Privacy

Last updated: 9 September 2025

Who we are

Cresco Cybersecurity SRL (“Cresco”, “we”) is a cybersecurity company registered in Belgium (BE 0754.730.571). Address: Avenue Henri de Brouckère 103, 1160 Auderghem, Brussels, Belgium.
This policy explains how we handle personal data when you use https://www.cresco.be or work with us in a business context.
If anything here is unclear, contact us at [email protected]; we want this simple and understandable.

Our role

Controller: for our own business (website, marketing, contracts, billing, internal security).
Processor: when we process limited data during client work (e.g., penetration tests). In that case, the client is the controller, and our Data Processing Addendum (DPA) applies.

What we collect

We only collect what we need:

  • Contact info: name, job, company, email, phone, address.
  • Website data: IPs, pages, logs, cookies.
  • Service info: what you send us in forms, meetings, or scan requests.
  • Account data: login details if you access our portals.
  • Commercial data: contracts, proposals, invoices (no full card numbers).
  • Event data: registrations, attendance, recordings (if we tell you).
  • Supplier/partner info: for people we work with.
  • Public/provided data: professional contact info from trusted sources.

We may create anonymized stats, but if re-identifiable, we treat it as personal data.

Why we use it

Our legal bases under GDPR

When we use personal data, we always make sure we have a valid legal reason (a “lawful basis” in GDPR terms). Here’s how it works for us:

  • To provide services and run contracts
    When you’re our client, we need some data (like contact details, system info, billing data) to deliver the service, run the contract, and communicate with you.
    (Legal basis: contract necessity - Art. 6(1)(b) GDPR)
  • To handle billing and legal duties
    We keep invoices, tax info, and certain records because the law requires it.
    (Legal basis: legal obligation - Art. 6(1)(c) GDPR)
  • To keep our systems and clients secure
    We log activity, monitor for threats, and investigate incidents to protect systems and data.
    (Legal basis: legitimate interests - Art. 6(1)(f) GDPR, our interest in security and fraud prevention)
  • To answer your questions and support you
    If you contact us, we use the details you give us to respond.
    (Legal basis: legitimate interests - Art. 6(1)(f) GDPR, our interest in communicating with you and solving issues)
  • To improve our website and services
    We use analytics cookies only if you consent, and we may use feedback or logs (in a minimal, aggregated way) to improve.
    (Legal basis: consent for cookies - Art. 6(1)(a); legitimate interests for service improvement - Art. 6(1)(f))
  • To send B2B updates and event invites
    Sometimes we send professional contacts information about our services or events.
    In countries where legitimate interest is enough (under GDPR and ePrivacy), we rely on that basis, and you can opt out at any time.
    In countries where consent is required (for example, Belgium), we will only send electronic marketing communications if you have given us your prior consent.
    (Legal basis: legitimate interests - Art. 6(1)(f) GDPR, balanced with your right to unsubscribe; or consent - Art. 6(1)(a) GDPR, where required by local law)
  • To manage suppliers and partners
    We process supplier/partner data to work together smoothly.
    (Legal basis: contract necessity - Art. 6(1)(b); legitimate interests - Art. 6(1)(f))
  • When you give us consent
    For anything extra (like recordings, newsletter signups, optional cookies), we’ll ask first. You can withdraw consent at any time.
    (Legal basis: consent - Art. 6(1)(a) GDPR)

Security testing

We don’t test systems without permission. If personal data shows up in scope (e.g., logs), we handle it minimally, securely, and delete it when done.

Cookies

  • Essential cookies: required for the site.
  • Analytics cookies: only with your consent (via banner).

You can change choices anytime. See our Cookie Policy.

Sharing

We don’t sell data. We only share when needed:

  • With Cresco staff/contractors under confidentiality.
  • With service providers (hosting, CRM, email, accounting).
  • With partners/sub-consultants for projects (under strict agreements).
  • With authorities if legally required.
  • In case of merger/sale, new owners must respect this policy.

Transfers outside the EEA

We mainly process data in Belgium and the wider European Economic Area (EEA).
Sometimes, data may be stored or accessed outside the EEA, for example, if we use a trusted service provider (like a secure cloud or CRM tool) that is based abroad.

When that happens, we make sure your rights are still protected by using GDPR-approved safeguards, such as:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Providers with extra security commitments (encryption, access limits, audits).
  • Data minimization so only what’s necessary goes outside the EEA.

If you’d like more details or a copy of the safeguards we use, just ask us at [email protected].

How long we keep it

  • Inquiries: ~3 years.
  • Client engagement data: contract + up to 10 years.
  • Financial records: 7–10 years (legal).
  • Testing artefacts: only as per contract, then securely deleted.
  • HR data (employees, candidates, contractors):
    Job applications: we keep them during the hiring process and up to 2 years after the last contact (unless you ask us to delete them sooner).
    Employee and contractor files: we keep them while you work with us and up to 10 years after you leave, because of labor, social security, and tax rules.
    Payroll and tax records: we keep them as long as the law requires (usually 7–10 years).
    Backups may keep data briefly before purge.

Security

We practice what we preach: TLS, encryption, access controls, MFA, patching, monitoring, secure coding, staff training, incident response. If a breach risks your rights, we’ll tell you quickly and notify the authority within 72h if required.

Your rights

You can ask us anytime to:

  • Access, correct, or delete your data.
  • Limit or stop how we use it.
  • Get a copy (portability).
  • Withdraw consent (if that’s the basis).
  • Say no to marketing (always free, always respected).

How we handle requests

When you send us a request about your personal data (access, correction, deletion, etc.):

  • We may ask for information to confirm it’s really you (for example, the email address you used with us or an ID if needed).
  • We reply within a month (we may extend this by 2 months if the request is complex, but we’ll let you know why and keep you updated).
  • If you ask for a copy of your data (portability or access), we’ll provide it in a common digital format (usually PDF, CSV, or similar).
  • Requests are free. If they are excessive or repeated, the GDPR allows us to charge a small fee or refuse, but we’ve never had to do that.
  • If your data has been shared with partners or processors and you ask for correction, erasure, or restriction, we’ll do our best to inform them too.
  • We keep a log of requests so we can prove compliance to regulators if asked.

Children

We work with professionals, not kids. We don’t knowingly collect under-16 data. If it happens, tell us and we’ll delete it.

Contact us

Cresco Cybersecurity SRL – Privacy Contact (Christophe Mazzola, CISO)
📧 [email protected]
📮 Avenue Henri de Brouckère 103, 1160 Brussels (Auderghem), Belgium

If you have concerns, please contact us first.
You also have the right to complain to:

Changes

If we change this policy, we’ll update the date at the top. For major changes, we’ll give you a clear heads-up (e.g., banner, email).