PRIVACY POLICY

NexonHost S.R.L.

1. General information

This Privacy Policy is intended to inform NexonHost S.R.L. users and customers about how personal data is processed in connection with the use of the website, the customer account, and the hosting services provided.

NexonHost complies with Regulation (EU) 2016/679 (GDPR), Law no. 190/2018, and other applicable national legislation.

This Policy applies to:

• visitors of the NexonHost website;

• customers / potential customers;

• persons who contact NexonHost (email/phone/ticket).

2. Who is responsible for data processing

2.1. NexonHost customer data (contractual relationship) – Data Controller

For data processed for administrative, commercial, and support purposes, NexonHost S.R.L. acts as a DATA CONTROLLER, within the meaning of Article 4(7) GDPR.

Controller identification details:
NexonHost S.R.L.
Registered office: Lipova, Arad, Romania, B.P. Hasdeu Street no. 60
Tax ID (C.U.I.): 34578646
Phone: +40 723 996 387
GDPR contact e-mail: gov@nexonhost.com

2.2. Data Protection Officer (DPO)

NexonHost has not currently appointed a Data Protection Officer (DPO). For any questions regarding data protection or to exercise your rights, you may contact us at: gov@nexonhost.com

If NexonHost appoints a DPO in the future, the contact details will be published by updating this Policy.

2.3. Customer data uploaded to hosting services – Processor

For personal data uploaded, stored, or processed by customers through the hosting services (e.g., databases, files, emails, applications), NexonHost S.R.L. acts exclusively as a DATA PROCESSOR on behalf of the customer (the customer being the Data Controller).

In this situation, NexonHost processes data only on the basis of the customer’s documented instructions and within the limits of the GDPR.

3. Personal data processed by NexonHost as Controller

3.1. Categories of data

We may process, as applicable:

• identification and contact data: first name, last name, email, phone;

• billing/contract data: address, VAT ID / CNP (as applicable), invoice details;

• account data: username/customer ID, passwords, account settings;

• payment data: transaction status, payment references (without storing full card details);

• support data: requests, tickets, correspondence;

• technical/security data: IP address, authentication logs, access data and security events.

3.2. Data sources

Data may come from:

• directly from you (form, account, contract, email, phone);

• from the use of services (logs, IP, security events);

• from partners involved in payments/service delivery (e.g., payment processors), strictly to the extent necessary to perform the contract (usually payment confirmation and transaction reference).

3.3. Purposes and legal bases for processing

Processing is carried out strictly for the following purposes:
a) Concluding and performing the contract (Article 6(1)(b) GDPR)

• account creation, service administration, hosting delivery, technical support.

b) Compliance with legal obligations (Article 6(1)(c) GDPR)

• invoicing, accounting records, tax obligations, responses to authorities, document retention as required by law.

c) Legitimate interest (Article 6(1)(f) GDPR)

• infrastructure security, fraud/abuse prevention, service protection, incident investigation, defending NexonHost’s rights in court.

4. Storage period

Data is retained:

• for the duration of the contractual relationship and service provision;

• thereafter, in accordance with legal obligations (e.g., financial-accounting documents, under applicable law);

• technical and security logs: 12 months;

• support requests: 3 years;

• marketing data (if any): until withdrawal of consent / objection.

Where periods cannot be expressed precisely, they are set according to the purpose, nature of the data, and applicable legal obligations.

5. Data recipients

Data may be disclosed, as applicable, to:

• service providers (processors): payment processors, IT infrastructure providers, support services, email services, security solutions, accounting (if applicable);

• public authorities, based on legal obligations or valid requests.

All contracted providers are required to comply with GDPR requirements through contractual clauses.

6. Transfers to third countries (outside the EEA)

As a rule, NexonHost aims to keep processing within the EEA (European Economic Area) and will not transfer data to third countries.

If, exceptionally, a transfer to a third country is necessary, it will be carried out only under the conditions provided by the GDPR, based on appropriate safeguards.

7. Customer data stored on hosting services (NexonHost as Processor)

For data uploaded by customers:

• NexonHost does not determine the purposes of processing of such data;

• NexonHost does not use the data for its own benefit;

• NexonHost does not analyze the content;

• NexonHost does not disclose the data without instructions or legal obligations.

Responsibility for the lawfulness of the data, informing data subjects, and the legal bases for processing lies exclusively with the customer, as the Data Controller.

8. Data subject rights

Under GDPR, data subjects benefit from:

• the right of access;

• the right to rectification;

• the right to erasure;

• the right to restriction of processing;

• the right to data portability;

• the right to object;

• the right to withdraw consent (where processing is based on consent);

• the right to lodge a complaint with ANSPDCP;

• the right to bring an action before the courts.

Requests regarding data processed by NexonHost as Controller may be sent to: gov@nexonhost.com .
For data processed by customers via hosting services, data subjects must address the Data Controller directly (the NexonHost customer).

9. Exercising rights, response time and conditions

a) Response time: NexonHost generally responds within 1 month from receiving the request. This may be extended by up to 2 additional months if the request is complex or numerous; in this case, you will be informed within the initial 1-month period.
b) Identification: NexonHost may request additional information to identify the requester, to the extent permitted by GDPR.
c) Additional copies: for additional copies of data, NexonHost may charge a reasonable fee based on administrative costs, under GDPR conditions.
d) Legal limitations: in certain situations, access may be restricted where legal obligations or the rights of others apply; you will be informed of the reasons, to the extent permitted by law.

10. Automated decisions / profiling

NexonHost does not use decision-making processes based solely on automated processing, including profiling, that produce legal effects or significantly affect you.

If automated mechanisms are implemented strictly for security purposes (e.g., detecting fraud/abuse attempts), they do not produce significant legal effects on the data subject, but aim to protect the services.

11. Cookies and similar technologies (website)

The NexonHost website may use:

• strictly necessary cookies for operation (for example, session/authentication, security, technical preferences);

• analytics cookies (statistics regarding website usage), only if you provide consent;

• marketing cookies (if used), only if you provide consent.

You can manage cookie preferences from your browser settings and/or via the consent mechanism (banner) available on the website, if implemented. Refusing non-essential cookies does not affect the basic operation of the website.

12. Mandatory nature of providing data

Providing certain data is necessary:

• to conclude and perform the contract (e.g., identification and billing data);

• to comply with legal obligations.

If such data is not provided, NexonHost may be unable to provide services or conclude the contract.

13. Data security

NexonHost implements appropriate technical and organizational measures, including, as applicable:

• encryption of communications and access security measures;

• access control and authentication;

• firewall / protection against unauthorized access and anti-abuse measures;

• monitoring of security events;

• confidentiality policies for staff/contractors with access to personal data.

14. Complaints

Data subjects may lodge a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP) or another competent supervisory authority, according to the GDPR.

15. Policy updates

NexonHost reserves the right to update this Privacy Policy. The applicable version is the one published on the website at the time the services/website are used.