Privacy Policy
Last updated: 21 May 2026
1. Data Controller
TriStiX S.L. NIF: B-26925016 Registro Mercantil de La Rioja Email: privacy@netsenx.com Website: https://netsenx.com
2. Data Protection Officer (DPO)
You may contact our Data Protection Officer at any time:
- Email: dpo@netsenx.com
- Postal: TriStiX S.L., Attn: DPO, La Rioja, Spain
3. Legal Basis for Processing
We process personal data under the following legal bases pursuant to GDPR Art. 6(1):
| Legal Basis | Purpose |
|---|---|
| Art. 6(1)(b) — Contract | Providing the NetSenX SaaS platform, account management, billing, and support |
| Art. 6(1)(f) — Legitimate Interest | Security monitoring, fraud prevention, service improvement, and analytics |
| Art. 6(1)(a) — Consent | Marketing communications, non-essential cookies, newsletter |
| Art. 6(1)(c) — Legal Obligation | Tax records, regulatory compliance, law enforcement requests |
4. Categories of Personal Data
4.1 Account Data
- Name, email address, company name, job title
- Billing information (processed by Stripe; we do not store full payment card numbers)
- Authentication credentials (hashed)
4.2 Usage Data
- IP addresses (anonymized after 30 days)
- Browser type, device information, operating system
- Pages visited, features used, session duration
- Referral source
4.3 Network Telemetry Data (Customer-Controlled)
- Network flow metadata processed by the NetSenX platform
- Threat detection alerts and incident reports
- This data is processed on behalf of the customer as a Data Processor (see our DPA)
4.4 Support Data
- Support ticket content, chat transcripts
- Feedback and survey responses
5. Data Retention Periods
| Data Category | Retention Period | Justification |
|---|---|---|
| Account data | Duration of contract + 5 years | Spanish commercial law (Codigo de Comercio Art. 30) |
| Billing records | 5 years after transaction | Spanish tax law (Ley General Tributaria) |
| Usage analytics | 26 months | Legitimate interest; anonymized after 30 days |
| Network telemetry | Customer-defined (default 90 days) | Data Processing Agreement terms |
| Support tickets | 3 years after resolution | Service improvement |
| Marketing consent records | Duration of consent + 3 years | Accountability obligation |
6. Data Recipients and Transfers
We share personal data only with the following categories of recipients:
| Recipient | Purpose | Location | Safeguards |
|---|---|---|---|
| Cloudflare, Inc. | CDN, DDoS protection, DNS | EU (with global edge) | EU SCCs, DPA |
| Stripe, Inc. | Payment processing | USA | EU SCCs, PCI DSS |
| Resend, Inc. | Transactional email | USA | EU SCCs, DPA |
| PostHog, Inc. | Product analytics (opt-in) | EU (Frankfurt) | DPA, cookieless mode available |
| Hetzner Online GmbH | Infrastructure hosting | Germany | GDPR-compliant, DPA |
All international data transfers are governed by Standard Contractual Clauses (SCCs) pursuant to GDPR Art. 46(2)(c) or adequacy decisions per Art. 45.
7. Data Breach Notification
In the event of a personal data breach:
- Customer DPO notification: Within 24 hours of confirmed breach
- Supervisory authority notification: Within 72 hours per GDPR Art. 33
- Data subject notification: Without undue delay where required per GDPR Art. 34
Our incident response procedure includes:
- Immediate containment and assessment
- Classification of severity and affected data categories
- Notification to affected parties with details of the breach, likely consequences, and mitigation measures
- Post-incident review and remediation report
8. Your Rights (GDPR Articles 15-22)
You have the following rights regarding your personal data:
- Right of Access (Art. 15) — Obtain a copy of your personal data
- Right to Rectification (Art. 16) — Correct inaccurate data
- Right to Erasure (Art. 17) — Request deletion ("right to be forgotten")
- Right to Restriction (Art. 18) — Limit processing in certain circumstances
- Right to Data Portability (Art. 20) — Receive your data in a structured, machine-readable format
- Right to Object (Art. 21) — Object to processing based on legitimate interest
- Right not to be subject to Automated Decision-Making (Art. 22)
To exercise any of these rights, contact: dpo@netsenx.com
We will respond within 30 days (extendable to 90 days for complex requests per Art. 12(3)).
9. Complaints
EU Supervisory Authority
You have the right to lodge a complaint with your local data protection authority.
Spanish Authority (AEPD)
As TriStiX S.L. is registered in Spain, our lead supervisory authority is:
Agencia Espanola de Proteccion de Datos (AEPD) C/ Jorge Juan 6, 28001 Madrid, Spain Website: https://www.aepd.es Phone: +34 901 100 099
You may file a complaint directly with the AEPD via their electronic office: https://sedeagpd.gob.es
10. Cookies
For detailed information about our use of cookies, please see our Cookie Policy.
11. Children's Privacy
NetSenX is a B2B enterprise platform. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, please contact dpo@netsenx.com immediately.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to account holders and posted on this page with an updated revision date.
TriStiX S.L. — NIF B-26925016 Registered in the Registro Mercantil de La Rioja, Spain