Privacy Policy

Last updated: 8 March 2026

This privacy policy fulfills our obligations under GDPR Art. 13 (information to be provided when personal data are collected from the data subject).

Who We Are

Veridion Nexus operates Sovereign Shield, a GDPR Chapter V runtime enforcement and evidence service. For questions about this policy or data requests, contact us at: privacy@veridion-nexus.eu

What Data We Collect and Why

Account data

When you register, we collect your email address, company name, and a bcrypt-hashed password. We use this to create and manage your account.

Legal basis: Art. 6(1)(b) GDPR — performance of a contract.

API usage data

When you call our API, we store the transfer evaluation requests you submit — including destination country, partner name, data categories, and the resulting decision (ALLOW/BLOCK/REVIEW). This data forms your evidence vault and is the core service you signed up for.

Legal basis: Art. 6(1)(b) GDPR — performance of a contract.

Technical data

We store your API key hash (never the raw key), tenant identifier, enforcement mode, and trial expiry date. We also log IP addresses for rate limiting (5 requests per IP per hour on registration).

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in service security and abuse prevention.

Email communications

We send a welcome email upon registration containing your API key. We do not send marketing emails.

Legal basis: Art. 6(1)(b) GDPR — performance of a contract.

Where Your Data Is Stored

All data is stored on servers operated by Hetzner Online GmbH, located in the European Union (Germany/Finland). No personal data is transferred outside the EU/EEA as part of our infrastructure.

How Long We Keep Your Data

  • Account and API usage data: retained for the duration of your account plus 12 months after deletion request or trial expiry
  • Evidence vault records: retained for the duration of your account — these records support your GDPR Art. 30 obligations and are not deleted during active use
  • Rate limiting logs: deleted within 24 hours

Data We Do Not Collect

We do not collect payment card data (no payment processing is currently implemented). We do not use cookies for tracking. We do not use analytics services. We do not sell or share your data with third parties for commercial purposes.

Your Rights Under GDPR

As a data subject under GDPR, you have the right to:

  • Access (Art. 15)— Request a copy of all personal data we hold about you
  • Rectification (Art. 16)— Request correction of inaccurate or incomplete data
  • Erasure (Art. 17)— Request deletion of your data (subject to legal retention requirements)
  • Portability (Art. 20)— Receive your data in a structured, machine-readable format
  • Restriction (Art. 18)— Request limitation of processing in certain circumstances
  • Object (Art. 21)— Object to processing based on legitimate interests

To exercise any of these rights, contact: privacy@veridion-nexus.eu. We will respond within one month (30 days) as required by GDPR Art. 12(3).

Security

Passwords are stored as bcrypt hashes and never in plaintext. API keys are stored as SHA-256 hashes — the raw key is shown once at registration and never stored. All data in transit is encrypted via TLS (managed by Caddy). Database backups are encrypted at rest on Hetzner infrastructure.

Changes to This Policy

We may update this policy as the service evolves. Material changes will be communicated via email to registered users. The date at the top of this page reflects the latest revision.

Supervisory Authority

You have the right to lodge a complaint with your national data protection authority. If you are based in the EU, you may contact the supervisory authority in your country of residence. A list of EU DPAs is available at: edpb.europa.eu

This privacy policy was prepared based on the current technical implementation of Sovereign Shield. It has not been reviewed by legal counsel. If you have specific compliance requirements, we recommend independent legal review before relying on this document.