Privacy Policy
Transparent data processing practices aligned with GDPR, POPIA, and the Zimbabwe Cyber and Data Protection Act. Your rights, our commitments.
Last updated: 09 November 2025
What We Collect
Contact & Account Data
Examples: Name, email, phone, company, job title
Purpose: Service delivery, account management, support
Incident Response Data
Examples: System logs, network captures, malware samples
Purpose: Forensic investigation, threat analysis
Training & Academy Data
Examples: Assessment scores, certification status, attendance
Purpose: Educational services, accreditation
Marketing Data
Examples: Newsletter subscriptions, event registrations, preferences
Purpose: Communications (consent-based)
Technical Telemetry
Examples: IP addresses, user agents, session identifiers
Purpose: Security, fraud prevention, service optimization
Legal Bases for Processing
Contractual Necessity
Processing required to deliver cybersecurity services, training, or consulting as agreed in contracts.
Legitimate Interest
Service improvement, fraud prevention, system security, and threat intelligence (balanced against your rights).
Consent
Marketing communications, newsletter, event invitations (withdrawable at any time via unsubscribe links).
Legal Obligation
Regulatory reporting (breach notifications), tax compliance, lawful law enforcement requests.
Retention Periods
- Incident Response Data: 24 months post-engagement (legal hold precedence applies)
- Forensic Evidence: 36 months (regulatory and litigation requirements)
- Training Records: 7 years (accreditation body requirements)
- Marketing Consents: Until withdrawal or 24 months of inactivity
- Billing Records: 7 years (tax compliance)
International Data Transfers
Data may be transferred between our Harare (Zimbabwe) and Warsaw (Poland/EU) facilities. We implement:
- Standard Contractual Clauses (SCCs): EU-approved Module 2 (Controller to Processor)
- Encryption: TLS 1.3 in transit, AES-256 at rest
- Access Controls: Role-based with geo-restrictions where feasible
- Transfer Impact Assessments: Quarterly reviews per Schrems II guidance
Your Data Subject Rights
Access
Request a copy of the personal data we hold about you.
Rectification
Correct inaccurate or incomplete data.
Erasure (Right to be Forgotten)
Delete your data when it is no longer needed or consent is withdrawn.
Restriction
Limit processing while we verify accuracy or assess lawfulness.
Objection
Object to processing based on legitimate interest or direct marketing.
Portability
Receive your data in a structured, machine-readable format.
Withdraw Consent
Revoke consent for marketing or optional processing at any time.
To exercise your rights: Email privacy@nexnet.example with your request. We respond within 30 days (extendable to 60 days for complex requests with notification).
Automated Decision-Making
We do not use automated decision-making or profiling that produces legal or similarly significant effects. Threat intelligence scoring uses human review for all client-facing decisions.
Cookies & Tracking
See our Cookie Policy for details on essential, analytics, and preference cookies. We use privacy-first analytics (Matomo) with IP anonymization.
Children's Privacy
Our services are not directed to individuals under 18. We do not knowingly collect data from minors. If you believe we have inadvertently collected such data, contact us for deletion.
Changes to This Policy
We may update this policy to reflect legal, operational, or service changes. Material changes will be communicated via email (for registered users) and website notice 30 days prior to the effective date.
Contact & Complaints
Data Protection Officer: dpo@nexnet.example
General Privacy Inquiries: privacy@nexnet.example
You have the right to lodge a complaint with your local supervisory authority:
- EU: EU Data Protection Authorities
- South Africa: Information Regulator (POPIA) - inforeg.org.za
- Zimbabwe: Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ)