Privacy Notice
Last updated: 16th December 2025
- Introduction
- Data Controller Details
- Scope of This Privacy Notice
- Personal Data We Collect
- Purposes of Processing
- Legal Bases for Processing (Article 6 GDPR)
- Automated Decision-Making and Profiling
- Data Sharing and Recipients
- International Data Transfers
- Data Retention
- Data Security
- Data Subject Rights
- Right to Lodge a Complaint
- Children’s Data
- Cookies and Similar Technologies
- Changes to This Privacy Notice
- Contact Information
1. Introduction
This Privacy Notice explains how personal data is collected, used, disclosed, and protected when you interact with the Vaivera website or communicate with us in relation to the Vaivera platform.
Vaivera is developed and operated by Caeleste Ltd (“Caeleste ”, “we”, “us”, or “our”). For the purposes of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable data protection laws, Caeleste acts as the data controller with respect to the personal data described in this Privacy Policy.
We are committed to processing personal data in a lawful, fair, and transparent manner, and to protecting the rights and freedoms of individuals whose data we process.
2. Data Controller Details
Data Controller: Caeleste Ltd
Registered/Operational Address: North Quay, Norfolk, United Kingdom.
Email Address: spe@vaivera.com
3. Scope of This Privacy Notice
This Privacy Notice applies to the processing of personal data in connection with:
- Visits to the Vaivera website;
- Enquiries, demo requests, and partnership communications submitted through the website or via email; and
Other communications with us relating to the Vaivera platform.
This Privacy Notice does not apply to personal data processed within customer or partner deployments of the Vaivera platform. In such contexts, Caeleste Institute may act as a data processor on behalf of customers, and the processing of personal data is governed by separate contractual arrangements, including Data Processing Agreements (DPAs).
4. Personal Data We Collect
Caeleste Institute collects only personal data that is relevant, necessary, and proportionate to the purposes described in this Privacy Notice.
4.1 Personal Data Provided Directly by You
When you contact us, submit a demo request, or otherwise communicate with us, we may collect the following categories of personal data:
- Full name
- Business email address
- Organisation name
- Job title or professional role (where provided)
- Message content and any information you choose to include in your communication
The provision of this personal data is voluntary. However, failure to provide certain information may limit our ability to respond to your enquiry or request.
4.2 Personal Data Collected Automatically
When you visit the Vaivera website, we may automatically collect limited technical and usage data, including:
- Internet Protocol (IP) address
- Browser type and version
- Device type and operating system
- Date and time of access
- Pages visited and interaction data
This information is collected for security, operational, and analytical purposes.
4.3 Special Categories of Personal Data
Caeleste Institute does not intentionally collect special categories of personal data as defined under Article 9 of the GDPR through the Vaivera website.
Visitors are requested not to submit sensitive personal data through contact forms or general communications.
4.4 Source of Personal Data
Personal data processed under this Privacy Notice is collected either:
- Directly from you, or
- Automatically through your interaction with the website
We do not obtain personal data from third-party data brokers or publicly available sources for the purposes covered by this Privacy Notice.
5. Purposes of Processing
Caeleste Institute processes personal data only for specified, explicit, and legitimate purposes, and does not process such data in a manner incompatible with those purposes.
Personal data collected under this Privacy Notice may be processed for the following purposes:
- To respond to enquiries, demo requests, and partnership communications;
- To communicate information requested about Vaivera and related services;
- To manage professional relationships and business communications;
- To operate, secure, and maintain the Vaivera website and related systems;
- To monitor, detect, and prevent misuse, fraud, or unauthorised access to the website;
- To analyse website usage in order to improve performance, reliability, and user experience; and
- To comply with applicable legal, regulatory, or contractual obligations.
Personal data will not be processed for purposes that are incompatible with those listed above without prior notice or, where required by law, the data subject’s consent.
6. Legal Bases for Processing (Article 6 GDPR)
Caeleste Institute processes personal data only where a valid legal basis exists, in accordance with Article 6 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
Depending on the context, personal data is processed on one or more of the following legal bases:
6.1 Legitimate Interests (Article 6(1)(f))
Processing is necessary for the purposes of Caeleste Institute’s legitimate interests, including:
- responding to business enquiries and communications;
- managing professional relationships;
- operating, securing, and improving the Vaivera website; and
- preventing misuse or unauthorised access.
These interests are not overridden by the rights and freedoms of data subjects, given the limited nature of the data processed and the reasonable expectations of individuals engaging in business communications.
6.2 Consent (Article 6(1)(a))
Where you voluntarily submit personal data through forms or explicitly consent to specific processing activities, we rely on your consent as the legal basis.
Consent may be withdrawn at any time by contacting spe@vaivera.com, without affecting the lawfulness of processing carried out prior to withdrawal.
6.3 Legal Obligation (Article 6(1)(c))
Processing may be necessary to comply with applicable legal or regulatory obligations to which Caeleste Institute is subject.
6.4 Contractual Necessity (Article 6(1)(b))
In limited circumstances, personal data may be processed where necessary to take steps at your request prior to entering into a contract, or to perform contractual obligations.
7. Automated Decision-Making and Profiling
No automated decision-making or profiling within the meaning of Article 22 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) is carried out in relation to personal data processed under this Privacy Notice.
In particular, personal data collected through the Vaivera website or through communications with Caeleste Institute is not subject to decisions based solely on automated processing that produce legal effects or similarly significant effects.
Any automated decision-making, scoring, or AI-based processing performed within customer or partner deployments of the Vaivera platform is governed by separate contractual, privacy, and data protection arrangements, and is outside the scope of this Privacy Notice.
8. Data Sharing and Recipients
Caeleste Institute does not disclose personal data to third parties except where such disclosure is necessary for the purposes described in this Privacy Notice or where required by law.
Personal data may be shared with the following categories of recipients:
- Service providers that support website hosting, IT infrastructure, security monitoring, analytics, or communication services;
- Professional advisers, such as legal, compliance, or audit advisers, where necessary for legitimate business or legal purposes; and
- Public authorities or regulators, where disclosure is required by applicable law or regulatory obligation.
All third-party service providers are engaged under contractual arrangements that require them to process personal data only on documented instructions from Caeleste Institute and to implement appropriate technical and organisational measures to protect personal data.
Caeleste Institute does not sell personal data and does not share personal data with third parties for advertising or marketing purposes.
9. International Data Transfers
Personal data processed under this Privacy Notice may, in limited circumstances, be transferred to recipients located outside the European Economic Area (EEA).
Where such international transfers occur, Caeleste Institute ensures that appropriate safeguards are implemented in accordance with Chapter V of the General Data Protection Regulation (EU) 2016/679 (“GDPR”), including one or more of the following:
- Standard Contractual Clauses approved by the European Commission;
- Adequacy decisions adopted by the European Commission, where applicable; or
- Other lawful transfer mechanisms recognised under applicable data protection law.
Caeleste Institute takes reasonable steps to ensure that transferred personal data continues to receive a level of protection essentially equivalent to that guaranteed within the EEA.
10. Data Retention
Caeleste Institute retains personal data only for as long as necessary to fulfil the purposes for which it was collected, in accordance with the principles of data minimisation and storage limitation under Article 5(1)(e) of the GDPR.
Retention periods are determined based on:
- the nature and sensitivity of the personal data;
- the purposes for which the data is processed;
- legal, regulatory, or contractual obligations; and
- the need to establish, exercise, or defend legal claims.
Indicative retention periods include:
- Enquiry and contact data: retained for up to 24 months following the last meaningful interaction, unless a longer retention period is required for legal or compliance purposes;
- Website technical and security logs: retained for up to 12 months, unless extended retention is necessary to investigate security incidents or comply with legal obligations.
Personal data is securely deleted or anonymised once it is no longer required.
11. Data Security
Caeleste Institute implements appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, in accordance with Article 32 of the GDPR.
These measures include, where appropriate:
- Access controls and authentication mechanisms to restrict access to personal data;
- Secure communication channels for data transmission;
- Logical separation of systems and environments where required;
- Monitoring and logging of access to systems processing personal data;
- Policies and procedures governing data handling, retention, and access; and
- Regular review of security practices to address emerging risks.
While no system can be guaranteed to be completely secure, Caeleste Institute takes reasonable and proportionate steps to safeguard personal data and to reduce risks to an acceptable level.
12. Data Subject Rights
Subject to applicable law and the conditions set out in the General Data Protection Regulation (EU) 2016/679 (“GDPR”), individuals whose personal data is processed under this Privacy Notice have the following rights:
- Right of access (Article 15): to obtain confirmation as to whether personal data is being processed and to access such data;
- Right to rectification (Article 16): to request correction of inaccurate or incomplete personal data;
- Right to erasure (Article 17): to request deletion of personal data where lawful grounds apply;
- Right to restriction of processing (Article 18): to request that processing be limited in certain circumstances;
- Right to data portability (Article 20): to receive personal data in a structured, commonly used, and machine-readable format, where applicable;
- Right to object (Article 21): to object to processing based on legitimate interests, including profiling related to such processing.
Requests to exercise these rights may be submitted by contacting spe@vaivera.com.
We may require verification of identity before responding to a request.
Caeleste Institute will respond to valid requests without undue delay and in any event within the timeframes prescribed by applicable law.
13. Right to Lodge a Complaint
If you believe that the processing of your personal data infringes the General Data Protection Regulation (EU) 2016/679 (“GDPR”) or other applicable data protection laws, you have the right to lodge a complaint with a supervisory authority.
You may lodge a complaint with:
- the supervisory authority in the EU Member State of your habitual residence;
- the supervisory authority in the EU Member State of your place of work; or
- the supervisory authority in the EU Member State where the alleged infringement occurred.
This right is without prejudice to any other administrative or judicial remedy available to you.
14. Children’s Data
The Vaivera website and related communications are intended for use by professionals and organisations. They are not directed at children, and Caeleste Institute does not knowingly collect personal data from individuals under the age of 16.
If we become aware that personal data of a child under 16 has been collected inadvertently, we will take reasonable steps to delete such data without undue delay.
15. Cookies and Similar Technologies
The Vaivera website uses cookies and similar technologies to ensure basic functionality, enhance security, and improve user experience.
Cookies are small text files that are placed on your device when you visit a website. They allow the website to recognise your device and store certain information about your preferences or interactions.
15.1 Types of Cookies Used
The Vaivera website may use the following categories of cookies:
- Strictly necessary cookies
These cookies are required for the operation and security of the website and cannot be disabled through website settings. - Analytics cookies
These cookies help us understand how visitors interact with the website by collecting aggregated and anonymised usage information. Where required by applicable law, analytics cookies are used only with your consent.
We do not use cookies for behavioural advertising or cross-site tracking.
15.2 Legal Basis for Cookies
Strictly necessary cookies are processed on the basis of legitimate interests (Article 6(1)(f) GDPR), as they are essential to the operation and security of the website.
Non-essential cookies, including analytics cookies where applicable, are processed on the basis of consent (Article 6(1)(a) GDPR). You may withdraw your consent at any time by adjusting your cookie preferences.
15.3 Managing Cookies
You can manage or disable cookies through your browser settings. Please note that disabling certain cookies may affect the functionality or security of the website.
Further information about cookies and your choices is available in the Cookie Policy.
16. Changes to This Privacy Notice
Caeleste Institute may update this Privacy Notice from time to time to reflect changes in legal requirements, regulatory guidance, or our data processing practices.
Where changes are made, the updated Privacy Notice will be published on the Vaivera website, and the “Last updated” date at the top of the document will be revised accordingly.
Where required by applicable law, we will take reasonable steps to notify individuals of material changes.
17. Contact Information
For questions about this Privacy Notice or our data protection practices, contact us: