloudXEdge does not sell personal data. We may share personal data with:

6.1 Liberty Global Group

As part of the Liberty Global group, CloudXEdge may share data with affiliated entities for internal administrative purposes, IT system management, and consolidated financial reporting. All intra-group transfers are governed by binding intra-group data transfer agreements aligned with GDPR.

6.2 Service Providers (Sub-processors)

We engage trusted third-party service providers who process data on our behalf under GDPR Article 28 agreements, including:

– Payment processing providers (PCI-DSS compliant)
– Customer relationship management (CRM) platform providers
– Email and communications platform providers
– Website analytics providers
– Security and threat intelligence services
– Legal, audit, and professional advisory services

6.3 Legal Disclosure

We may disclose personal data to competent public authorities, courts, or regulatory bodies when required by applicable law, judicial order, or to protect the rights and safety of CloudXEdge, its customers, or the public.


7 International Transfers of Personal Data

CloudXEdge's primary data centers are located in Romania (Ploiesti and Brasov), within the European Economic Area (EEA). Data is stored within the EEA by default.

Where CloudXEdge or its sub-processors transfer personal data outside the EEA, we ensure appropriate safeguards are in place, including:

– EU Standard Contractual Clauses (SCCs) as adopted by European Commission Decision 2021/914
– Adequacy decisions issued by the European Commission
– Binding Corporate Rules (applicable within the Liberty Global group)

You may request a copy of the applicable transfer safeguards by contacting our DPO at dpo@cloudxedge.com.


8 Data Retention

We retain personal data only for as long as necessary for the purposes described in this Policy or as required by law:

– Website analytics logs — 13 months from collection, then aggregated or deleted
– Contact form / inquiry data — 24 months from last interaction, or upon request for erasure
– Customer account data — Duration of contractual relationship + 5 years (fiscal and legal compliance)
– Invoices and financial records — 10 years (Romanian fiscal law — Law 227/2015)
– Security and access logs — 12 months from generation (extendable in case of active security incident)
– Support tickets — 3 years from ticket closure
– Marketing consent records — Until consent is withdrawn + 3 years for compliance evidence

After retention periods expire, personal data is securely deleted or anonymised.


9 Your Rights as a Data Subject

Under the GDPR and Romanian Law 190/2018, you have the following rights:

Right of access (Art. 15): You may request confirmation of whether we process your data and receive a copy of that data.

Right to rectification (Art. 16): You may request correction of inaccurate or incomplete personal data.

Right to erasure (Art. 17): You may request deletion of your data where it is no longer necessary for its original purpose, where consent is withdrawn, or where processing is unlawful. This right may be limited where processing is required by law or for legal claims.

Right to restriction (Art. 18): You may request temporary suspension of processing in specific circumstances (e.g. while accuracy is contested).

Right to portability (Art. 20): Where processing is based on consent or contract and carried out automatically, you may receive your data in a structured, commonly used, machine-readable format.

Right to object (Art. 21): You may object to processing based on legitimate interests, including profiling. You have an absolute right to object to direct marketing.

Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting prior processing.

Right to lodge a complaint: You have the right to lodge a complaint with the Romanian data protection supervisory authority (ANSPDCP) — see Section 11.

To exercise any of these rights, contact us at: privacy@cloudxedge.com or write to our registered office. We will respond within 30 days of receipt of your request (extendable by a further two months in complex cases, with notice).

We may request proof of identity before processing your request.


10 Security Measures

CloudXEdge implements technical and organisational security measures appropriate to the risk, including:

– ISO 27001-aligned security management practices
– Encryption of data in transit (TLS 1.2/1.3) and encryption of data at rest
– Role-based access controls and multi-factor authentication for all administrative systems
– Network segmentation, intrusion detection systems (IDS), and 24/7 security monitoring
– Regular penetration testing and vulnerability assessments
– Incident response and data breach notification procedures (72-hour notification to ANSPDCP per GDPR Art. 33)
– Physical security controls at both data center locations (Ploiesti and Brasov)
– Data backup and disaster recovery capabilities

As a cloud infrastructure provider, CloudXEdge is also subject to the NIS2 Directive obligations for digital infrastructure providers, including risk management and incident reporting requirements.


11 Romanian Supervisory Authority (ANSPDCP)

Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP)

Website: www.dataprotection.ro
Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucuresti 010336, Romania
Phone: +40.318.059.211
Email: anspdcp@dataprotection.ro

You have the right to lodge a complaint with ANSPDCP at any time if you believe CloudXEdge has not complied with applicable data protection law. We encourage you to contact us first so we can address your concern directly.


12 Automated Decision-Making and Profiling

CloudXEdge does not subject website visitors or customers to fully automated decisions that produce legal or similarly significant effects (within the meaning of GDPR Article 22). We may use automated tools for resource usage analysis and anomaly detection, but these are used only to inform human decision-making.


13 Children's Data

CloudXEdge services are directed at businesses and professionals. We do not knowingly collect personal data from individuals under 16 years of age. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly. Please contact sales@cloudxedge.com if you have concerns.


14 Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, applicable law, or regulatory guidance. We will notify registered customers of material changes by email. The "Last updated" date at the top of this document will always reflect the most recent version. We encourage you to review this Policy periodically.


15 Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or our data processing practices:

CloudXEdge Privacy Contact
General privacy inquiries: sales@cloudxedge.com
Data Protection Officer: sales@cloudxedge.com
Website: www.cloudxedge.com