This is the CromaPages Unified Privacy Policy, effective May 2026. It covers all three CromaPages products and every category of person whose data we process — from paying Subscribers to anonymous tour viewers. Read the section most relevant to you using the table of contents.
At CromaPages, we take your privacy seriously. This Policy explains — in plain language — exactly what personal data we collect, why we collect it, who it is shared with, how long we keep it, and what rights you have over it. We never sell personal data. We never use it for advertising. We collect only what is necessary to provide our services.
1. Who We Are
CromaPages is a Proprietorship that operates three software products through a shared platform at app.cromapages.com. All products are owned and operated by the same entity, CromaPages, which is also legally responsible for them.
2. Who This Policy Covers
This Policy applies to every person whose personal data CromaPages processes. Because our products involve multiple layers of users, different sections of this Policy apply to different people. Find your user type in the table below and read the corresponding section.
| Who You Are | Product | Our Role | Section |
|---|---|---|---|
| Website visitor | All | Data Controller | Section 3A |
| Registered Subscriber / account holder | All | Data Controller | Section 3B |
| GatherMonk client / portal user / form respondent | GatherMonk | Data Processor | Section 3C |
| VeeSpaces virtual tour viewer | VeeSpaces | Data Processor | Section 3D |
| VeeSpaces in-tour lead capture form respondent | VeeSpaces | Data Processor | Section 3E |
| CromaPages DXP experience visitor | DXP | Data Processor | Section 3F |
Data Controller vs Data Processor: When CromaPages is the Data Controller, we decide how and why your data is processed and are directly responsible to you. When CromaPages is a Data Processor, we process data only on behalf of a Subscriber who is the Data Controller — that Subscriber is primarily responsible to you for that data. See Section 4 for a full explanation.
3A. Website Visitors
Applies to: anyone who visits cromapages.com, gathermonk.com, or veespaces.com. CromaPages is the Data Controller.
When you visit any of our marketing websites, we collect the following data automatically:
- Analytics data via Google Analytics: pages visited, session duration, approximate geographic region (country/city — derived from IP, not stored as raw IP), device type, browser type, referral source, and anonymised user behaviour flows.
- Session recording via Microsoft Clarity: mouse movement, scroll depth, click heatmaps, and session replays. Clarity does not capture passwords, payment card numbers, or form field content by default. No personally identifiable information is recorded.
- Cookies: both tools set cookies on your device. These are non-essential analytics cookies and do not load until you have actively accepted them via our cookie consent banner. See Section 6 for the full cookie inventory.
Lawful basis: Consent (you opt in via the cookie consent banner before analytics tools load).
How to opt out: Click "Manage Preferences" in the cookie banner at any time to withdraw consent. You can also opt out directly via Google Analytics opt-out.
3B. Registered Subscribers
Applies to: anyone who creates an account and subscribes to any CromaPages product at app.cromapages.com. CromaPages is the Data Controller.
| Data Category | Specific Data | Purpose | Lawful Basis |
|---|---|---|---|
| Account data | Name, email address, password (hashed), account creation date | Identity verification, account access, communications | Contract performance |
| Billing data | Billing address, VAT/GST number (where provided), Stripe customer ID, invoice history | Payment processing, invoicing, tax compliance | Contract performance / legal obligation |
| Usage data | Feature usage, login timestamps, IP address at login, session data, actions taken within the Platform | Security monitoring, service improvement, fraud detection | Legitimate interest |
| Support data | Communications with our support team via support@cromapages.com, in-app chat logs (if applicable) | Resolving support requests, improving our service | Contract performance / legitimate interest |
| Product-specific content | Documents, forms, tour assets, experience content created or uploaded by the Subscriber | Delivering the subscribed service | Contract performance |
CromaPages does not store your full payment card number, CVV, or card expiry date. All card data is handled directly and exclusively by Stripe. CromaPages stores only your Stripe customer ID and invoice records. See Section 5.
3C. GatherMonk Clients & Portal Users
Applies to: anyone who receives a GatherMonk document request link, logs into a GatherMonk Client Portal, or submits a GatherMonk form. CromaPages is the Data Processor. The GatherMonk Subscriber who invited you is the Data Controller.
If you received a GatherMonk request or portal invitation, it was sent by an organisation that uses GatherMonk — not by CromaPages directly. That organisation is responsible for your data. CromaPages processes it only to deliver the service to them. For questions about why your data was collected, contact the organisation that sent you the invitation.
When you interact with a GatherMonk request, form, or Client Portal, CromaPages collects and processes:
- Submitted content: all text answers, uploaded files, and images you provide in response to a document request or form — exactly as you submit them.
- Authentication data (Client Portal): your email address, OTP token, login timestamp, and IP address at the time of login. This is used solely to authenticate your access to the portal.
- Interaction metadata: submission timestamp, completion percentage, which fields were completed, and when — used for the Subscriber's audit log and progress tracking.
Lawful basis: The Subscriber (Data Controller) is responsible for establishing the lawful basis for collecting your data. CromaPages processes it under the Subscriber's instructions as a Data Processor.
"Your documents are collected on behalf of [Organisation Name], who is responsible for this request. Your submission is securely processed and stored by CromaPages (India) on behalf of [Organisation Name]. For privacy enquiries, contact [Organisation Name] or support@cromapages.com."
3D. VeeSpaces Virtual Tour Viewers
Applies to: anyone who views a VeeSpaces virtual tour — whether public, shared via link, or password-protected. CromaPages is the Data Processor. The VeeSpaces Subscriber who created the tour is the Data Controller.
If you viewed a virtual tour created by an organisation using VeeSpaces, that organisation is the Data Controller for analytics collected during your visit. Contact them for questions about why data was collected, or contact support@cromapages.com.
When you view a VeeSpaces virtual tour, CromaPages automatically collects the following data on behalf of the Subscriber:
- IP address and approximate geographic location (country, region, city level) derived from your IP address
- Device type, operating system, and browser type
- Tour engagement data — which scenes were viewed and for how long
- Referral source — the URL from which you arrived at the tour
Where you access a password-protected tour, CromaPages additionally logs the authentication event — your IP address and the timestamp of the access attempt — for security purposes. This log is deleted in accordance with our standard retention schedule.
No personal information is required to view a tour. You do not need to create an account, provide your name, or log in.
Lawful basis: Legitimate interest — providing tour delivery and analytics to the Subscriber.
3E. VeeSpaces In-Tour Lead Capture Form Respondents
Applies to: anyone who submits a lead capture form embedded within a VeeSpaces virtual tour. CromaPages is the Data Processor. The VeeSpaces Subscriber is the Data Controller.
If you choose to submit a form embedded in a VeeSpaces tour (for example, a contact form, an enquiry form, or a registration form), the information you provide passes through CromaPages' servers before being delivered to the Subscriber who created the tour and form.
- CromaPages receives your submitted form data transiently in order to route and deliver it to the Subscriber.
- CromaPages does not use form submission data for any purpose other than delivering it to the Subscriber.
- The Subscriber who created the form is the Data Controller responsible for: (i) providing you with notice of what data is collected and why; (ii) having a lawful basis for collection; and (iii) handling your data subject rights requests.
For questions about why a specific form was collecting your data, contact the organisation whose tour you were viewing, or write to support@cromapages.com.
3F. CromaPages DXP Experience Visitors
Applies to: anyone who visits a Store Locator, Interactive Microsite, Digital Guidebook, or Personalised Content Page created using CromaPages DXP. CromaPages is the Data Processor. The DXP Subscriber is the Data Controller.
When you visit or interact with a CromaPages DXP experience, CromaPages collects the following on behalf of the Subscriber:
- IP address and approximate geographic location (country, region, city level) — used to deliver location-based functionality and to provide analytics to the Subscriber
- Device type, browser type, and operating system — for rendering and analytics
- Pages and sections of the experience viewed, and time spent — engagement analytics for the Subscriber
- Referral source — the URL from which you arrived
Personalised Content Pages
If you access a DXP experience via a personalised invitation link, the Subscriber who sent you that link has arranged for the experience to display personalised content — such as your name. When you access a personalised experience, CromaPages logs which experience you accessed and when, on behalf of the Subscriber. The Subscriber who sent you the invitation is the Data Controller for your personalisation data.
Store Locators and GPS
Store Locators use your IP-derived location to display nearby results. Where a Store Locator prompts you to share your device-level GPS coordinates, this is an explicit opt-in — your GPS data is used only to calculate results and is not retained by CromaPages.
Lawful basis: Legitimate interest — delivering location-based functionality and analytics to the Subscriber.
The organisation whose experience you are viewing is responsible for informing you about data collected during your visit. This disclosure should appear in that organisation's privacy notice or on the experience page.
4. Our Role: Data Controller vs Data Processor
Under data protection law — including the EU and UK GDPR and India's DPDPA — a Data Controller decides why and how personal data is collected. A Data Processor handles personal data only on the Controller's instructions. CromaPages acts in both roles, depending on the context.
| Context | CromaPages' Role | Who is the Controller |
|---|---|---|
| Subscriber account and billing data | Data Controller | CromaPages |
| Marketing website analytics (GA, Clarity) | Data Controller | CromaPages |
| GatherMonk — client submissions, portal access, form data | Data Processor | The GatherMonk Subscriber |
| VeeSpaces — tour viewer analytics, authentication, lead capture forms | Data Processor | The VeeSpaces Subscriber |
| CromaPages DXP — experience visitor analytics and personalisation data | Data Processor | The DXP Subscriber |
Where CromaPages is a Data Processor, our obligations are: (i) to process data only on the Subscriber's documented instructions; (ii) to implement appropriate technical and organisational security measures; (iii) to notify the Subscriber of any data breach within 72 hours; (iv) to assist the Subscriber in responding to data subject rights requests; and (v) to delete or return data at the end of the engagement.
Subscribers who require a formal Data Processing Agreement (DPA) as required under GDPR Article 28 may request one by emailing support@cromapages.com.
5. Payment Processing — Stripe
All subscription payments for CromaPages products are processed by Stripe (Stripe Payments Europe, Limited — an Irish entity for non-US transactions, and Stripe India Private Limited for domestic Indian transactions). Stripe acts as a Data Processor on behalf of CromaPages for payment processing.
- When you subscribe, your payment card details are entered directly into Stripe's secure payment interface. CromaPages never sees, receives, or stores your full card number, CVV, or expiry date.
- CromaPages stores only your Stripe Customer ID, subscription plan details, and invoice records — for billing, reconciliation, and tax compliance purposes.
- Stripe may process your name, email address, billing address, and payment card data under its own Privacy Policy and PCI-DSS compliance obligations. For full details, see stripe.com/privacy.
- For Subscribers based in India: Stripe India Private Limited processes domestic payments as a payment aggregator under RBI regulations. International inward remittance compliance (FIRA/eBRC for GST purposes) remains the Subscriber's responsibility.
Stripe is PCI-DSS Level 1 certified — the highest standard for payment card data security. Stripe automatically enters into a Data Processing Agreement with CromaPages as part of its standard terms, covering GDPR obligations for EU and UK Subscriber payment data.
6. Cookies & Tracking Technologies
CromaPages uses cookies and similar technologies on its marketing websites (cromapages.com, gathermonk.com, veespaces.com). This section explains what we use, why, and how you can control your preferences.
What Are Cookies?
Cookies are small text files placed on your device by a website when you visit it. They allow the website to remember information about your visit — such as your language preference or whether you have already consented to cookies — and to collect analytical data about how the site is used.
Cookie Categories We Use
| Cookie / Tool | Category | Purpose | Duration | Consent Required |
|---|---|---|---|---|
| Cookie consent preferences | Strictly Necessary | Stores your cookie consent decision so you are not asked again on every page | 12 months | No — essential |
| Session / authentication cookies (app.cromapages.com) | Strictly Necessary | Keeps you logged in to your account during a session | Session (cleared on logout) | No — essential |
| Google Analytics (_ga, _ga_*, _gid) | Analytics | Measures page views, user sessions, traffic sources, and anonymised user behaviour on our marketing websites. Data is processed by Google LLC in the USA. | _ga: 2 years; _gid: 24 hours | Yes — opt-in via banner |
| Microsoft Clarity (_clsk, _clck, MUID) | Analytics / Session Recording | Records session replays, mouse movement, scroll depth, and heatmaps on our marketing websites. Helps us identify UX issues. No PII is recorded. Data is processed by Microsoft Corporation in the USA. | _clsk: 1 day; _clck: 1 year; MUID: 1 year | Yes — opt-in via banner |
How to Manage Your Preferences
- Cookie banner: When you first visit any CromaPages website, a cookie consent banner will appear. You can choose to Accept All, Decline All, or Manage Preferences. Analytics tools do not load until you Accept.
- Update at any time: Click "Manage Preferences" or "Cookie Settings" in the footer of any CromaPages website to update your choices at any time.
- Browser settings: Most browsers allow you to block or delete cookies from your browser settings. Note that blocking all cookies may prevent some website features from working correctly.
- Google Analytics opt-out: Install the Google Analytics Opt-out Browser Add-on to prevent Google Analytics from collecting data about your visits.
- Microsoft Clarity opt-out: Visit Microsoft's Privacy Statement for opt-out options applicable to Clarity.
Google Analytics and Microsoft Clarity are used only on our marketing websites — cromapages.com, gathermonk.com, and veespaces.com. They are not loaded within the application platform at app.cromapages.com or on any End User experience (virtual tours, DXP pages, GatherMonk portals).
7. Data Storage & Security
Where Your Data Is Stored
All CromaPages application data — including Subscriber account data, Content, and End User data processed through our Products — is stored on servers provided by Amazon Web Services (AWS) and Microsoft Azure. At the time of publication of this Policy (May 2026), servers are located in the United States.
CromaPages has plans to migrate data storage to UK/EU-region servers (AWS London / eu-west-2) within the next 6 months. When this migration is complete, this Policy will be updated to reflect the new storage location, and the international transfer section below will be simplified accordingly. We will notify all active Subscribers by email before the migration is completed.
Security Measures
CromaPages implements the following security measures to protect personal data:
- Encryption in transit: all data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security) — the same standard used by banking and e-commerce websites.
- Encryption at rest: all data stored on our servers is encrypted at rest using AES-256 encryption.
- Access controls: access to personal data within CromaPages' systems is restricted to personnel who have a legitimate operational need, and is subject to role-based access controls.
- Data breach response: in the event of a personal data breach, CromaPages will notify affected Subscribers without undue delay and within 72 hours of becoming aware of the breach.
- Vendor security: AWS and Azure maintain industry-leading security certifications including ISO 27001 and SOC 2. Their security posture is publicly documented.
While CromaPages takes every reasonable precaution, no internet transmission or electronic storage system is 100% secure. If you have reason to believe your account has been compromised, please contact support@cromapages.com immediately.
8. International Data Transfers
CromaPages is based in India. Our application infrastructure is currently hosted in the United States (AWS and Azure). This means that personal data you provide — whether as a Subscriber or as an End User interacting with our platform — may be transferred to and stored in servers located in the United States.
For Subscribers and End Users in the European Union or United Kingdom, this international transfer is governed by:
- Standard Contractual Clauses (SCCs) between CromaPages and its infrastructure providers (AWS and Azure). These are legally approved contractual safeguards that require our providers to protect EU/UK personal data to GDPR standards, regardless of where it is physically stored.
- Both AWS and Microsoft Azure have entered into SCCs with EU and UK data protection authorities and publish their Data Processing Addenda publicly.
Upon completion of our planned UK/EU server migration (within 6 months), this international transfer section will no longer apply to EU and UK users — data will be stored and processed within the UK/EEA and no cross-border transfer mechanism will be required. This Policy will be updated at that time.
For Subscribers in India, data processing by CromaPages — an Indian entity — on servers in the US constitutes a cross-border data transfer under India's Digital Personal Data Protection Act (DPDPA) 2023. CromaPages complies with applicable DPDPA obligations for cross-border transfers.
Our analytics subprocessors (Google Analytics and Microsoft Clarity) also process data in the USA. This transfer is covered by Stripe, Google, and Microsoft's own SCC commitments as published in their respective privacy documentation.
9. Our Subprocessors
A subprocessor is a third-party service that processes personal data on CromaPages' behalf in order to provide our services. We disclose all subprocessors below. We perform security due diligence before engaging any subprocessor and require them to maintain appropriate data protection standards.
| Subprocessor | Category | Purpose | Data Processed | Location |
|---|---|---|---|---|
| Amazon Web Services (AWS) | Infrastructure | Cloud hosting of application, databases, and file storage | All Subscriber and End User data stored on the Platform | USA (migrating to UK within 6 months) |
| Microsoft Azure | Infrastructure | Cloud hosting and compute services | All Subscriber and End User data stored on the Platform | USA (migrating to UK within 6 months) |
| Stripe (Stripe Payments Europe Ltd) | Payments | Subscription payment processing | Subscriber name, email, billing address, payment card data (handled exclusively by Stripe — not shared with CromaPages) | Ireland (EU) + USA |
| Google Analytics (Google LLC) | Analytics | Website traffic and behaviour analytics on marketing websites | Anonymised page views, session data, approximate location — marketing websites only | USA |
| Microsoft Clarity (Microsoft Corporation) | Analytics | Session recording and heatmaps on marketing websites | Mouse movement, scroll data, click maps, session replays — no PII — marketing websites only | USA |
We will notify active Subscribers at least 30 days before adding any new subprocessor that will have access to their data. This list is reviewed and updated whenever a change is made. Last reviewed: May 2026.
10. Your Rights
Depending on where you are located, you have different rights over your personal data. We set these out clearly below.
For EU and UK Users — GDPR Rights
Right of Access
Request a copy of all personal data CromaPages holds about you, including the categories of data, the purposes, and who it has been shared with.
Right to Rectification
Ask us to correct any personal data that is inaccurate or incomplete.
Right to Erasure ("Right to be Forgotten")
Request deletion of your personal data where it is no longer necessary for the purpose it was collected, or where you withdraw consent.
Right to Restrict Processing
Ask us to pause processing of your data — for example, while you contest its accuracy or while an objection is being assessed.
Right to Data Portability
Receive your personal data in a structured, machine-readable format to transfer it to another service, where processing is based on consent or contract.
Right to Object
Object to processing based on legitimate interest, including for direct marketing. We will stop processing unless we can demonstrate compelling legitimate grounds.
Right re: Automated Decisions
Request human review of any automated decision that significantly affects you. CromaPages does not currently make automated decisions with legal or significant effect.
Right to Withdraw Consent
Where processing is based on consent (such as analytics cookies), you may withdraw consent at any time via the cookie banner — without affecting the lawfulness of prior processing.
For Indian Users — DPDPA Rights
Under India's Digital Personal Data Protection Act 2023, individuals have the following rights in respect of their personal data processed by CromaPages:
- Right to access information: the right to know what personal data is being processed, the purposes of processing, and the identity of all processors.
- Right to correction and erasure: the right to request correction of inaccurate or misleading personal data, and erasure of data no longer needed for the purpose it was collected.
- Right to grievance redressal: the right to have complaints addressed promptly. CromaPages commits to responding to requests within 30 days.
- Right to nominate: the right to nominate another individual who may exercise rights on your behalf in the event of your death or incapacity.
How to Exercise Your Rights
To exercise any of the rights above, please contact us at support@cromapages.com with "Privacy Rights Request" as the subject line. Please include sufficient information for us to identify you and the data concerned.
We will respond to all rights requests within 30 days. For complex or multiple requests, we may extend this by up to a further 30 days, and will notify you if we need to do so.
We will not charge a fee for exercising your rights unless your request is manifestly unfounded or excessive, in which case a reasonable administrative fee may apply.
Important — GatherMonk, VeeSpaces, and DXP End Users: If you are an End User (a GatherMonk client, a tour viewer, or a DXP experience visitor) and your rights request relates to data collected by a CromaPages Subscriber on their behalf, you should contact that Subscriber (the Data Controller) in the first instance. CromaPages can assist but the Subscriber holds primary responsibility for responding to rights requests over their data.
11. Data Retention
CromaPages retains personal data for no longer than is necessary for the purposes described in this Policy, or as required by applicable law. The following retention periods apply:
| Data Category | Applies To | Retention Period |
|---|---|---|
| Active Subscriber account data | All products | Duration of active subscription |
| Subscriber Content (documents, tour assets, DXP experiences) | All products | Duration of subscription + 30 days after cancellation, then permanently deleted |
| Payment and invoice records | All products | 7 years (required by Indian accounting law) |
| GatherMonk client submission data and audit logs | GatherMonk | Duration of Subscriber's subscription + 30 days, then permanently deleted |
| VeeSpaces tour viewer analytics | VeeSpaces | 30 days, then aggregated and anonymised or deleted |
| VeeSpaces password-protected tour authentication logs | VeeSpaces | 90 days, then permanently deleted |
| DXP experience visitor analytics (IP, location, engagement) | CromaPages DXP | 30 days, then aggregated and anonymised or deleted |
| DXP personalised content page access logs | CromaPages DXP | Duration of Subscriber's subscription + 30 days, then deleted |
| Website analytics (Google Analytics, Microsoft Clarity) | Marketing websites | Per tool retention settings: GA 14 months; Clarity 3 months for recordings |
| Support communications | All products | 3 years from the date of last communication, then deleted |
At the end of each retention period, data is permanently and securely deleted from CromaPages' active systems. Backups containing the data are overwritten within 30 days of scheduled deletion.
12. Children's Data
CromaPages products are designed for and marketed to businesses and professionals. Our products are not intended for use by persons under the age of 18, and we do not knowingly collect personal data from children.
If you believe a child has provided personal data to CromaPages — whether as a Subscriber or in the course of interacting with a CromaPages-powered experience — please contact us immediately at support@cromapages.com and we will take prompt steps to delete that data.
CromaPages Subscribers are responsible for ensuring that the experiences they create using our products do not collect personal data from children without appropriate consent and safeguards in place.
13. Changes to This Privacy Policy
CromaPages may update this Privacy Policy from time to time as our products, legal obligations, or data practices change. We distinguish between material and non-material changes:
- a. Material changes — such as a new category of data we collect, a change to how we share data, or a new subprocessor — will be communicated to active Subscribers by email at least 30 days before the change takes effect.
- b. Non-material changes — such as clarifications, corrections, or administrative updates — will be reflected by updating the "Effective Date" at the top of this page. No email notification will be sent for minor updates.
- c. Continued use of any CromaPages product after the effective date of a revised Policy constitutes acceptance of the updated Policy.
- d. We encourage all Subscribers to review this Policy periodically. The current version is always available at cromapages.com/privacy/.
The most significant anticipated change is our planned migration of data storage to UK/EU-region servers. When this migration is complete, we will update Sections 7, 8, and 9 of this Policy and notify all Subscribers by email.
14. Contact & Complaints
If you have any questions, concerns, or requests relating to this Privacy Policy or to how CromaPages handles your personal data, please contact us:
Escalation — Regulatory Complaints
If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with the relevant data protection authority:
- EU users: Contact your national data protection authority. A full list is available at edpb.europa.eu.
- UK users: Contact the Information Commissioner's Office (ICO) at ico.org.uk or by telephone at 0303 123 1113.
- Indian users: Once the DPDPA Data Protection Board is established and operational, complaints may be lodged with the Board. CromaPages will update this section when the Board is operational.
We always prefer to resolve concerns directly before you escalate to a regulator, so please contact us first and give us the opportunity to address your concern.
