How we collect, use, and protect your data. We believe in strict data minimization and complete transparency under GDPR.
NIS2Engine ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights under the General Data Protection Regulation (GDPR — EU Regulation 2016/679).
We are a data controller under GDPR. We process personal data only as described in this policy and only where we have a lawful basis to do so.
Controller: NIS2Engine
Contact: Available via /contact
We operate a B2B SaaS platform that provides automated vendor security assessments and NIS2 Article 21 compliance documentation for organizations subject to EU cybersecurity regulations.
When you create an account we collect:
Purpose: To create and manage your account.
Lawful basis: Contract (Article 6(1)(b) GDPR).
When you subscribe we collect:
We do not store your credit card number or CVV. All payment data is processed by Lemon Squeezy (see Section 6).
Purpose: To process your subscription and issue invoices.
Lawful basis: Contract and legal obligation (Articles 6(1)(b) and 6(1)(c) GDPR).
When you add vendors we collect:
Purpose: To perform security assessments and generate compliance reports.
Lawful basis: Contract (Article 6(1)(b) GDPR).
We collect and store:
Purpose: To provide compliance documentation and audit trail.
Lawful basis: Contract (Article 6(1)(b) GDPR).
Retention: 24 months from scan date.
Standard server logs including:
Purpose: Security monitoring and debugging.
Lawful basis: Legitimate interests (Article 6(1)(f) GDPR; ensuring network and information security is recognised as a legitimate interest in Recital 49).
Retention: 90 days.
If you contact us via the contact form:
Purpose: To respond to your enquiry.
Lawful basis: Legitimate interests (Article 6(1)(f) GDPR).
Retention: 2 years from last contact.
| Purpose | Data Used | Lawful Basis |
|---|---|---|
| Providing the platform | Account data, vendor data, scan results | Contract |
| Processing payments | Billing data | Contract, Legal obligation |
| Sending monthly reports | Email address, scan results | Contract |
| Service notifications | Email address | Contract |
| Security and fraud prevention | Usage data, IP address | Legitimate interests |
| Legal compliance | All data | Legal obligation |
| Customer support | Account data, communication data | Legitimate interests |
| Platform improvement | Anonymized usage data | Legitimate interests |
We do not sell, rent, or trade your personal data.
We share data only in these circumstances:
| Subprocessor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Supabase | Database, authentication, storage | EU (AWS Frankfurt) | Standard Contractual Clauses |
| Lemon Squeezy | Payment processing | US | Standard Contractual Clauses |
| Mailgun | Email delivery | EU | Standard Contractual Clauses |
| Google (Safe Browsing API) | Threat intelligence | US | Standard Contractual Clauses |
| IPInfo | IP intelligence | US | Standard Contractual Clauses |
| URLScan.io | Domain intelligence | EU | Not applicable (processing within the EU) |
| AbuseIPDB | IP reputation | US | Standard Contractual Clauses |
| AlienVault OTX | Threat intelligence | US | Standard Contractual Clauses |
| Shodan | Port and vulnerability data | US | Standard Contractual Clauses |
| Vercel | Frontend hosting | US/EU | Standard Contractual Clauses |
| DigitalOcean | Backend hosting | EU (Amsterdam) | Standard Contractual Clauses |
We will notify you at least 30 days before adding or replacing any subprocessor.
Where we transfer personal data outside the EEA we rely on the Standard Contractual Clauses approved by the European Commission. We do not transfer personal data to a country outside the EEA unless a valid transfer mechanism under Chapter V GDPR (such as the Standard Contractual Clauses) is in place.
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion + 30 days |
| Billing records | 7 years (tax law requirement) |
| Vendor domain data | Until removed or account deletion |
| Scan results and PDFs | 24 months from scan date |
| Usage logs | 90 days |
| Communication data | 2 years from last contact |
| Backup data | 30 days after primary deletion |
To exercise any right use the contact form at /contact. We respond within 30 days.
Right of access (Article 15) — Request a copy of all personal data we hold about you.
Right to rectification (Article 16) — Request correction of inaccurate data.
Right to erasure (Article 17) — Request deletion of your personal data. We delete all of your personal data except what we are legally required to retain (for example billing records, see the retention table above).
Right to restriction (Article 18) — Request restriction of processing in certain circumstances.
Right to data portability (Article 20) — Request your data in JSON or CSV format.
Right to object (Article 21) — Object to processing based on legitimate interests.
Right to withdraw consent — Where processing is based on consent you can withdraw at any time.
Right to lodge a complaint — You have the right to complain to your national data protection authority:
We use only essential cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| supabase-auth-token | Authentication session | Session |
| theme-preference | Dark/light mode preference | 1 year |
| ls-cart | Lemon Squeezy checkout session | Session |
No advertising cookies. No analytics cookies. No third-party tracking. No cookie consent banner required.
Our platform is a B2B service for organizations and their authorized employees. We do not knowingly collect data from anyone under 18. If you believe we have done so inadvertently, contact us via /contact immediately.
We will notify you of material changes by email at least 30 days before they take effect. The version number and date at the top of this page reflect the current version.
For all privacy-related enquiries use the contact form at /contact.
We aim to respond to all privacy-related enquiries within 5 business days and to all formal rights requests within 30 days, within the one-month deadline set by GDPR Article 12(3).