Privacy Policy

irq
scb
sd
At Nexufend, we believe privacy is a right, not a checkbox. This Privacy Policy explains what personal data we collect, why we collect it, and how we use, store, and protect it, whether you are a customer, an authorized user of the Nexufend platform, or simply visiting our website.

We've written this Policy to be as clear as possible. The formal legal text follows below. If anything is unclear, or if you want to exercise your rights, you can always reach us directly at legal@nexufend.com.

Privacy Policy

Nexufend GmbH Last updated: 2026-05-04

1. Introduction

Nexufend GmbH ("Nexufend", "we", "us", "our") is committed to protecting personal data. This Privacy Policy explains how we collect, use, store, and share personal data when you or your organization interacts with us as a customer, prospective customer, or business contact.

This Privacy Policy covers Nexufend's role as a data controller — meaning the processing of personal data that Nexufend determines the purposes and means of, such as data about the individuals who represent our customers (account holders, billing contacts, authorized users, and support contacts).

It does not cover the processing of personal data that Nexufend performs as a data processor on behalf of customers — for example, network telemetry, security logs, and device data generated by the Nexufend Agent deployed on customer infrastructure. That processing is governed separately by the Data Processing Addendum ("DPA") entered into between Nexufend and the relevant customer.

2. Controller Identity and Contact

Data controller:

Nexufend GmbH Office Park 2, 5. Stock 1300 Wien Flughafen Austria Commercial Register: FN 637490 k (Landesgericht Korneuburg) VAT ID: ATU81156801

Data protection contact: legal@nexufend.com

For all data protection inquiries or to exercise your rights under this Policy, contact us at the address above or by email at legal@nexufend.com.

3. Scope and Applicability

This Policy applies to natural persons whose personal data Nexufend processes as a controller, including:

  • Authorized users and administrators of the Nexufend management console
  • Billing and procurement contacts at customer organizations
  • Individuals who contact us for sales, support, or partnership inquiries
  • Visitors to nexufend.com

This Policy applies regardless of whether the customer organization is located in the EU or elsewhere. Where applicable, we comply with the EU General Data Protection Regulation (GDPR), the Austrian Data Protection Act (DSG), and other applicable data protection laws.

4. Personal Data We Collect

4.1 Account and Contact Data

When a customer organization creates an account or enters into a contract with Nexufend, we collect personal data about the individuals designated to manage that relationship:

DataExamplesSourceIdentity dataFull name, job titleProvided by the individual or customer organizationContact dataBusiness email address, phone numberProvided by the individual or customer organizationOrganization dataCompany name, address, VAT numberProvided by the customer organizationBilling dataInvoice address, payment contact nameProvided by the customer organizationAccount identifiersUsernameCreated by the individual during registrationAuthentication credentialsPasskeys, FIDO2 keys/tokensCreated/registered by the individual

We do not collect payment card data directly. Payment processing is handled by our payment processor (see Section 7).

4.2 Usage and Platform Data

When authorized users access the Nexufend management console, we automatically collect:

DataPurposeLogin timestamps and IP addressesSecurity and access auditingConsole activity logs (policy changes, configuration events)Audit trail and supportBrowser type and operating systemCompatibility and troubleshootingSession identifiersAuthentication

4.3 Communication Data

When you contact us by email, phone, or through our support platform, we collect the content of that communication and any personal data included within it, together with metadata such as date, time, and communication channel.

4.4 Website Data

The nexufend.com website is hosted on Webflow (Webflow Inc., USA). When you visit nexufend.com, technical data necessary to deliver the website (such as your IP address and browser information) is processed by Webflow's infrastructure. See Section 7.1 for details.

We use Google Tag Manager (Google LLC, USA) on nexufend.com to manage and deploy tracking tags. Google Tag Manager itself does not set cookies or collect personal data — however, the tags it manages (such as advertising pixels) may do so once you have given consent. No advertising or tracking tags will fire until you have accepted the relevant cookie categories via our consent banner.

We use advertising tracking pixels via Google Tag Manager (e.g., LinkedIn Insight Tag, Google Ads, or Meta Pixel) to support our marketing activities. Our cookie consent banner is already in place; no advertising tags will fire without your prior consent.

We also use Google reCAPTCHA (Google LLC, USA) on nexufend.com contact forms and other interactive elements to detect bots and prevent fraudulent submissions. reCAPTCHA processes your IP address, browser and device information, and behavioral signals (such as mouse movements and timing). This processing is based on our legitimate interest in protecting our website and users from automated abuse (Art. 6(1)(f) GDPR). reCAPTCHA is a functional security measure and does not require your consent, though you may object to this processing at any time (see Section 11).

The management console (dashboard), which is hosted separately on Scaleway infrastructure in the EU, does not use Google Tag Manager, tracking pixels, advertising cookies, or reCAPTCHA.

5. Legal Bases for Processing

We process personal data only where we have a valid legal basis under GDPR Article 6. The following table sets out the processing activities and their corresponding legal bases.

Processing activityLegal basisAccount creation and managementArt. 6(1)(b) — necessary for the performance of a contractProviding the Service to authorized usersArt. 6(1)(b) — necessary for the performance of a contractBilling, invoicing, and payment administrationArt. 6(1)(b) — contract performance; Art. 6(1)(c) — legal obligation (Austrian BAO §132)Customer support and communicationsArt. 6(1)(b) — contract performanceSending product updates and service noticesArt. 6(1)(b) — contract performance; Art. 6(1)(f) — legitimate interestPlatform security monitoring and fraud preventionArt. 6(1)(f) — legitimate interest in protecting the platform and customersMarketing and commercial communications (where applicable)Art. 6(1)(a) — consent, or Art. 6(1)(f) — legitimate interest for existing customers under applicable lawAdvertising tracking on nexufend.com via Google Tag ManagerArt. 6(1)(a) — consent (cookie consent banner required; no tags fire without prior consent)Bot detection and fraud prevention via Google reCAPTCHA on nexufend.comArt. 6(1)(f) — legitimate interest in protecting the website and users from automated abuse and fraudulent submissionsRetaining records for statutory complianceArt. 6(1)(c) — legal obligation (Austrian BAO §132, UGB §212)Improving and developing the ServiceArt. 6(1)(f) — legitimate interest

Where we rely on legitimate interest, we have carried out a balancing assessment and determined that our interests do not override the rights and freedoms of the individuals concerned. You may object to processing based on legitimate interest at any time (see Section 10).

6. How We Use Personal Data

We use the personal data described in Section 4 for the following purposes:

  • Contract administration: Managing customer accounts, processing orders and invoices, handling renewals and terminations.
  • Providing the Service: Enabling authorized users to access the management console and operate the platform.
  • Customer support: Responding to inquiries, resolving technical issues, and communicating service updates.
  • Security: Monitoring for unauthorized access, investigating incidents, and protecting the integrity of the platform.
  • Legal compliance: Fulfilling our obligations under Austrian commercial and tax law, including retaining business records for the required statutory periods.
  • Service improvement: Using aggregated and anonymized usage patterns to identify issues and improve the platform. We do not use identifiable personal data from customer accounts to train AI/ML models.

7. Sub-processors and Third-Party Recipients

As a data controller, Nexufend shares personal data with the following categories of recipients:

7.1 Service Providers (Sub-processors)

These organizations process personal data on our behalf under contractual arrangements that include data protection obligations.

Sub-processorRoleLocationData processedZoho Corporation GmbHCRM, email, support ticketing, internal communications, payment processingEU — GermanyCustomer contact data, communications, account data, billing/payment dataZoho Corporation B.V.Sub-processor of Zoho GmbH; EU data center operationsEU — NetherlandsSame as aboveScaleway SASCloud infrastructure hosting (management console)EU — FrancePlatform data, access logsWebflow Inc.Website hosting (nexufend.com)US (SCCs in place)Website visitor IP addresses, browser data, technical delivery dataGoogle LLC (Google Tag Manager)Tag management on nexufend.comUS (SCCs in place)Manages and deploys tracking tags; no data collected by GTM itselfGoogle LLC (Google Meet)Video conferencingUS (SCCs in place)Names, email addresses of meeting participantsGoogle LLC (Google reCAPTCHA)Bot detection and fraud prevention on nexufend.com forms and interactive elementsUS (SCCs in place)IP address, browser and device signals, behavioral dataFinsweet Inc. (ConsentPro)Consent Management Platform — records and stores visitor consent preferences on nexufend.comUS (SCCs in place per Finsweet DPA, accepted via Finsweet ToS)Visitor consent choices, IP region, browser/device information, page URLs, timestamps

We do not sell personal data to third parties.

7.2 Affiliates

We may share personal data with Nexufend Affiliates (as defined in our Terms of Service) for the purposes of providing and improving the Service, or in connection with a corporate restructuring or transfer described in Section 8.

7.3 Legal Obligations

We may disclose personal data to public authorities, law enforcement bodies, or courts where required by applicable law, court order, or regulatory requirement. We will notify you where legally permitted before making such a disclosure.

7.4 Professional Advisors

We may share personal data with lawyers, auditors, and insurers where necessary in connection with a dispute, audit, or legal proceeding.

7.5 Advertising Platforms (Independent Controllers — Consent-Activated)

When you accept advertising cookies via our consent banner on nexufend.com, your browser sends data directly to the advertising platforms whose tags we deploy via Google Tag Manager (which may include LinkedIn, Google Ads, and Meta). These platforms act as independent data controllers in respect of the data they receive — they determine their own purposes and means of processing, and their processing is governed by their own privacy policies, not by this Policy or Nexufend's Data Processing Addendum.

No data is shared with these platforms unless you have given explicit prior consent via our cookie banner. You can withdraw consent at any time by updating your preferences in the banner.

8. International Data Transfers

All personal data processed by Nexufend is currently stored and processed within the European Union (Scaleway — France; Zoho — Germany/Netherlands).

Where we use service providers located outside the EU/EEA, data transfers are carried out under Standard Contractual Clauses (SCCs) as approved by the European Commission, or another valid transfer mechanism under GDPR Chapter V. This currently applies to:

  • Webflow Inc. (USA) — website hosting for nexufend.com; visitor IP addresses and browser data processed in the US under SCCs
  • Google LLC (USA) — Google Tag Manager (tag management on nexufend.com), Google reCAPTCHA (bot detection on nexufend.com), and Google Meet (video conferencing); processed in the US under SCCs
  • Finsweet Inc. (USA) — ConsentPro consent management platform; visitor consent choices and associated browser/device data processed in the US under SCCs (DPA accepted via Finsweet ToS)

Advertising platforms (Section 7.5) operate as independent controllers under their own terms; any data they receive flows directly from your browser upon your consent and is not a transfer made by Nexufend.

EU customer data (Agent telemetry, management console data) will remain permanently within the EU. If Nexufend in the future routes such data to non-EU infrastructure, any such transfer will be carried out under a valid transfer mechanism and reflected in an updated version of this Policy and the applicable DPA.

9. Cookies

We operate two distinct web properties with different cookie profiles:

9.1 nexufend.com (Marketing Website — hosted on Webflow)

nexufend.com is hosted on Webflow Inc. (USA). Webflow may set cookies necessary to deliver the website. Our cookie consent banner is in place on nexufend.com; no advertising or analytics tags will fire without your prior consent.

We use advertising tracking pixels via Google Tag Manager (e.g., LinkedIn Insight Tag, Google Ads, or Meta Pixel) to support our marketing activities. These tags are only activated after you accept the relevant cookie categories in our consent banner.

We also use Google reCAPTCHA on contact forms and other interactive elements to protect against bots and automated abuse. reCAPTCHA may set functional cookies and processes behavioral signals to distinguish human users from bots. This is a functional security measure based on legitimate interest (Art. 6(1)(f)) — it does not require opt-in consent, though you may object at any time (see Section 11).

Cookie typeStatusConsent required?Strictly necessary (Webflow delivery)In useNo — technically essentialStrictly necessary (ConsentPro consent preference)In useNo — technically essential (remembers your consent choices)Functional / security (Google reCAPTCHA)In useNo — legitimate interest (fraud/bot prevention); right to object appliesAnalyticsNot in useYes — if introducedAdvertising / tracking pixels (via GTM)In useYes — no tags fire without prior consent via consent banner

9.2 Management Console (Customer Dashboard — hosted on Scaleway, EU)

The Nexufend management console is hosted on Scaleway infrastructure in the EU and uses only strictly necessary cookies (session management and authentication). It does not use any analytics, tracking, or advertising cookies, and this will not change without updating this Policy.

Cookie typeStatusConsent required?Strictly necessary (session, authentication)In useNo — technically essentialAll other typesNot in useN/A

9.3 Managing Cookies

You can control and delete cookies through your browser settings. Disabling strictly necessary cookies on nexufend.com or the management console may affect functionality. You can accept or decline individual cookie categories at any time via the consent banner on nexufend.com.

10. Data Retention

We retain personal data only for as long as necessary for the purposes described in this Policy, or as required by law.

Data categoryRetention periodBasisContract and account dataDuration of the contractual relationship + 7 yearsAustrian BAO §132 (tax/accounting records)Invoices and payment records7 years from invoice dateAustrian BAO §132Account credentials and user profilesDuration of contract + up to 60 days (grace period)Legitimate interest / account recoverySupport communications3 years after the end of the contractStatute of limitations (Austrian ABGB §1489)Console access logs3 yearsSecurity and auditWebsite visitor data (nexufend.com via Webflow)Per Webflow's data retention policy; technical delivery data not retained by Nexufend beyond the sessionTechnical necessityAdvertising / tracking dataPer the retention policy of the relevant advertising platform; subject to consent withdrawal at any timeConsent (Art. 6(1)(a))

When the retention period expires, personal data is securely deleted or anonymized.

11. Your Rights

Under GDPR, individuals have the following rights regarding their personal data held by Nexufend as controller. Note that some of these rights apply in specific circumstances.

RightDescriptionAccess (Art. 15)Request a copy of the personal data we hold about youRectification (Art. 16)Request correction of inaccurate or incomplete personal dataErasure (Art. 17)Request deletion of your personal data, subject to legal retention obligationsRestriction (Art. 18)Request that we limit processing of your data in certain circumstancesPortability (Art. 20)Receive your data in a structured, machine-readable formatObjection (Art. 21)Object to processing based on legitimate interest, including direct marketingWithdraw consentWhere processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at legal@nexufend.com. We will respond within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing a request.

We do not charge a fee for handling rights requests except where they are manifestly unfounded or excessive.

12. Right to Lodge a Complaint

If you believe that Nexufend has processed your personal data in violation of applicable data protection law, you have the right to lodge a complaint with the competent supervisory authority:

Österreichische Datenschutzbehörde (DSB) Barichgasse 40–42 1030 Vienna, Austria dsb.gv.at

You may also contact the supervisory authority in your country of residence or workplace within the EU/EEA.

13. Data Security

Nexufend implements appropriate technical and organizational measures to protect personal data against unauthorized access, loss, destruction, or alteration. These measures include encryption in transit (TLS) and at rest, role-based access controls, multi-factor authentication for internal systems, and audit logging. A full description of our security measures is set out in the Technical and Organizational Measures Annex to our Data Processing Addendum.

No method of data transmission or storage is completely secure. If you become aware of a security concern relating to your account or data, contact us immediately at legal@nexufend.com.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Where changes are material, we will notify customers by email or via the management console at least 30 days before the changes take effect. The "Last updated" date at the top of this Policy reflects the most recent revision.

Continued use of the Service or nexufend.com after the effective date of a revised Policy constitutes acceptance of the changes.

15. Contact

For any questions, concerns, or requests related to this Privacy Policy or the processing of your personal data, please contact:

Nexufend GmbH legal@nexufend.com Office Park 2, 5. Stock, 1300 Wien Flughafen, Austria

Nexufend GmbH — nexufend.com — legal@nexufend.com

Still have questions?
Contact us at legal@nexufend.com — we're happy to help.
Arrow right icon
Get in touch
z
z
z
z
i
i
z
z
Experience Nexufend in Action
Book Demo
Book Demo
Company Logo of Nexufend
Office Park 2, 1300 Schwechat, Vienna Airport
General
HomeAbout Us
Legal
ImpressumPrivacy PolicyTerms of ServiceCookie Settings
Copyright © Nexufend 2026