Nis2You
Privacy Policy

Last updated: 2026-05-02

1. Data controller

The data controller for personal data is Jean-Marc Strauven, a self-employed professional based in Belgium (Kwinkeleer 25, 1760 Roosdaal).

For any question about your data: dpo@nis2you.com

2. Data we collect

When you use the Service, we collect:

  • Account data: name, email address, hashed password, preferred language, tenant membership.
  • Business data: risks, controls, action plans, incidents, reviews, assets and other entities you create. This data belongs to you.
  • Technical data: IP address, user-agent, last login, audit log of changes. Retained for security purposes.
  • Pseudonymous audience measurement: see the dedicated section below.

We do not collect data through third-party cookies, advertising trackers or third-party analytics (no Google Analytics, no Meta Pixel, no external scripts).

3. Purposes of processing

  • Providing and operating the Service (article 6.1.b GDPR, performance of a contract);
  • Service security and abuse prevention (article 6.1.f, legitimate interest);
  • Transactional communication: invitations, notifications, alerts (6.1.b);
  • Compliance with legal obligations (6.1.c);
  • Improving the Service based on aggregated and anonymised data (6.1.f).

4. Hosting and data location

Your data is hosted within the European Union. No transfer to a third country takes place under normal operation of the Service. If this changes, you will be informed and you may exercise your right to object.

5. Retention period

  • Active account: as long as your tenant is active.
  • After cancellation: 30 days to allow data export, then secure deletion.
  • Audit log: retained as long as the tenant is active (NIS2 traceability requirement).
  • Technical logs: 90 days.

6. Your rights

Under the GDPR, you have the following rights: access, rectification, erasure, restriction, portability, objection. To exercise these rights: dpo@nis2you.com

If you disagree with our handling, you can lodge a complaint with your supervisory authority:

7. Sub-processors

To deliver the Service we rely on technical sub-processors (cloud hosting, transactional email, payment). All are bound by a GDPR data-processing agreement (article 28) and process your data only on our instructions.

8. Security

We implement appropriate technical and organisational measures: TLS encryption, hashed passwords (bcrypt), optional two-factor authentication, full audit log, strict multi-tenant isolation.

9. Pseudonymous audience measurement

To understand the overall use of the Service (how many distinct visitors per day on the landing page and on the dashboard), we count visits without using any third-party service and without setting any cookie.

How it works:

  • On each visit we compute a SHA-256 fingerprint from your IP address, your user-agent and a cryptographic salt that rotates every day.
  • Only this fingerprint is stored; the IP address and user-agent are never persisted in this table.
  • The daily rotation of the salt makes it impossible to link your visits across two different days.
  • No user identifier, no session identifier, no cookie is associated with this measurement.

Legal basis: legitimate interest (article 6.1.f GDPR), namely measuring the aggregate audience of the Service to operate and improve it.

Retention: fingerprints are kept for 90 days and then deleted.

Your rights: due to the strong pseudonymisation (daily salt rotation), we cannot technically identify you within this data. If you wish to exercise a right to object for your future visits, please contact dpo@nis2you.com.
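The scheme described above, as an added illustration that is not the Nis2You code: a random salt created per day and discarded the next day, a SHA-256 fingerprint over IP and user-agent, distinct-visitor counting, and the 90-day purge. The function names and the in-memory dictionaries standing in for the database are assumptions.

```python
import hashlib
import secrets
from datetime import date

def daily_salt(store: dict, day: date) -> bytes:
    """Return the random salt for `day`, creating it on first use.
    Salts for earlier days are discarded, so even someone holding the stored
    fingerprints can no longer recompute an old one from an IP and user-agent."""
    for old in [d for d in store if d < day]:
        del store[old]
    if day not in store:
        store[day] = secrets.token_bytes(32)
    return store[day]

def visitor_fingerprint(ip: str, user_agent: str, salt: bytes) -> str:
    """SHA-256 over salt, IP and user-agent; only the hex digest is retained."""
    h = hashlib.sha256()
    h.update(salt)
    h.update(ip.encode("utf-8"))
    h.update(b"\x00")  # separator: keeps ip/user-agent boundaries unambiguous
    h.update(user_agent.encode("utf-8"))
    return h.hexdigest()

def record_visit(visits: dict, salts: dict, day: date, ip: str, ua: str) -> str:
    """Store the day's fingerprint for this visitor. `visits` maps a day to the
    set of fingerprints seen; the IP and user-agent are not written anywhere."""
    fp = visitor_fingerprint(ip, ua, daily_salt(salts, day))
    visits.setdefault(day, set()).add(fp)
    return fp

def distinct_visitors(visits: dict, day: date) -> int:
    """Number of distinct fingerprints seen on `day`."""
    return len(visits.get(day, ()))

def purge_expired(visits: dict, today: date, retention_days: int = 90) -> int:
    """Delete fingerprint sets older than the retention period; return how many."""
    expired = [d for d in visits if (today - d).days > retention_days]
    for d in expired:
        del visits[d]
    return len(expired)

if __name__ == "__main__":
    salts, visits = {}, {}
    # Constructed sample traffic: the same browser on two consecutive days.
    a = record_visit(visits, salts, date(2026, 5, 1), "203.0.113.7", "Mozilla/5.0")
    b = record_visit(visits, salts, date(2026, 5, 2), "203.0.113.7", "Mozilla/5.0")
    print("linkable across days:", a == b, "| visitors on day 1:",
          distinct_visitors(visits, date(2026, 5, 1)))
```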

This document is provided for information only. For a specific case, consult a lawyer.