Privacy Statement
This statement explains how BV CEEJAY processes personal data in connection with the borgmark.com website and the BorgMark service.
It is written to comply with Regulation (EU) 2016/679 (the GDPR) and the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data.
1. Who we are
- Controller: BV CEEJAY
- Registered office: Quinten Matsijslei 12, 2018 Antwerpen, Belgium
- VAT: BE0865267120
- Contact: hello@borgmark.com
We have not appointed a Data Protection Officer because we are not required to under Article 37 GDPR. Privacy enquiries are handled via the contact address above.
2. Roles
- For personal data of website visitors and the personal data of our customers’ account holders (e.g. the person who signs up, billing contacts), we act as Controller. This statement describes that processing.
- For personal data that customers or their users upload, generate or transmit through the BorgMark service (source code, commit metadata, CI logs, issues, etc.), we act as Processor on behalf of our customer. That processing is governed by our Data Processing Agreement, not this statement.
3. What we collect and why
3.1 Website visitors
We do not run third-party analytics, advertising trackers, or behavioural cookies on borgmark.com. We set only the cookies strictly necessary to deliver the site (e.g. preserving your selected language).
Our web server logs (IP address, user agent, requested URL, timestamp) are retained for up to 30 days for security and abuse prevention, on the basis of our legitimate interest (Article 6(1)(f) GDPR) in operating a secure service.
3.2 Customer account data
When you create an account or buy a plan, we process:
| Data | Purpose | Legal basis |
|---|---|---|
| Name, email, hashed password or SSO identifier | Creating and authenticating your account | Performance of the contract — Art. 6(1)(b) |
| Organisation name, billing address, VAT number | Invoicing and tax compliance | Legal obligation — Art. 6(1)(c); contract — Art. 6(1)(b) |
| Payment metadata (transaction IDs, last 4 digits of card) | Payment reconciliation | Contract — Art. 6(1)(b) |
| IP address, login timestamps, audit logs | Security, abuse prevention, audit trail | Legitimate interest — Art. 6(1)(f) |
| Support correspondence | Responding to your requests | Legitimate interest — Art. 6(1)(f) |
We do not ask for payment details to start a 14-day trial.
3.3 Marketing
We send service-related operational emails (account notifications, security alerts, billing). These are not marketing and you cannot opt out while you have an active account.
We do not currently operate a marketing newsletter. If we introduce one, it will be opt-in.
4. Recipients and sub-processors
We share personal data only with the following processors, all established in the EU/EEA:
| Recipient | Role | Location |
|---|---|---|
| Hetzner Online GmbH | Hosting (compute, storage, database) | Germany |
| Combell NV | Transactional email delivery | Belgium |
| Mollie B.V. | Payment processing | Netherlands |
We disclose personal data to public authorities only when required to do so by a binding legal order issued under EU or Belgian law.
5. International transfers
We do not transfer personal data outside the European Economic Area. All processing takes place in the EU/EEA. If this ever changes, we will update this statement and rely on a transfer mechanism permitted under Chapter V GDPR.
6. Retention
| Category | Retention |
|---|---|
| Web server logs | Up to 30 days |
| Account data | For the duration of the account, deleted within 30 days of termination |
| Audit logs (account level) | 12 months |
| Backups | Overwritten on a rolling 35-day cycle |
| Invoices and accounting records | 7 years (Belgian tax law) |
| Support correspondence | Up to 24 months after closure of the ticket |
7. Your rights
Under the GDPR you have the right to:
- access your personal data (Art. 15);
- rectify inaccurate or incomplete data (Art. 16);
- erase your data (Art. 17), subject to legal retention obligations;
- restrict processing (Art. 18);
- portability of data you have provided to us (Art. 20);
- object to processing based on legitimate interest (Art. 21);
- withdraw consent at any time where processing is based on consent (Art. 7(3)), without affecting the lawfulness of prior processing.
To exercise any of these rights, email hello@borgmark.com. We will respond within one month of receiving your request. We may ask you to confirm your identity before acting on a request.
You also have the right to lodge a complaint with a supervisory authority. The competent authority in Belgium is the Gegevensbeschermingsautoriteit / Autorité de protection des données (gegevensbeschermingsautoriteit.be).
8. Security
We protect personal data using technical and organisational measures appropriate to the risk, including TLS in transit, AES-256 at rest, multi-factor authentication for administrative access, restricted production access on a least-privilege basis, and routine patching and backups. Full detail is in Annex II of our DPA.
9. Cookies
borgmark.com uses only strictly necessary cookies (language preference, session state). We do not use analytics, advertising or social-media tracking cookies, so no cookie consent banner is required under the e-Privacy Directive.
10. Changes
We may update this statement to reflect changes to the Service or our legal obligations. We will publish the new version with an updated effective date. Material changes affecting customers will be announced by email to the account’s billing contact at least 30 days in advance.
11. Contact
- Questions or complaints about this statement: hello@borgmark.com
- Postal: BV CEEJAY, Quinten Matsijslei 12, 2018 Antwerpen, Belgium.