NGPX NGPX
Privacy Policy - NGPX Group
Back to Home

Privacy Policy

GDPR & ISO 27001 Compliant Data Protection Policy

Last updated: November 2025

Your Privacy Rights at a Glance

We are fully committed to protecting your personal data in compliance with GDPR and ISO 27001 standards.

Key principles of our data protection:

  • Full compliance with EU General Data Protection Regulation
  • ISO 27001 Certified Information Security Management System
  • Privacy by Design and Default implementation
  • Minimum data collection principle
  • Transparent processing with explicit consent
  • Your right to access, rectify, and delete data at any time

1. Introduction and Controller Information

This Privacy Policy explains how NGPX Group ("we", "us", "our") processes personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and maintains information security under ISO/IEC 27001:2022 standards.

Data Controller:

NGPX Group - Powered by LHB Fürst Holding GmbH
Ittenhauser Str. 10
88048 Friedrichshafen, Germany
Email: privacy@ngpx-group.com
Phone: +49 (0) 160 90624216
Commercial Register: HRB 741356 (Amtsgericht Ulm)

2. Data Protection Officer

We have appointed a Data Protection Officer (DPO) as required by Article 37 GDPR:

Data Protection Officer
NGPX Group
Email: dpo@ngpx-group.com
Phone: +49 (0) 160 90624216

You may contact our DPO for all data protection inquiries and to exercise your rights.

3. Information Security

ISO 27001 Compliance:

We maintain an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2013 standards.

Key Security Measures:

  • Encryption at rest and in transit
  • Regular security audits
  • Access control systems
  • 24/7 monitoring

4. Categories of Personal Data We Process

Data Category Types of Data Purpose Legal Basis
Identity Data Name, title, date of birth, gender Account management, communication Contract (Art. 6(1)(b))
Contact Data Email, phone, address, company Communication & service delivery Contract / Consent
Technical Data IP address, browser type, device info Website functionality, security Legitimate interest
Usage Data Website interactions, preferences Analytics, service improvement Consent (Art. 6(1)(a))
Financial Data Payment details, billing address Payment processing Contract/Legal obligation
Marketing Data Preferences, consent records Direct marketing Consent / Legitimate interest

5. Information Security Management

Our Information Security Management System (ISMS) implements:

  • Risk Assessment: Regular security risk assessments and threat modeling
  • Access Control: Role-based access control (RBAC) with principle of least privilege
  • Encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit
  • Monitoring: 24/7 security monitoring and intrusion detection systems
  • Incident Response: Documented incident response plan with 72-hour breach notification
  • Business Continuity: Disaster recovery plan with RPO of 24 hours, RTO of 4 hours
  • Audit Logging: Comprehensive audit trails retained for 3 years

6. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right to Access (Art. 15): Request a copy of your personal data
  • Right to Rectification (Art. 16): Correct inaccurate personal data
  • Right to Erasure (Art. 17): Request deletion ("right to be forgotten")
  • Right to Restrict Processing (Art. 18): Limit how we use your data
  • Right to Data Portability (Art. 20): Receive data in machine-readable format
  • Right to Object (Art. 21): Object to processing based on legitimate interests
  • Right to Withdraw Consent (Art. 7): Withdraw consent at any time
  • Right to Lodge a Complaint (Art. 77): File complaint with supervisory authority

Response Time: We respond to all rights requests within 30 days as required by GDPR.

7. Legal Bases for Processing

We process personal data only when we have a valid legal basis:

Article 6(1)(a) - Consent:

  • Marketing communications
  • Analytics and performance cookies
  • Newsletter subscriptions

Article 6(1)(b) - Contract:

  • Service delivery and account management
  • Customer support
  • Billing and payments

Article 6(1)(c) - Legal Obligation:

  • Tax and accounting records
  • Legal compliance and court orders
  • Anti-money laundering checks

Article 6(1)(f) - Legitimate Interests:

  • Network and information security
  • Fraud prevention
  • Direct marketing to existing customers

8. Data Retention Periods

We retain data only as long as necessary:

  • Customer data: Duration of contract + 6 years
  • Financial records: 10 years (German tax law)
  • Marketing consent: Until withdrawn
  • Website analytics: 26 months
  • Security logs: 3 years
  • Job applications: 6 months

After retention periods expire, data is securely deleted using DoD 5220.22-M standard.

9. International Data Transfers

When transferring data outside the EEA:

  • EU-US Data Privacy Framework: For US transfers
  • Standard Contractual Clauses: EU Commission approved
  • Adequacy Decisions: UK, Switzerland, Canada
  • Explicit Consent: For other countries

All transfers undergo Transfer Impact Assessments (TIA) per Schrems II requirements.

10. Data Breach Notification Procedures

In case of a personal data breach:

  • Internal notification: Within 24 hours to DPO and management
  • Risk assessment: Immediate evaluation of impact
  • Supervisory authority: Notification within 72 hours if high risk
  • Data subjects: Direct notification without undue delay for high-risk breaches
  • Documentation: Full breach register maintained

24/7 Breach Hotline: +49 160 90624216

11. Third-Party Processors

We use carefully selected processors with Data Processing Agreements (Article 28 GDPR):

Processor Service Location Safeguards
AWS Cloud hosting EU (Frankfurt) ISO 27001, SOC 2
Google Analytics Web analytics USA SCCs, DPF certified
Stripe Payment processing EU/USA PCI DSS Level 1
Microsoft 365 Email/productivity EU ISO 27001, SCCs
Cloudflare CDN/Security Global ISO 27001, SCCs

12. Privacy by Design & Default

We implement privacy by design principles (Article 25 GDPR):

  • Data Minimization: Collect only necessary data
  • Purpose Limitation: Use data only for stated purposes
  • Privacy Settings: Most protective settings by default
  • Data Protection Impact Assessments (DPIA): For high-risk processing
  • Pseudonymization: Where possible, data is pseudonymized
  • Security by Default: Encryption enabled by default

13. Automated Decision Making

We do not use automated decision-making or profiling that produces legal effects (Article 22 GDPR).

Where we use automated systems:

  • Fraud detection systems for security
  • Email spam filtering
  • Website personalization (with consent)

You have the right to request human intervention for any automated decisions.

14. Children's Privacy

Our services are not directed at children under 16 years (Article 8 GDPR).

  • We do not knowingly collect data from children
  • Age verification required for certain services
  • Parental consent required for users under 16
  • Immediate deletion upon discovery of underage data

15. Special Categories of Data

We do not intentionally collect special categories of personal data (Article 9 GDPR):

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic or biometric data
  • Health data
  • Sexual orientation

If such data is provided inadvertently, it will be immediately deleted.

16. Your California Privacy Rights

For California residents (CCPA/CPRA):

  • Right to know what data we collect
  • Right to delete personal information
  • Right to opt-out of sale (we don't sell data)
  • Right to non-discrimination
  • Right to correct inaccurate information
  • Right to limit use of sensitive data

17. Contact Methods

For privacy inquiries:

Email: privacy@ngpx-group.com

Phone: +49 (0) 160 90624216

Post: Data Protection, NGPX Group, Ittenhauser Str. 10, 88048 Friedrichshafen

Response SLA: 72 hours for initial response, 30 days for resolution

18. Supervisory Authority

You have the right to lodge a complaint with the supervisory authority:

Landesbeauftragte für Datenschutz und Informationsfreiheit Baden-Württemberg
Postfach 10 29 32
70025 Stuttgart
Germany

Phone: +49 711 615541-0
Email: poststelle@lfdi.bwl.de
Website: www.baden-wuerttemberg.datenschutz.de

19. Changes to This Privacy Policy

We may update this Privacy Policy to reflect:

  • Changes in legal requirements
  • New processing activities
  • Technological advancements
  • Organizational changes

Notification: Material changes will be communicated via email and website notice 30 days before taking effect.

Version Control: All versions are archived and available upon request.

Related Documents

This Privacy Policy should be read in conjunction with: