VERSION 1.0 • LAST UPDATED: JUNE 2026

Privacy Policy

How we collect, use, and protect your data. We believe in strict data minimization and complete transparency under GDPR.

NIS2Engine ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights under the General Data Protection Regulation (GDPR — EU Regulation 2016/679).

We are a data controller under GDPR. We process personal data only as described in this policy and only where we have a lawful basis to do so.

For any questions about this policy, use the contact form at /contact.

1. Who We Are

Controller: NIS2Engine
Contact: Available via /contact

We operate a B2B SaaS platform that provides automated vendor security assessments and NIS2 Article 21 compliance documentation for organizations subject to EU cybersecurity regulations.

2. Data We Collect

2.1 Account Data

When you create an account we collect:

  • Email address
  • Company name
  • Country
  • Industry sector
  • Password (stored as a bcrypt hash — never in plain text)

Purpose: To create and manage your account.
Lawful basis: Contract (Article 6(1)(b) GDPR).

2.2 Billing Data

When you subscribe we collect:

  • Name on billing account
  • Billing address
  • VAT number if applicable

We do not store your credit card number or CVV. All payment data is processed by Lemon Squeezy (see Section 6).

Purpose: To process your subscription and issue invoices.
Lawful basis: Contract and Legal obligation (Article 6(1)(b) and 6(1)(c) GDPR).

2.3 Vendor Domain Data

When you add vendors we collect:

  • Vendor domain names
  • Vendor company names if provided
  • Notes you add
  • Scan authorization consent timestamp

Purpose: To perform security assessments and generate compliance reports.
Lawful basis: Contract (Article 6(1)(b) GDPR).

2.4 Scan Results Data

We collect and store:

  • Raw scan output
  • Security scores and grades
  • Generated PDF reports
  • Remediation letters

Purpose: To provide compliance documentation and audit trail.
Lawful basis: Contract (Article 6(1)(b) GDPR).
Retention: 24 months from scan date.

2.5 Usage Data

Standard server logs including:

  • IP address
  • Browser type and version
  • Pages visited and timestamps

Purpose: Security monitoring and debugging.
Lawful basis: Legitimate interests (Article 6(1)(f) GDPR).
Retention: 90 days.

2.6 Communication Data

If you contact us via the contact form:

  • Your email address
  • Message content

Purpose: To respond to your enquiry.
Lawful basis: Legitimate interests (Article 6(1)(f) GDPR).
Retention: 2 years from last contact.

3. Data We Do Not Collect

  • No sensitive personal data
  • No personal data about your vendors' employees
  • No cross-site tracking
  • No advertising cookies or tracking pixels
  • We do not sell your data
  • We do not use your data to train AI models
  • We do not record screens or keystrokes

4. How We Use Your Data

Purpose                        | Data Used                               | Lawful Basis
-------------------------------|-----------------------------------------|---------------------------
Providing the platform         | Account data, vendor data, scan results | Contract
Processing payments            | Billing data                            | Contract, Legal obligation
Sending monthly reports        | Email address, scan results             | Contract
Service notifications          | Email address                           | Contract
Security and fraud prevention  | Usage data, IP address                  | Legitimate interests
Legal compliance               | All data                                | Legal obligation
Customer support               | Account data, communication data        | Legitimate interests
Platform improvement           | Anonymized usage data                   | Legitimate interests

5. Data Sharing

We do not sell, rent, or trade your personal data.

We share data only in these circumstances:

  • With subprocessors — third-party services used to operate the platform, all contractually bound to GDPR compliance.
  • Legal requirements — If required by a valid legal order from a competent authority.
  • Business transfer — If the business is sold or merged, we will notify you at least 30 days before any transfer and you will have the right to delete your account.

6. Subprocessors

Subprocessor               | Purpose                           | Location           | Transfer Mechanism
---------------------------|-----------------------------------|--------------------|-----------------------------
Supabase                   | Database, authentication, storage | EU (AWS Frankfurt) | Standard Contractual Clauses
Lemon Squeezy              | Payment processing                | US                 | Standard Contractual Clauses
Mailgun                    | Email delivery                    | EU                 | Standard Contractual Clauses
Google (Safe Browsing API) | Threat intelligence               | US                 | Standard Contractual Clauses
IPInfo                     | IP intelligence                   | US                 | Standard Contractual Clauses
URLScan.io                 | Domain intelligence               | EU                 | GDPR compliant
AbuseIPDB                  | IP reputation                     | US                 | Standard Contractual Clauses
AlienVault OTX             | Threat intelligence               | US                 | Standard Contractual Clauses
Shodan                     | Port and vulnerability data       | US                 | Standard Contractual Clauses
Vercel                     | Frontend hosting                  | US/EU              | Standard Contractual Clauses
DigitalOcean               | Backend hosting                   | EU (Amsterdam)     | Standard Contractual Clauses

We will notify clients at least 30 days before adding or changing any subprocessor.

7. International Data Transfers

Where we transfer data outside the EEA we use Standard Contractual Clauses approved by the European Commission. We do not transfer data to countries without an adequate transfer mechanism.

8. Data Retention

Data Type             | Retention Period
----------------------|-----------------------------------
Account data          | Until account deletion + 30 days
Billing records       | 7 years (tax law requirement)
Vendor domain data    | Until removed or account deletion
Scan results and PDFs | 24 months from scan date
Usage logs            | 90 days
Communication data    | 2 years from last contact
Backup data           | 30 days after primary deletion

9. Security Measures

Technical

  • All data encrypted in transit using TLS 1.3
  • All data encrypted at rest using AES-256
  • Row-level security on all database tables
  • JWT authentication with short expiry
  • SOC 2 certified infrastructure via Supabase

Organizational

  • Production data access limited to authorized personnel
  • No plain text passwords stored
  • Regular access permission reviews
  • Incident response procedure in place

10. Your Rights Under GDPR

To exercise any right, use the contact form at /contact. We respond within 30 days.

Right of access (Article 15) — Request a copy of all personal data we hold about you.

Right to rectification (Article 16) — Request correction of inaccurate data.

Right to erasure (Article 17) — Request deletion of your personal data. We delete all data except where legally required to retain it.

Right to restriction (Article 18) — Request restriction of processing in certain circumstances.

Right to data portability (Article 20) — Request your data in JSON or CSV format.

Right to object (Article 21) — Object to processing based on legitimate interests.

Right to withdraw consent — Where processing is based on consent you can withdraw at any time.

Right to lodge a complaint — You have the right to complain to your national data protection authority:

  • Germany: BfDI (Federal Commissioner for Data Protection)
  • Netherlands: AP (Autoriteit Persoonsgegevens)
  • Ireland: DPC (Data Protection Commission)
  • France: CNIL
  • Any EU member state DPA

11. Cookies

We use only essential cookies:

Cookie              | Purpose                        | Duration
--------------------|--------------------------------|---------
supabase-auth-token | Authentication session         | Session
theme-preference    | Dark/light mode preference     | 1 year
ls-cart             | Lemon Squeezy checkout session | Session

No advertising cookies. No analytics cookies. No third-party tracking. No cookie consent banner required.

12. Children's Data

Our platform is a B2B service for organizations and their authorized employees. We do not knowingly collect data from anyone under 18. If you believe we have done so inadvertently, contact us via /contact immediately.

13. Changes to This Policy

We will notify you of material changes by email at least 30 days before they take effect. The version number and date at the top of this page reflect the current version.

14. Contact

For all privacy-related enquiries, use the contact form at /contact.

We aim to respond to all privacy enquiries within 5 business days and all formal rights requests within 30 days as required by GDPR Article 12.