Privacy Policy
Data Controller (Verwerkingsverantwoordelijke)
This Privacy Policy applies to personal data processed by Currently.
Company Name (Legal Entity): Ruthless Dawn
Registered Address: Handelstraat 60, 7311CH Apeldoorn
KVK Number: 64293459
Email: [email protected]
No Data Protection Officer Appointed: Currently is not required to appoint a Data Protection Officer under Article 37 GDPR.
This Privacy Policy explains how Currently (“we”, “us”, “our”) collects, uses, stores, and protects your personal information when you use our websites, applications, dashboards, and related services (“Services”). We are committed to transparency, security, and compliance with applicable privacy laws, including the GDPR.
Summary of Key Points
We collect only the information necessary to provide secure, reliable Services.
We do not sell or share your personal information with third-party advertisers.
You have rights to access, modify, export, and delete your data.
All processing is based on clear legal grounds under GDPR.
We use Strictly Necessary cookies only (see Cookie Policy section below).
1. What Information Do We Collect?
We collect personal information only when it is necessary to provide, secure, and improve the Services offered by Currently. The exact data we collect depends on how you interact with our websites, dashboards, mobile access, integrations, and customer support. We distinguish between information you provide directly, information collected automatically, and information generated through your use of the platform.
Information you provide directly
Account Information: When you create or authenticate an account, we collect your name, email address, username, tenant affiliation, password (securely hashed), and optional profile fields. This information is essential for identity verification and access control within the platform.
Communication & Support Data: When you contact support, request assistance, or respond to onboarding, we collect any information you choose to provide, such as screenshots, system details, usage descriptions, and troubleshooting context. This data is voluntary and used strictly to resolve your request.
Configuration & Preference Data: These are settings you explicitly configure inside Currently, such as UI preferences, dashboard filters, locale settings, and project metadata. They help tailor the platform to your personal workflow.
Information collected automatically when you use the platform
Usage Data: This includes activity logs, feature interactions, timestamps, viewed pages, workflow events, and performance metrics. We use this data to understand platform reliability, optimize features, and improve user experience. All usage data is anonymized or pseudonymized whenever possible.
Device & Technical Data: When accessing the platform, we collect device type, browser version, operating system, screen resolution, IP address, security identifiers, and system-generated event logs. This ensures compatibility, detects anomalies, and enhances platform security.
Authentication & Security Data: To protect your account, we generate and store login events, failed login attempts, IP location approximations, audit logs, CSRF/XSRF tokens, session identifiers, and system alerts. This data is required for fraud prevention and maintaining a secure environment.
Information generated as part of your usage
Project & Workflow Data: When you work inside Currently (e.g., dashboards, energy simulations, customer flows), the system generates internal metadata needed for calculations, performance, collaborative features, and system stability. This information always remains strictly within the platform and is not shared externally.
Error Logs & Diagnostics: In case of application errors, the system may generate technical crash logs, stack traces, and diagnostic snapshots. These may include indirect references to your activity (but never sensitive content) and are used solely to improve reliability.
We do not collect or process any Special Categories of Personal Data as defined under Article 9 of the GDPR. This includes: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, health data, and data concerning a person’s sex life or sexual orientation. We also do not collect financial payment details unless explicitly required for billing functionality, in which case we rely on certified third-party payment processors.
Where possible, data is anonymized or pseudonymized to ensure your privacy and reduce risk. Any information collected is processed solely for the purposes described in this Privacy Policy and based on lawful grounds under the GDPR.
Legal basis per data type (GDPR Art. 6):
• Account Information → Contractual necessity (Art. 6(1)(b))
• Usage Data → Legitimate interest in improving services (Art. 6(1)(f))
• Security Data → Legal obligation + legitimate interest (Art. 6(1)(c), 6(1)(f))
• Support Requests → Consent or contractual necessity depending on context
• Configuration & Preference Data → Contractual necessity (Art. 6(1)(b)), as these settings are required for the operation of the platform.
2. How Do We Process Your Information?
We process personal information only where we have a lawful basis under GDPR and only for clearly defined purposes. All processing activities are connected to delivering, securing, maintaining, and improving the Services offered by Currently. We do not engage in profiling, automated decision-making, or selling of personal data.
Legal bases for processing under GDPR
Contractual Necessity: Required to create and manage user accounts, authenticate users, provide dashboard access, deliver platform features, maintain tenant environments, and ensure real-time functionality. Without this processing, the Services cannot be provided.
Legitimate Interests: We process usage data, performance metrics, error diagnostics, security events, and workflow interactions to improve product stability, optimize performance, detect suspicious activity, and understand how users engage with features. All legitimate-interest processing is balanced against your privacy rights.
Legal Obligations: Certain data must be processed or stored to comply with EU and national law, including audit logging, fraud prevention, incident recording, financial regulations (if applicable), and security record-keeping. This may include retaining logs for specified periods to fulfill regulatory requirements.
Consent: We rely on your explicit consent for optional activities, such as receiving newsletters, beta program invitations, or non-essential communication. You may withdraw consent at any time without affecting your use of the core platform.
What do we use your information for?
Providing and maintaining the platform: Delivering real-time dashboards, managing user sessions, processing settings, enabling simulations, rendering workflows, synchronizing tenant projects, and ensuring uninterrupted service delivery.
Securing your account and our infrastructure: Authentication event monitoring, threat detection, rate limiting, prevention of unauthorized access, CSRF protection, and continuous audit logging. Our systems automatically evaluate login patterns to block malicious activity.
Improving performance and stability: Analysis of usage patterns, UI interactions, error logs, and system resource loads to enhance user experience, increase efficiency, and reduce downtime. This includes technical diagnostics, product analytics, and internal testing.
Communication and support: Responding to support tickets, onboarding users, informing customers about operational updates, and delivering account-related notifications. We do not send marketing communications without consent.
Research and product development: We analyze aggregated and pseudonymized data to identify trends, test new features, and evaluate platform improvements. Personal data is not used for external research or shared with third parties.
Fraud prevention and incident response: Logging suspicious activity, verifying access attempts, analyzing potential breaches, and responding to operational incidents. These activities are essential to ensure the integrity of user accounts and tenant environments.
Compliance, enforcement, and record-keeping: Maintaining legally required audit trails, ensuring compliance with GDPR and national privacy regulations, and enforcing platform terms of service. This includes processing necessary to defend against legal claims.
We do not perform automated decision-making that produces legal or similarly significant effects on users. Any automated systems we use (such as login anomaly detection or rate-limiting) operate solely for security or stability purposes.
Personal data is always processed in accordance with the principles of GDPR: lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality.
3. Do We Share Personal Information?
We do not sell, rent, or trade your personal information to third parties. Any sharing of data is limited, purpose-bound, and always processed in accordance with GDPR requirements. When we engage third parties, we ensure they meet strict technical and organizational security standards.
When do we share your information?
With trusted service providers: We work with carefully selected processors that support the operation of the platform. These may include:
- Cloud hosting and infrastructure services
- Database and storage providers
- Error monitoring and diagnostics tools
- Authentication and identity management systems
Cloud Hosting & Infrastructure (DigitalOcean): The Currently platform is hosted on DigitalOcean servers located in Amsterdam (EU region). All application data, databases, and compute workloads remain fully within the EU/EEA. DigitalOcean acts as a GDPR-compliant processor under a Data Processing Agreement and implements strict technical and organizational safeguards including encryption, access controls, and network isolation.
Content Delivery & Security (Cloudflare): All traffic to the Currently platform is routed through Cloudflare’s EU-based edge network for performance, caching, and DDoS protection. Cloudflare processes only the minimum necessary technical data and does not use this information for advertising or analytics. All Cloudflare processing for Currently remains within EU/EEA regions and is governed by GDPR-compliant Standard Contractual Clauses and strong security controls.
Billing & Subscription Management (Chargebee): Chargebee processes subscription, invoicing, and billing information exclusively through its EU (Amsterdam) infrastructure. All Chargebee-handled data remains within the EU/EEA and is protected by GDPR-compliant Standard Contractual Clauses, encryption, and strict access controls. Full payment card information is not stored or processed by Currently.
For security and fraud prevention: We may share data with specialized vendors who help us identify harmful activity, enforce platform security, detect intrusion attempts, or analyze unusual authentication events.
For legal compliance: We may disclose information if required by law, court order, or governmental authority, but only when such disclosure is:
- Legally mandatory under EU or national law
- Necessary to protect the rights, safety, or property of users
- Required to investigate fraud or security incidents
With your explicit consent: If you choose to connect your account to a third-party integration, participate in beta programs, or receive optional communications, we may share relevant information only after you have given clear and informed consent.
Internal tenants and administrators: In multi-tenant environments, certain data may be visible to tenant administrators to fulfill operational responsibilities such as user management, access control, or support requests. This visibility is strictly role-based and logged.
How do we ensure GDPR-compliant sharing?
Data Processing Agreements (DPAs): All processors operate under GDPR-compliant DPAs that define their obligations, confidentiality requirements, and security responsibilities.
Strict purpose limitation: Processors may use your information only to perform contracted services and may not reuse or resell the data for any independent purpose.
Technical and organizational safeguards: All third parties must meet high standards for encryption, access control, vulnerability management, and operational security.
Audits and oversight: We conduct periodic reviews of processors to ensure ongoing compliance with GDPR and industry security practices.
We do not participate in data brokerage, advertising networks, or any form of commercial data monetization. All sharing is limited, transparent, and aligned with GDPR principles.
4. How Long Do We Keep Your Information?
We retain personal data only for as long as it is reasonably necessary to provide our Services, fulfill our contractual obligations, meet legal requirements, and maintain platform security. Retention periods depend on the type of data, the purpose of processing, and the applicable laws within the EU and the Netherlands.
How we determine retention periods
Purpose of collection: Data used for authentication, security, or service delivery is kept for as long as your account remains active. Once it is no longer required, it is deleted or anonymized.
Legal obligations: Certain data must be retained for mandatory legal periods (e.g., tax regulations, cybersecurity laws, audit-control requirements under EU legislation).
Security and fraud prevention: Logs related to authentication attempts, suspicious activity, and system integrity may be retained longer to monitor patterns and protect the Service against ongoing threats.
Operational records: Non-identifiable diagnostic or performance data may be kept for trend analysis and improving platform stability.
Typical retention periods
Account Data (email, username, tenant affiliation): Retained for the duration of your active account and deleted within a reasonable timeframe after your request to close the account, unless legal obligations require longer storage.
Authentication Data (tokens, XSRF identifiers): Retained for short periods (typically minutes to days), depending on session security policies.
Error logs & diagnostic data: Typically kept for 30–180 days to troubleshoot issues and improve system reliability.
Audit logs: May be retained for several years when required by security, compliance, or contractual obligations, particularly in multi-tenant and enterprise environments.
Support interactions: Kept for as long as needed to resolve your request and maintain accurate support history.
Verification Data (identity checks during GDPR/AVG requests): Retained only for the duration of the verification process and deleted immediately after identity has been confirmed.
When data is no longer necessary, we securely delete it or irreversibly anonymize it in accordance with GDPR Article 5(1)(e). You may request deletion of your personal data at any time unless legal retention requirements prevent it.
5. What Are Your Privacy Rights?
Under the General Data Protection Regulation (GDPR) and applicable Dutch privacy laws, you have several rights regarding how your personal data is collected, processed, and stored. These rights are designed to give you control over your personal information and ensure transparent, fair, and lawful processing practices.
Your rights under GDPR (EEA, UK, NL)
Right of access (Article 15 GDPR): You have the right to request confirmation about whether we process your personal data and obtain a copy of the information we hold about you.
Right to rectification (Article 16 GDPR): You may request corrections to inaccurate, incomplete, or outdated personal information.
Right to erasure / “Right to be forgotten” (Article 17 GDPR): You may request deletion of your personal data when it is no longer necessary, you withdraw consent, or processing is unlawful—unless legal or security obligations require retention.
Right to restrict processing (Article 18 GDPR): You may ask us to limit processing of your data while accuracy, legality, or objections are being evaluated.
Right to data portability (Article 20 GDPR): You can request an export of your personal data in a structured, commonly used, machine-readable format, and you may transfer it to another service.
Right to object (Article 21 GDPR): You may object to forms of processing based on legitimate interests or public interest. If you object, we will stop processing unless we demonstrate compelling legitimate grounds.
Right not to be subject to automated decision-making (Article 22 GDPR): Currently does not engage in automated decision-making or profiling that would significantly affect you.
Right to withdraw consent at any time: If processing is based on your consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
Region-specific rights
EEA & Netherlands: Users have full GDPR rights as listed above. If you believe your rights are violated or your personal data has been processed unlawfully, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
United Kingdom: Rights are equivalent under the UK GDPR.
Requests related to your privacy rights can be submitted through the account settings dashboard or by contacting us directly. We will respond within one calendar month, in accordance with GDPR Article 12(3), and may extend the period by an additional two months for complex cases. If we cannot fulfill your request due to legal or security obligations, we will inform you promptly with reasons.
6. How Do We Protect Your Data?
We implement appropriate technical, organizational, and administrative measures to protect your personal data against unauthorized access, loss, misuse, alteration, or disclosure. Our security framework is designed in accordance with GDPR Article 32, industry standards, and best practices for modern cloud-based platforms.
Technical Security Measures
Encryption in transit and at rest: All communication between your browser and our servers is encrypted using TLS. Sensitive data stored in our infrastructure uses industry-standard encryption algorithms.
Secure authentication: Passwords are hashed using strong cryptographic methods. We support multi-factor authentication (MFA) and enforce secure credential policies.
Role-based access control (RBAC): Access to internal systems is restricted based on job responsibilities, following the principle of least privilege.
Network and infrastructure security: Firewalls, container isolation, rate limiting, DDoS protection, and continuous vulnerability scanning are used to protect our hosting environment.
Automated monitoring & audit logs: Security events, authentication attempts, administrative actions, and error reports are logged and monitored for suspicious activity.
Organizational Security Measures
Confidentiality obligations: All personnel with access to personal data are bound by confidentiality agreements and receive regular privacy and security training.
Data minimization: We limit collection and retention of data to what is strictly necessary for operation of the Services, in accordance with GDPR Articles 5(1)(c) and 25.
Vendor risk management: Third-party processors undergo security reviews and sign GDPR-compliant Data Processing Agreements (DPAs).
Incident response procedures: We maintain protocols to detect, investigate, and remediate security incidents promptly and effectively.
Your Responsibilities
While we work to keep your data secure, no system can guarantee complete security. You are responsible for maintaining the confidentiality of your login credentials and ensuring that you use secure devices and networks when accessing the Services.
Data Breach Procedures
In the unlikely event of a personal data breach, we will follow the requirements of GDPR Articles 33 and 34, including:
Prompt notification to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) when required by law.
Communication to affected users if the breach is likely to result in a high risk to their rights and freedoms.
Documentation of all breaches as required by GDPR Article 33(5), even if no notification is required.
We continuously evaluate and improve our security measures to ensure ongoing confidentiality, integrity, and availability of personal data.
7. International Data Transfers
Currently is established within the European Union and processes personal data in accordance with the General Data Protection Regulation (GDPR) and the Dutch Algemene Verordening Gegevensbescherming (AVG). As a rule, we aim to store and process data within the EU/EEA whenever possible.
In certain circumstances, limited transfers outside the EEA may occur — for example when we use cloud infrastructure, support tools, or service providers located in jurisdictions outside the EU. Any such transfer only takes place when:
The European Commission has issued an adequacy decision for the country in question, meaning the jurisdiction provides a comparable level of data protection; or
We enter into Standard Contractual Clauses (SCCs) as approved by the European Commission to ensure appropriate safeguards for personal data; or
The service provider has implemented supplementary technical and organizational safeguards required under the “Schrems II” ruling, such as encryption, access controls, and data-minimization protocols.
Transfers are necessary for the performance of a contract between you and Currently, such as when connecting to external identity providers or mail delivery services.
We do not transfer personal data to countries or organizations that fail to provide adequate protection unless strong legal safeguards are in place. Before engaging any processor outside the EEA, Currently performs a data protection impact assessment to evaluate the legal, technical, and security environment of the receiving country.
All core application infrastructure—including databases, file storage, and compute services—is hosted on DigitalOcean’s Amsterdam (EU) data centers. No DigitalOcean-processed personal data leaves the EU/EEA.
Web traffic, TLS termination, caching, and security filtering are handled through Cloudflare’s European edge network. All Cloudflare processing for the Currently platform is confined to EU/EEA data centers and does not involve transfers to the United States or other third countries.
Billing and subscription data is processed exclusively within Chargebee’s Amsterdam EU infrastructure. No Chargebee-handled personal data is transferred outside the EU/EEA, and all processing is performed under GDPR-compliant Standard Contractual Clauses and PCI-DSS aligned payment controls.
Support communications, operational emails, and diagnostic data are likewise processed in the EU unless a specific vendor operates outside the EEA, in which case all transfers are covered by Standard Contractual Clauses and supplementary safeguards required under GDPR.
8. How You Can Review, Update, or Delete Your Data
Under the GDPR and the Dutch AVG, you have strong individual rights regarding how your personal data is processed. These rights exist to provide transparency, control, and the ability to manage your personal information at any time. Currently fully supports the exercise of these rights and will respond to all verified requests within the legally required timeframes.
Depending on your relationship with Currently (e.g., tenant administrator, end user, platform customer), and depending on the type of data processed, you may request the following:
Right of Access: You may request a copy of the personal data we store about you, along with an explanation of why it is processed and with whom it is shared.
Right to Rectification: If any personal information is incomplete or inaccurate, you can request that we correct or update it.
Right to Erasure (“Right to be Forgotten”): You may request deletion of your personal data when it is no longer needed, when consent is withdrawn, or when processing is unlawful. Certain legal or security obligations may prevent immediate deletion (e.g., audit log retention).
Right to Data Portability: You may request an export of your data in a structured, commonly used, machine-readable format so it can be transferred to another service.
Right to Restrict Processing: In specific cases, you may request that we temporarily suspend processing of your data—for example, while accuracy is being verified.
Right to Object: You may object to certain processing activities, including those based on legitimate interests. If your objection is valid, we will stop processing your data unless overriding legal grounds apply.
Right Not to be Subject to Automated Decision-Making: Currently does not use automated profiling or decision systems that produce legal or similarly significant effects. If this ever changes, we will notify users and provide opt-out options per GDPR.
Most basic requests—such as updating email addresses or profile information—can be completed directly through the account settings area of the platform (if applicable to your subscription level). For all other rights, you may submit a data subject request using the contact information provided in Section 9.
To protect your privacy, we will take reasonable steps to verify your identity before processing a request. We may decline requests that are unfounded, repetitive, technically disproportionate, or restricted by law, but we will always explain the reasoning if this occurs.
Once a request is validated, we will handle it within one month, as required by GDPR. Complex or extensive requests may require an extension of up to two additional months; in such cases, you will be informed of the extended timeline and the reasons for it.
9. Contact Information
If you have questions, concerns, or requests related to this Privacy Policy or the way Currently processes personal data, you may contact us using the details below. We encourage you to reach out if you wish to exercise your data protection rights, request clarification, or report a suspected privacy incident.
Email (Primary Contact): [email protected]
Data Protection Contact: [email protected] (Use this address for GDPR/AVG data subject requests.)
Registered Business Address: Currently (Ruthless Dawn), Handelstraat 60, 7311CH Apeldoorn, The Netherlands
We aim to respond to all privacy-related inquiries within a reasonable timeframe and, for formal GDPR/AVG data subject requests, always within the legally required deadlines described in Section 8.
If you believe your privacy rights have been violated, you also have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). They can be contacted at:
Website: https://autoriteitpersoonsgegevens.nl
Phone (NL): (+31) 70 888 8500
Postal Address: Autoriteit Persoonsgegevens, Postbus 93374, 2509 AJ Den Haag, The Netherlands
You are not required to contact the supervisory authority first — Currently encourages users to contact us directly so we can resolve concerns quickly and transparently.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our services, operational processes, or legal requirements. When we make updates, we aim to remain transparent and ensure that you always understand how your personal data is handled.
Changes to this Privacy Policy may occur for several reasons, including:
Updates to comply with new legislation, regulatory guidance, or court rulings (e.g., GDPR or Dutch AVG interpretations).
Modifications to our products, platform features, authentication systems, or data-processing tools.
Introduction of new security measures, cookies, or analytics capabilities (where permitted by law).
Corporate changes such as rebranding, company structure updates, or the addition of new service regions.
Clarifications to improve readability, transparency, or user understanding of our practices.
When material changes are made—such as introducing new types of data processing, altering your rights, or modifying the legal basis for processing—we will notify users in advance through reasonable communication channels. This may include:
In-dashboard notifications when you log in
Email notifications to registered account holders
Prominent notices posted on our website
The “Last Updated” date at the top of this page will indicate when the most recent changes were applied. Continued use of the Services after updates have been published constitutes acceptance of the revised Privacy Policy, but you may always contact us if you have questions or wish to exercise your rights under GDPR/AVG.
11. Automated Decision-Making & Profiling
Currently does not engage in automated decision-making or profiling that produces legal or similarly significant effects on users, as defined under Article 22 of the GDPR.
This means:
No automated decisions are made without meaningful human involvement.
No behavioral predictions, user scoring, or risk assessment algorithms are used.
No automated processing is performed that affects access to features or services.
If Currently introduces automated processes in the future, we will:
Notify users before such processing begins.
Explain the logic involved and the potential consequences.
Provide users with the right to obtain human intervention, express objections, or request a review.
At present, all decisions that may affect users—such as account approval, plan management, or compliance validation—are reviewed and confirmed by human operators.
12. Cookies
Currently uses cookies to ensure the secure and reliable operation of the platform. We only use Strictly Necessary cookies, such as authentication tokens and anti-forgery cookies, which are required for the website and dashboard to function properly.
These cookies:
Keep you logged in securely during your session.
Protect your account from CSRF and authentication-based threats.
Ensure essential functionality of the dashboard and user interface.
Cloudflare may also set strictly necessary security cookies such as __cf_bm and __cfruid. These cookies are essential for bot mitigation, DDoS protection, and ensuring reliable platform performance. They do not track user behavior, do not enable analytics, and do not collect personal data for advertising or profiling.
We do not use advertising cookies, analytics cookies, cookie-based tracking, or any form of cross-site profiling.
For details on cookie types, retention periods, and how to manage your preferences, please refer to our Cookie Policy.