This Privacy Policy explains how Custena processes personal data under the EU General Data Protection Regulation (2016/679) and the Danish Data Protection Act. It applies to the websites at custena.com and app.custena.com, our REST API, SDKs, and dashboards (together, the "Service").
1. Who we are
The data controller is Genesis Software Group ApS, a Danish limited company registered under CVR 45033139, with its registered office in Copenhagen, Denmark. You can reach us at contact@genesissoftware.io. We are not required to appoint a Data Protection Officer under Article 37 GDPR, but the same address can be used for all data-protection enquiries.
2. Data we collect
The personal data we process is limited to what the Service needs to authenticate users, route payments, and keep the audit trail required by financial and AI-governance rules. We do not process special-category data, and we do not collect IP addresses, device fingerprints, or geolocation beyond what is strictly necessary for abuse prevention.
| Category | Examples | Source |
|---|---|---|
| Account identity | Email, full name, hashed password (held by our identity provider), account role (buyer / seller), account status | You, at registration |
| Organisation details | Company name, country, VAT / CVR (for invoicing), seller slug | You |
| Payout / payment details | Stripe Connect account identifier, crypto wallet address(es) you configure - we do not store full card numbers | You, your processor |
| Spending-governance config | Per-agent budgets, approval thresholds, allow / deny domain lists | You |
| Transaction and ledger records | Buyer, seller, agent, service and route identifiers, amount, currency, protocol, status, timestamps, external settlement reference | Generated by the Service |
| Support correspondence | Email content and attachments when you contact us | You |
3. Why we process it (legal bases)
- Performance of a contract (Art. 6(1)(b) GDPR). Account creation, authentication, payment routing, settlement, invoicing, and customer support.
- Legal obligation (Art. 6(1)(c) GDPR). Bookkeeping and tax records under the Danish Bookkeeping Act, anti-fraud obligations, and minimum log retention under Article 26(6) of the EU AI Act for deployer evidence.
- Legitimate interests (Art. 6(1)(f) GDPR). Platform security, abuse prevention, audit trails, aggregated product analytics, and communicating essential service changes. We balance these interests against your rights; contact us if you want to object.
- Consent (Art. 6(1)(a) GDPR). Only where separately collected - for example, marketing emails or optional cookies - and you can withdraw it at any time.
4. Who we share data with
We self-host our entire infrastructure in Copenhagen, Denmark, on servers we operate directly - including the backend, the PostgreSQL database, the Redis cache, and the Keycloak identity store. Personal data held inside these systems stays in the EU and is not shared with a third-party cloud provider. We do share personal data with service providers that act as processors on our behalf, with payment networks that are independent controllers for the settlement leg of a transaction, and where required by law. Our current subprocessors are:
| Subprocessor | Purpose | Location |
|---|---|---|
| Stripe Payments Europe Ltd. | Fiat top-ups and Stripe Connect payouts | Ireland / EU |
| OpenNode Inc. | Lightning Network invoicing (L402 protocol, future phase) | United States |
| Blockchain networks (Base, Solana, Stellar, Bitcoin Lightning) | Independent public networks for settlement of crypto payments | Global / decentralised |
| Cloudflare, Inc. | DNS, CDN, and DDoS protection for our websites | Global (EU peering) |
We do not sell personal data and we do not share it with advertising networks. Where a subprocessor is outside the EEA, transfers rely on the European Commission's Standard Contractual Clauses or an applicable adequacy decision. A current list of subprocessors is available on request.
5. How long we keep it
- Account data. While your account is active and for a reasonable period after closure to resolve disputes and enforce our agreements.
- Transaction and ledger records. Retained on an append-only basis for as long as required by accounting law (currently five years under the Danish Bookkeeping Act) and by Article 26(6) of the EU AI Act (minimum six months for deployer evidence; longer where accounting obligations apply).
- Support emails. Typically twenty-four months, then deleted.
- Server logs. Thirty days for operational logs, longer where they document a security event.
- Agent activity logs (custena-connect CLI). Thirteen months, purged nightly. See section 6 for scope, lawful bases, and the exact data points we collect and exclude.
6. Agent activity logs (custena-connect CLI)
If you install the custena-connect CLI, a Claude Code hook forwards a narrow set of agent events to the Custena backend so that we can produce the EU AI Act Article 26 deployer evidence and the payment audit trail that regulators and our financial-institution obligations require. This is a separate category of processing from the account data described above and is disclosed here so you can decide whether to install the CLI.
What we log when the CLI is running:
- Custena MCP tool calls. Calls to custena_* tools (currently custena_pay_challenge and custena_balance) and their arguments, including the seller service URL, the tool name, the payment amount, and the payment method. These arguments are the payment record - they are what we are legally required to retain as a financial institution.
- Session identifier and timestamps. A per-session ID and event timestamps, used to group events into a coherent audit trail.
- Keycloak preferred_username. Links the event to the authenticated buyer account.
- Up to the first 200 characters of the user prompt as session context - the full prompt is never forwarded or stored.
What we explicitly do NOT log:
- Bash commands, grep patterns, or shell history.
- Local file paths or file contents.
- Inputs or outputs of any tool whose name does not start with custena_.
- The full user prompt text.
The CLI filters these categories at source before anything leaves your machine, and the Custena backend drops them as a second line of defence if an older CLI version forwards them by mistake. This is the GDPR Art. 5(1)(c) data-minimisation principle applied at both ends of the connection.
Lawful bases for what we do collect are mapped article-by-article below. The table is designed to match the implementation one-to-one, so the disclosure and the code agree.
| Data point | Lawful basis | GDPR article |
|---|---|---|
| Which Custena service was paid (seller service URL, tool name) | Legitimate interest - payment audit trail | Art. 6(1)(f) |
| Payment amount, payment method (for pay_challenge events) | Legal obligation - financial-institution record keeping | Art. 6(1)(c) |
| Session identifier, event timestamps | Legitimate interest - audit trail integrity | Art. 6(1)(f) |
| Keycloak preferred_username | Performance of a contract - account authentication | Art. 6(1)(b) |
| First 200 characters of the user prompt | Legitimate interest - session context for audit investigations | Art. 6(1)(f) |
| Bash commands, file paths, non-custena tool arguments | No lawful basis - NOT collected | - |
Why we collect this. The EU AI Act applies from 2 August 2026 and requires deployers of general-purpose and high-risk AI agents to keep human-oversight evidence and continuous-monitoring logs under Article 26, with a minimum retention of six months under Article 26(6) for high-risk AI system logs. Custena is the compliance layer that produces this evidence on the buyer's behalf. Separately, as a payment intermediary we are required to keep records of payment authorisations under the Danish Bookkeeping Act and EU 6AMLD for at least five years.
Retention. The hook_events table (the agent activity log) is purged nightly once rows are older than 13 months. Thirteen months clears the six-month EU AI Act minimum, covers a full annual audit cycle plus a one-month buffer, and is defensible under the GDPR Art. 5(1)(e) storage-limitation principle as proportionate to the purpose. Separately, rows in the payments table (financial records under Art. 6(1)(c) legal obligation) are retained for at least five years per the Danish Bookkeeping Act and EU 6AMLD. Uninstalling the custena-connect CLI stops new activity logs from being created but does not retroactively purge either table.
Your rights. Access, rectification, and erasure requests under Articles 15–17 apply to the hook_events table and we will honour early-deletion requests unless a specific investigation or legal hold applies. Erasure under Article 17 does not override the Article 6(1)(c) legal obligation that keeps financial records in the payments table for at least five years - those rows stay.
7. Your rights
Under the GDPR you have the right to: access your personal data; ask us to rectify inaccurate data; ask us to erase data we no longer need to retain; restrict or object to our processing; receive a machine-readable copy of certain data (portability); and withdraw consent where processing is based on consent. Exercising these rights is free; we will respond within one month and, if we cannot act on your request (for example where accounting law requires us to keep the data), we will explain why.
Send requests to contact@genesissoftware.io. We may ask for information to verify your identity before acting.
8. Complaints
If you are unhappy with how we handle your personal data you can lodge a complaint with the Danish Data Protection Authority (Datatilsynet), Carl Jacobsens Vej 35, 2500 Valby, Denmark, or with the supervisory authority in your EU member state of residence.
9. Security
We apply technical and organisational measures appropriate to the risk, including TLS encryption in transit, encrypted storage for sensitive fields (such as payout details), hashed password storage via our identity provider, API-key hashing (we never store the full key), principle-of-least-privilege access controls, and an immutable ledger that prevents back-dated modification of financial records.
10. Cookies and tracking
We use only the strictly necessary cookies needed to keep you signed in and to protect the Service from abuse. We do not run third-party analytics, advertising pixels, or cross-site trackers on custena.com. If this changes we will update this page and, where required, ask for consent first.
11. Children
The Service is not directed to individuals under the age of 16 and we do not knowingly process their data. If you believe a child has provided us with personal data, please contact us and we will delete it.
12. Changes to this policy
We may update this policy. Material changes will be announced in the dashboard or by email before they take effect. The "Last updated" date at the top of this page always reflects the current version.
13. Contact
Genesis Software Group ApS · CVR 45033139 · Copenhagen, Denmark · contact@genesissoftware.io.