Juridische documenten

Juridische documenten > Europese Unie

Privacy Policy

Last updated: 4 May 2026

This Privacy Policy explains how NEXON Systems Sp. z o.o. (referred to as NEXON, we) collects, uses, stores, and protects personal data of website visitors, users of the NEXON Vision service, and customer representatives.

NEXON Vision is a Software-as-a-Service platform for managing Digital Signage screens, devices, playlists, schedules, and content.

This Policy applies to customers registered outside Ukraine and visitors to our international website. For customers registered in Ukraine, the data controller is TOV NEXON Ukraine, and a separate privacy policy applies.

This Policy is drafted in compliance with the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and applicable Polish data protection law.

1. Data Controller

NEXON Systems Sp. z o.o.

  • KRS: 0001225896
  • NIP / VAT EU: PL5223365741
  • Registered office: ul. Legionowa 31A, 01-343 Warszawa, Poland
  • Email for data protection inquiries: [email protected]
  • Phone: +48 514 908 198

The person responsible for data protection matters is the Managing Director of NEXON Systems Sp. z o.o. For all questions regarding the processing of personal data, the exercise of data subject rights, or notifications about incidents, please contact [email protected].

We have not appointed a separate Data Protection Officer (DPO), as this is not mandatory for our processing activities under Article 37 GDPR. Should this become required, we will appoint a DPO and update this Policy.

2. Roles

For data of Customer representatives, contact persons, Account users, payment, and contractual data, NEXON acts as the data controller.

For personal data uploaded, stored, or broadcast by the Customer through the Service as part of their Content, the Customer is the data controller and NEXON acts as the data processor under a separate Data Processing Agreement (DPA).

The Customer is responsible for ensuring a lawful basis for uploading, storing, and broadcasting personal data of third parties through the Service, and for informing data subjects about such processing.

3. What Data We Collect

3.1. Website Visitor Data

  • IP address;
  • browser, device type, and operating system;
  • browser language;
  • date and time of visit;
  • pages viewed;
  • referrer source;
  • cookie data and similar technologies;
  • Google Analytics (GA4) data;
  • session and behavioural data, including session recording.

Regarding session recordings. Session recordings contain anonymised information about interaction with the interface (cursor movements, clicks, scrolling). Entered passwords, payment data, and other sensitive information are automatically masked and do not appear in recordings. Session recordings are used solely for error analysis, UX improvement, and technical support. We do not use these recordings for automated decision-making about users, profiling, or other actions that may produce legal or similarly significant effects on a specific person.

3.2. Customer and User Data

Contact and registration data: - first and last name of the contact person; - email, phone, position; - company name, country, address, tax details; - login, password (in hashed form), account settings.

Service usage data: - Plan information, invoices, payments, and interaction history; - device data: IP addresses, device type, OS version, application version, technical logs; - data on screens, screen groups, playlists, schedules, and settings; - uploaded Content: files, images, videos, text, links, and other materials; - access and action logs in the Service.

Communication data: - support inquiries (email, chat, phone); - recordings of phone calls with technical support (subject to notification at the start of the call); - chat history on the website; - transactional notifications sent through email, SMS, or push notifications.

3.3. Payment Data

Payments are processed through the external payment operator Stripe. Card data (card number, CVV, expiry date) is not stored in NEXON's infrastructure and is processed exclusively by the payment operator in accordance with PCI DSS standards.

NEXON receives only a limited dataset from the payment operator: payment status, amount, date, masked card number (last 4 digits), and transaction identifier.

3.4. Integration Data

If the Customer connects third-party services or integrations, we may process technical data, access tokens, account identifiers, and other information necessary for the operation of such integration.

If the Customer uses the Canva integration, design files, images, text, layouts, links, and other materials may be processed for the purpose of creating designs, exporting, or importing content between Canva and the Service.

If the Customer uses Google integrations, Google data is processed solely for providing the relevant feature activated by the Customer. We do not use data obtained through Google APIs for advertising, do not sell such data, and do not transfer it to third parties, except as necessary for the operation of the integration, security, or compliance with law.

3.5. Audience Counting Modules

Certain modules of the Service may use technology to count the number of devices (smartphones, tablets, laptops) within range of a screen based on Bluetooth or Wi-Fi signals to estimate the anonymous count of persons near the screen.

Such modules do not identify specific individuals, do not store MAC addresses in their original form (hashing or aggregation is applied), and are not used for tracking the behaviour of specific people. Only aggregated statistics are collected (e.g., "20 devices per hour"). If the Customer activates such a module, the Customer is responsible for informing visitors of the location in accordance with applicable law.

NEXON does not use cameras, facial recognition technology, or other means of processing biometric data within the main Service.

4. Purposes of Processing

We use personal data for the following purposes:

  • creating and administering Accounts;
  • providing access to the Service and managing screens, devices, playlists, schedules, and Content;
  • issuing invoices and maintaining accounting records;
  • technical support and responding to inquiries (including call recordings for quality control and training);
  • ensuring security, detecting abuse, errors, and unauthorised access;
  • backups and Service recovery;
  • improving features, interface, and Service performance (including session analysis);
  • sending transactional notifications about the Service via email, SMS, or push (account changes, device errors, billing, security);
  • operating integrations activated by the Customer;
  • compliance with legal obligations and protection of NEXON's rights.

NEXON does not use personal data for marketing email campaigns. Transactional notifications (regarding Service operation, billing, security) are sent regardless of marketing consent, as they are necessary for the performance of the contract.

5. Legal Bases for Processing

Depending on the situation, we process personal data on the following legal bases under Article 6 GDPR:

  • performance of a contract (Article 6(1)(b) GDPR) — for providing the Service, processing payments, technical support;
  • compliance with legal obligations (Article 6(1)(c) GDPR) — for accounting, tax, and other regulatory requirements;
  • legitimate interests of NEXON (Article 6(1)(f) GDPR) — for Service security, analytics, product development, defence of rights;
  • consent (Article 6(1)(a) GDPR) — for non-essential cookies, optional notifications;
  • instructions of the Customer — where NEXON acts as a data processor.

6. Cookies

We use cookies and similar technologies for website operation, session management, security, analytics, and improving user experience. Non-essential cookies are used only with consent.

Consent management is implemented through Cookiebot. Detailed information is in our separate Cookie Policy.

7. Where Data Is Processed

7.1. Primary Infrastructure

Personal data, Content, technical logs, device settings, playlists, and other Service data are stored and processed on servers within the European Union, including the DigitalOcean data centre in Frankfurt am Main, Germany.

7.2. Processing Within the EU

NEXON's development, technical support, monitoring, and Service administration team is located in the European Union (Poland). All Customer data is processed within the European Economic Area (EEA), which provides a level of data protection compliant with GDPR.

7.3. Third Countries

Certain third-party providers of technical, analytics, email, SMS, payment, or integration services may process limited data in countries outside the EEA (such as the United States or Australia). In such cases, we apply appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission;
  • adequacy decisions where applicable;
  • mechanisms under the EU-US Data Privacy Framework for relevant providers;
  • other lawful safeguards.

8. Subprocessors and Third-Party Providers

For the operation of the Service, we engage third-party providers who process data only to the extent necessary for the relevant services.

Categories of providers include:

  • hosting and server infrastructure providers;
  • analytics and integration providers;
  • consent management providers;
  • payment operators;
  • session analysis and behavioural analytics providers;
  • providers of email, SMS, and push notification services;
  • design tools providers (Customer-activated);
  • helpdesk, monitoring, backup, and logging providers;
  • banks, accountants, auditors, lawyers, and other professional advisors.

The current list of specific providers, with the country of processing and transfer mechanisms, is published on the Subprocessor List page and updated upon changes.

9. Data Retention Periods

Category of data Retention period
Active Account data For the duration of Service use
Data after end of paid period Up to 90 calendar days, after which it may be permanently deleted
Accounting and tax documents At least 5 years from the end of the tax year (Polish tax law)
Contract documents 6 years after termination (Polish Civil Code)
Access and technical logs Up to 12 months
Recordings of support phone calls Up to 6 months
Backups Up to 30 days after deletion of main data
Website analytics data (Google Analytics) Up to 14 months
Cookie data As specified in the Cookie Policy

Data is deleted or anonymised after the relevant retention period, unless required by law or necessary for the protection of NEXON's rights in case of a dispute.

10. Your Rights

In accordance with the GDPR, you have the following rights:

  • right of access (Article 15 GDPR) — to obtain information about the processing of your personal data and a copy of such data;
  • right to rectification (Article 16 GDPR) — to request correction of inaccurate or incomplete data;
  • right to erasure (Article 17 GDPR, "right to be forgotten") — to request deletion of your data where there is no further lawful basis for retention;
  • right to restriction of processing (Article 18 GDPR);
  • right to data portability (Article 20 GDPR) — to receive your data in a structured, machine-readable format;
  • right to object (Article 21 GDPR) — to object to processing based on legitimate interests or for direct marketing;
  • right to withdraw consent (Article 7(3) GDPR) — at any time where processing is based on consent (without affecting the lawfulness of prior processing);
  • right not to be subject to automated decision-making (Article 22 GDPR);
  • right to lodge a complaint with a supervisory authority.

To exercise your rights, contact s[email protected]. We respond within 30 calendar days of receiving the request. In complex cases, the period may be extended by a further 30 days with notice to the requester.

We may request additional information to verify the identity of the requester to avoid disclosing data to unauthorised persons.

11. Security and Incidents

We apply technical and organisational measures to protect personal data, including HTTPS/TLS, access controls, secure password hashing, two-factor authentication for administrative access, regular backups, employee access on a need-to-know basis, action logging, and monitoring.

A detailed description of measures is provided in the TOMs (Technical and Organisational Measures), which form part of the DPA.

Breach notification. Where a personal data breach is identified that is likely to result in a risk to the rights and freedoms of data subjects, we notify: - the Customer (where NEXON is the processor) — without undue delay and no later than 72 hours after becoming aware of the breach; - the supervisory authority — within 72 hours of becoming aware, in accordance with Article 33 GDPR; - affected data subjects — without undue delay, where the breach is likely to result in a high risk to their rights and freedoms (Article 34 GDPR).

12. Complaints to a Supervisory Authority

If you believe that the processing of your personal data violates the law, you may:

  • contact NEXON at [email protected] to resolve the matter;
  • lodge a complaint with the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych) in Poland — the lead supervisory authority for NEXON Systems Sp. z o.o.;
  • lodge a complaint with the supervisory authority in your country of residence (in accordance with Article 77 GDPR);
  • bring an action before a court in accordance with applicable law.

Contact details of the Polish supervisory authority: Urząd Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warsaw, Poland; https://uodo.gov.pl

13. Changes to This Policy

We may update this Policy from time to time. A new version takes effect upon publication on the website, unless otherwise indicated.

For material changes that significantly affect the rights of data subjects, we provide notice through the Service or email at least 30 calendar days before the changes take effect.

The date of the last update is shown at the top of this Policy.