Privacy Policy
Last updated: March 2026
1. Data We Collect
NexCyberEU collects the following categories of personal and operational data to provide our regulatory compliance platform:
- Account information: Name, email address, organisation name, and billing details provided at registration.
- Assessment inputs: Product descriptions, technical specifications, and regulatory metadata submitted during compliance assessments.
- Usage logs: Timestamps of platform interactions, pages visited, API calls, and features used.
- Payment data: Billing address and payment method tokens processed by Stripe. We do not store raw card numbers.
- Communications: Messages sent to our support or sales teams.
2. How We Use Your Data
- Service delivery: Running compliance calculations (CRA, NIS2, AI Act, RED, DORA) using our deterministic RICE engine.
- Billing and credits: Tracking credit consumption, processing payments, and issuing invoices.
- Security and fraud prevention: Monitoring for suspicious access and protecting platform integrity.
- Product improvement: Aggregated, anonymised analytics to identify usability issues.
- Legal compliance: Retaining records as required by applicable law.
We do not sell, rent, or share your personal data with third parties for marketing purposes.
3. Third-Party Sub-processors
We engage a curated list of sub-processors, each bound by a GDPR-compliant data processing agreement. The exhaustive register (purpose, data categories, hosting region, transfer mechanism, and DPA link) is maintained at /legal/sub-processors.
Core sub-processors at the date hereof:
- Hetzner Online GmbH (Germany): Primary database (PostgreSQL self-hosted) and application infrastructure in EU data centres (Falkenstein, Nuremberg). Intra-EU processing.
- Fly.io Inc. (United States): Backend API runtime hosting in the EU region (Paris). Persistent customer data is stored in Hetzner, not on Fly. SCCs in place.
- Vercel Inc. (United States): Hosting and edge delivery of the web application. No persistent personal data at this layer. SCCs + EU-US Data Privacy Framework where applicable.
- Stripe Payments Europe Ltd (Ireland): Payment processing and subscription billing. Stripe is an independent controller for payment data under its own privacy policy.
Material changes are notified to DPA-bound customers at least 30 days in advance.
4. Data Retention
Account data is retained for the duration of the active subscription and 12 months after account closure. Assessment data may be retained for up to 36 months to support compliance audit trails unless you request earlier deletion. Usage logs are retained for 90 days.
5. Your GDPR Rights
Under the GDPR (Regulation (EU) 2016/679), you have the following rights:
- Right of access (Art. 15): Request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): Correct inaccurate or incomplete personal data.
- Right to erasure (Art. 17): Request deletion of your personal data.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interests.
- Right to lodge a complaint: Contact your national supervisory authority (France: CNIL — www.cnil.fr).
To exercise any right, contact our DPO. We will respond within 30 days as required by GDPR.
6. Contact and DPO
For privacy enquiries or data subject requests:
Reach us: Privacy & DPO enquiry
NexCyberEU — EU-based SaaS provider. Governing law: French law.