LIVE · CATENA D'AUDIT · UE
SISTEMA · 99,99% UPTIME
v 1.0 ↗ FATTO IN UE
Privacy & GDPR

Your data, your rules.

Native GDPR compliance, sovereign EU hosting, clear legal basis, documented access / erasure / portability rights. No ads, no tracking, no resale.

Last updated : 01.05.2026 Version : 2.6
Our commitments
🇪🇺

100% EU

Frankfurt + Paris hosting. No US sub-processor on the data plane. Schrems II compliant.

🚫

Zero ads

No tracking cookies, no third-party analytics on the management app. Session cookie only.

⚖️

Your rights, actually

Signed JSON export, tombstone erasure preserving chain integrity, self-service rectification.

📄

DPA included

Standard EU DPA available on Unlimited and Enterprise. Up-to-date sub-processor list.

Data collected

What we collect.

Breakdown per user profile and purpose. No hidden collection.

👤

Operators (your team)

  • Name, work email
  • Hashed password or SSO identity
  • RBAC role, organization
  • Login IP, login timestamp
📱

Field users

  • Name (if provided in invite)
  • Email/phone for access link
  • Camera, audio, GPS — with on-screen consent
  • Hash of IP/user-agent (not raw)
📦

Inspection data

  • Photos, annotations, whiteboard exports
  • Video recordings (if enabled)
  • EU S3 storage with org-prefixed keys
  • Audit chain: hashes only
Your GDPR rights

6 rights, all self-service.

01

Access

Per-user export endpoint. Signed + zipped JSON bundle of all data referencing you.

Settings → Data → Export
02

Erasure

Tombstone pattern: PII fields nulled, audit chain hash preserved to keep legal integrity verifiable.

Settings → Data → Erase
03

Rectification

Modify your data via the SPA admin. Members, KYB, identity, preferences.

Settings → Profile
04

Portability

Structured JSON export in standard ingest format, importable elsewhere.

Same endpoint as access
05

Objection

Email privacy@nexbasira.com. Response within 30 days per GDPR article 12.

privacy@nexbasira.com
06

DPA complaint

Right to file a complaint with your local DPA (CNIL in France, AEPD in Spain, etc.).

cnil.fr · aepd.es · datatilsynet.no

Legal basis & retention.

Legal basis (GDPR art. 6)

Contract performanceFor the customer organisation
Legitimate interestFor the audit chain (operators are notified)
ConsentFor field camera/audio/GPS capture
Legal obligationeIDAS & accounting retention

Retention periods

Active sessionsPer-org configurable, default unlimited
Video recordingsMigrate to cold archive at 90 days
eIDAS archive7 years min., legal compliance
Account data (billing)Contract duration + 6 fiscal years
Sub-processors

All sub-processors are EU-based.

Service Purpose Country DPA
OVHcloud Primary hosting 🇫🇷 France
Scaleway Secondary hosting 🇫🇷 France
Hetzner Encrypted S3 storage 🇩🇪 Allemagne
LiveKit Cloud (EU) WebRTC media routing 🇩🇪 Allemagne
OVH SMS Invitation SMS delivery 🇫🇷 France
Stripe (EU) Billing & payment 🇮🇪 Irlande
Tezos / Ethereum Blockchain anchoring (hash only) 🌐 Public N/A

Monthly updates. Changes are notified to account admins 30 days in advance.

Data Protection Officer (DPO)

For any question about your personal data, rights or our practices, contact our DPO directly. Reply guaranteed within 30 days.

Email dpo@nexbasira.com
PGP A1B2 C3D4 E5F6 0708 1920 · 3132 3435 3637 3839 4041
Postal address Nexbasira · DPO · 12 rue de la Paix · 75002 Paris · France