Privacy Policy
How Niserva collects, uses, and protects your personal data under the EU General Data Protection Regulation (GDPR).
This privacy policy explains how MB „O zeniau“ (the small partnership operating Niserva, hereafter "Niserva", "we") processes your personal data when you use the niserva.com website and the Niserva platform. The policy complies with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Lithuanian Law on Legal Protection of Personal Data.
1. Data controller
MB „O zeniau“, established in the Republic of Lithuania. Contact us at info@nexdev.lt for anything related to your personal data.
2. What we collect
- Account data — name, email, password hash, company name, country, sector, role within the organization.
- Usage data — login records, IP address, browser type, language preference, session cookies.
- Compliance content — risks, vendors, incidents, policies, training records, evidence files you upload to your workspace. This data belongs to your organization; we just store it.
- Payment data — invoice history, plan information. Card data itself is handled by Stripe — Niserva never sees it.
- Communications — emails, support tickets, response history.
3. Why we process
- Performance of contract (Art. 6(1)(b)) — account creation, service delivery, billing, support.
- Legitimate interest (Art. 6(1)(f)) — security, fraud prevention, product improvement, aggregated analytics.
- Consent (Art. 6(1)(a)) — non-essential analytics cookies, marketing messages (revocable any time).
- Legal obligation (Art. 6(1)(c)) — accounting, tax, NIS2 / cybersecurity law compliance.
4. Retention
- Active account data — duration of the contract.
- Inactive accounts — deleted or anonymized 12 months after last login.
- Invoice records — 10 years (Lithuanian tax law).
- Audit and security logs — up to 12 months.
- Cookie consent records — 12 months, then re-prompt.
5. Sub-processors
Niserva relies on these processors, all bound by GDPR-compliant DPAs:
| Processor | Purpose | Region |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage | EU (eu-west-1) |
| Vercel Inc. | Hosting, edge infrastructure | EU + US (Frankfurt) |
| Anthropic PBC | AI Compliance Officer, AI policy generation | US (DPF + SCC) |
| Resend Inc. | Transactional email delivery | US (DPF + SCC) |
| Stripe Payments Europe Ltd. | Payment processing | Ireland + US (DPF) |
The full processor list and the DPA are available on the Data Processing Agreement page.
6. International transfers
When data leaves the EU/EEA (e.g. Anthropic, Resend, Stripe US infrastructure), we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU-U.S. Data Privacy Framework (DPF). The most sensitive content (NIS2 evidence) and our core database stay in EU regions.
7. Your rights
Under GDPR you have the right to:
- Access your data (Art. 15)
- Have inaccurate data corrected (Art. 16)
- Have data erased (Art. 17)
- Restrict processing (Art. 18)
- Receive your data in a portable format (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time (without affecting prior lawful processing)
- Lodge a complaint with the Lithuanian DPA — State Data Protection Inspectorate (VDAI), vdai.lrv.lt/en
Email info@nexdev.lt to exercise any of these rights. We respond within 30 days.
8. Security
TLS 1.3 in transit, AES-256 at rest, Postgres Row-Level Security for tenant isolation, MFA for platform admins, audit log on every change. Details: Security page.
9. Children
Niserva is not directed at people under 18 and we do not knowingly collect their data.
10. Policy changes
Material changes are emailed to you at least 30 days before they take effect. Editorial updates are reflected in the "Updated" date at the top of this page.
11. Contact
MB „O zeniau“
Email: info@nexdev.lt
Site: niserva.com