Privacy policy

Cygnean is a brand operated by MOMENTUM TECHNOLOGY ARENA SRL(“we”, “us”). This privacy notice describes how we process personal data in connection with the cygnean.com website and our cold-email outreach into the United States, United Kingdom, and European Economic Area.

Controller details.

• Registered name: MOMENTUM TECHNOLOGY ARENA SRL
• Registered office: Strada Caius Marcius Coriolan 29, București, Romania
• Privacy contact: privacy@cygnean.com
• General contact: hello@cygnean.com

For requests under the EU General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act (“CCPA”), or any equivalent law, contact the privacy address above. We respond within 30 days for CCPA requests (Cal. Civ. Code §1798.130(a)(2)) and within one month for GDPR requests (Art. 12(3) GDPR), with up to two further months’ extension for complex requests.

We process two distinct categories of personal data depending on how you came to interact with us.

A. Site visitors (cygnean.com)

• Form submissions: when you submit the audit form or book a call: business name, website URL, city/region, email address, and any free-text message you provide.
• Technical data: IP address, user-agent, browser language, page-view timestamps, device type, and pseudonymous session identifiers, captured via PostHog.
• Communications: emails you send to our published addresses.

B. Cold-email recipients

• First name, last name
• Work email address
• Job title / role
• Company name and company website
• Country
• Industry, headcount range, and other firmographic data
• Engagement events from our outreach (sent, opened, clicked, replied, bounced, unsubscribed)
• Suppression status if you have opted out

We do not process phone numbers, home addresses, consumer PII, or any special category of data under GDPR Art. 9 (health, religion, biometric, etc.). Do not submit such data through our forms.

For site visitors, the source is your direct submission. For cold-email recipients, we obtain business contact details from the following sources:

• Public business websites (publicly-posted contact details)
• Public registries (state contractor licensing boards, trade-association rosters)
• Third-party B2B contact databases: Prospeo, Hunter, StoreCensus / StoreLeads, Apollo.io
• Email-deliverability validators: MyEmailVerifier, Bouncer

• Legitimate interests (Art. 6(1)(f) GDPR). Cold-business outreach to companies that we have a reasonable basis to believe may benefit from our services, measuring outreach performance, and securing the website against abuse and fraud. Each cold-outreach campaign is supported by a documented Legitimate Interests Assessment (LIA) that we make available to supervisory authorities on request.
• Performance of pre-contractual / contractual measures (Art. 6(1)(b)). Responding to your audit request, scheduling calls, and delivering proposals.
• Consent (Art. 6(1)(a)). Optional analytics cookies. You may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
• Legal obligation (Art. 6(1)(c)). Tax and accounting record retention (Romanian Accounting Law no. 82/1991), and responding to lawful authority requests.

For US recipients, our cold outreach complies with the federal CAN-SPAM Act (15 U.S.C. §7701 et seq.): accurate sender identification, non-deceptive subject lines, valid postal address in every email, working opt-out, and opt-out honoured within 24 hours of receipt (CAN-SPAM allows 10 business days; we automate it).

For Canadian recipients, we rely on CASL implied consent under the public-posting exception (CASL §10(9)(b)) and record the source URL per recipient.

We do not sell personal data. We share it only with vetted sub-processors that act on our written instructions under an Article 28 GDPR data-processing agreement (DPA):

Where a sub-processor is located outside the European Economic Area, transfers are covered by the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914), supplementary technical measures (TLS 1.2+ in transit, encryption at rest), and the corresponding processor's DPA.

We do not set non-essential cookies. Analytics is performed via PostHog configured in cookieless mode: no cookies, no localStorage, no IndexedDB, no fingerprinting beyond standard HTTP request metadata (IP, user-agent, referer). Page-view and event data is sent to PostHog and retained against an in-memory identifier that exists only for the duration of your visit.

If you arrive from one of our cold-email campaigns via a tagged URL (carrying a parameter such as lead_id), that identifier is used as your session distinct ID so any A/B test variant you saw remains consistent if you return via the same link. The identifier is read from the URL on each visit and is not stored on your device.

We honour the Global Privacy Control (GPC)signal as a valid opt-out of “sale” or “sharing” under CCPA Regulations §7025 Visitors whose browsers send a GPC signal are treated as having opted out without further action. The same signal is read by PostHog and suppresses analytics capture.

Some sub-processors listed in §5 are based in the United States or operate global edge networks. For those transfers, we rely on:

• European Commission adequacy decisions where applicable
• The 2021 Standard Contractual Clauses (Module Two: Controller-to-Processor)
• Technical safeguards including TLS 1.2+ in transit and encryption at rest
• Organisational safeguards including least-privilege access, audited DPAs, and breach-notification clauses

• Cold-email recipient data with no reply: 3 years from collection for EU/UK recipients; 5 years for US/Canada recipients. Then hard-deleted.
• Engagement events: kept alongside the lead until the lead is purged; orphaned thereafter (effectively anonymised).
• Suppression entries (unsubscribes): retained indefinitely so we never re-contact you. Email is hashed (SHA-256) for purged-lead records.
• Site form submissions: 24 months from last interaction unless a paid engagement begins, in which case retention follows the master service agreement.
• Server logs: 30 days rolling.
• Audit log: 5 years minimum, append-only.
• Billing records: 10 years (Romanian Accounting Law no. 82/1991).

Under GDPR you can exercise the following rights free of charge, once per reasonable period:

• Access (Art. 15): receive a copy of the data we hold about you
• Rectification (Art. 16): correct inaccurate or incomplete data
• Erasure (Art. 17): delete your data
• Restriction (Art. 18): pause processing while a dispute is resolved
• Portability (Art. 20): receive your data in a machine-readable format
• Objection (Art. 21): object to processing based on legitimate interests, including cold outreach
• Withdraw consent (Art. 7(3)): at any time
• Lodge a complaint with the Romanian Data Protection Authority (ANSPDCP) at dataprotection.ro or your local supervisory authority in another EU member state.

Under CCPA/CPRA California residents have the rights to:

• Know what personal information we collect, use, disclose, and sell or share (§1798.100, .110, .115)
• Delete personal information we have collected from you (§1798.105)
• Correct inaccurate personal information (§1798.106)
• Opt out of “sale” or “sharing” (§1798.120). We do not sell or share personal information for cross-context behavioural advertising.
• Limit use of sensitive personal information (§1798.121). We do not collect sensitive PI as defined.
• Non-discrimination for exercising any right (§1798.125)

Global Privacy Control. We honour browser GPC signals as a valid opt-out under CCPA Regulations §7025.

To exercise any right, email privacy@cygnean.com. You may also unsubscribe instantly from any cold email by clicking the unsubscribe link in its footer or by replying STOP. We may need to verify your identity before responding to access, deletion, or correction requests.

Cygnean and Xygnius are both brands of MOMENTUM TECHNOLOGY ARENA SRL. They share an outreach pipeline and a unified suppression list. If you opt out of email from either brand, we apply the suppression to both for EU/UK recipients. An erasure request to either brand erases your record across both. US/Canada recipients may request brand-scoped treatment; we default to global suppression for operational simplicity.

• HTTPS-only transport with HSTS
• HTTP-only secure cookies signed by a rotating server-side secret
• Per-route rate limiting at the Cloudflare edge
• Least-privilege access from application processes
• Encrypted backups with offsite copies
• Continuous error monitoring and audit logging

No service can be guaranteed entirely secure. We will notify affected individuals and the relevant supervisory authority without undue delay if a personal-data breach is likely to result in a risk to their rights and freedoms (Art. 33–34 GDPR).

The site is intended for business users and is not directed at children under 16. We do not knowingly collect personal data from minors. If you believe a child has submitted data, contact us and we will delete it.

We may update this notice when our processing changes or the law requires it. Material changes will be surfaced on this page at least 14 days before they take effect. The “Last updated” date at the top of the page always reflects the current version.

Privacy requests: privacy@cygnean.com. General enquiries: hello@cygnean.com. Postal correspondence: MOMENTUM TECHNOLOGY ARENA SRL, Strada Caius Marcius Coriolan 29, București, Romania. Related documents: Terms of Service.