1. Governing Legal Framework
This Policy is drafted and enforced exclusively in accordance with:
- Regulation (EU) 2016/679 — General Data Protection Regulation (GDPR);
- Directive 2002/58/EC (ePrivacy Directive), as amended;
- Estonian Personal Data Protection Act (isikuandmete kaitse seadus — IKS), as in force;
- Estonian Information Society Services Act (infoühiskonna teenuse seadus);
- Binding guidance of the Estonian Data Protection Inspectorate (AKI) and the European Data Protection Board (EDPB).
Jurisdictional limitation: NIZU OÜ is incorporated in and operates under the laws of the Republic of Estonia and the European Union. No foreign national legal system, foreign court, or foreign regulatory authority is recognised as governing, supplementary, or persuasive in relation to this Policy. Any reference to or claim arising from any foreign jurisdiction is hereby expressly excluded.
2. Scope & Exclusions
This Policy applies exclusively to the processing of personal data of End-Users at the platform level, specifically:
- Account registration and authentication data;
- Platform usage data (log-ins, session metadata, feature interactions);
- Communications submitted through NIZU-operated support channels;
- Technical identifiers necessary for Platform security and service delivery.
This Policy expressly does not apply to:
- Data processed within a Client Workspace by the Client or Client Administrator — the Client is the sole Data Controller for all such data;
- GDPR settings, data retention configurations, or consent mechanisms activated by a Client Administrator within their Workspace;
- The personal data of the Client's employees, contractors, customers, or third parties processed by the Client through the Platform;
- Fiscal, financial, tax, or billing information of any Client or User.
3. Client Administrator Responsibility
Where a Client activates, configures, or operates any data processing feature or GDPR-relevant setting within its Client Workspace, the Client acts as an independent Data Controller for the purposes of the GDPR. NIZU acts solely as a Data Processor under Article 28 GDPR, on documented instructions from the Client.
The Client Administrator bears sole and exclusive legal responsibility for the lawfulness of all processing within the Workspace, appropriate legal bases, required notices and consents, data subject rights fulfilment, and any compliance failures, regulatory sanctions, or damages arising from the configuration or use of their Workspace.
NIZU OÜ accepts no liability, whether contractual, tortious, or statutory, for any failure by a Client or Client Administrator to comply with applicable data protection law. Any regulatory investigation, penalty, or civil claim arising from Client Workspace data processing is the sole responsibility of the Client.
4. Data Processed at Platform Level
NIZU processes the following categories of personal data of End-Users at the platform level:
- Account identifiers (name, email, username) — Art. 6(1)(b) GDPR — retained for the duration of account plus 3 years;
- Authentication logs (IP, timestamps, device) — Art. 6(1)(f) GDPR — retained 12 months rolling;
- Support communications — Art. 6(1)(b) GDPR — retained 3 years from last interaction;
- Platform usage metadata — Art. 6(1)(f) GDPR — retained 24 months, then anonymised;
- Payment transaction reference (not financial data) — Art. 6(1)(c) GDPR — retained 7 years (Estonian Accounting Act).
NIZU does not intentionally collect or process special categories of personal data (Article 9 GDPR) at the platform level. Users must not submit such data through platform-level interfaces.
5. Data Subject Rights
End-Users whose personal data is processed by NIZU at the platform level are entitled to exercise the following rights:
- Right of Access — Art. 15 GDPR;
- Right to Rectification — Art. 16 GDPR;
- Right to Erasure — Art. 17 GDPR (subject to statutory retention obligations);
- Right to Restriction of Processing — Art. 18 GDPR;
- Right to Data Portability — Art. 20 GDPR;
- Right to Object — Art. 21 GDPR;
- Right to Withdraw Consent — Art. 7(3) GDPR;
- Right to Lodge a Complaint — with the Estonian Data Protection Inspectorate (AKI) or any competent EU/EEA supervisory authority.
Important limitation: The rights above apply exclusively to personal data processed by NIZU OÜ at the platform level. Rights in relation to data within a Client Workspace must be directed to the relevant Client Administrator. NIZU is not in a position to fulfil such requests directly and accepts no liability for a Client's failure to respond.
To exercise your rights, email legal@nizu.io with subject line "GDPR Data Subject Request". NIZU shall respond within one (1) calendar month, extendable by two (2) further months where necessary (Art. 12(3) GDPR).
6. Transfers of Personal Data
NIZU processes personal data primarily within the European Economic Area (EEA). Where transfers to third countries occur, NIZU ensures appropriate safeguards are in place, including Standard Contractual Clauses (Art. 46(2)(c) GDPR) or adequacy decisions (Art. 45 GDPR). A list of third-country sub-processors is available upon written request to legal@nizu.io.
7. Data Security
NIZU implements technical and organisational measures pursuant to Article 32 GDPR, including encryption in transit (TLS 1.2 or higher) and encryption at rest, access controls with MFA for administrative access, regular security testing, pseudonymisation where appropriate, and business continuity procedures. Security measures are dependent on and constrained by the capabilities of the underlying Hetzner GmbH infrastructure.
In the event of a personal data breach, NIZU shall notify the Estonian Data Protection Inspectorate (AKI) within 72 hours where feasible (Art. 33 GDPR), and affected End-Users where there is a high risk to their rights and freedoms (Art. 34 GDPR).
8. Cookies & Tracking
NIZU uses the following types of cookies on the Platform:
- Strictly necessary cookies — required for Platform operation; exempt from consent;
- Analytical cookies — used to measure performance and improve service quality; deployed only upon User consent;
- Functional cookies — used to enable personalised features; deployed only upon User consent.
Third-party or advertising cookies are not used by NIZU at the platform level. Users may manage cookie preferences through the platform-level cookie management interface.
9. Data Protection Officer
NIZU has designated a Data Protection Officer (DPO) in accordance with Article 37 GDPR. The DPO may be contacted at legal@nizu.io, Harju maakond, Tallinn, Lasnamäe linnaosa, Lõõtsa tn 5, 11415, Estonia.
10. Amendments
Material amendments to this Policy shall be notified to registered End-Users at least thirty (30) calendar days prior to the effective date. Continued use of the Platform following the effective date constitutes acceptance of the amended Policy.
11. Governing Law & Dispute Resolution
This Policy is governed by and construed exclusively in accordance with the laws of the Republic of Estonia and applicable European Union law. Any dispute shall be subject to the exclusive jurisdiction of the competent courts of the Republic of Estonia, seated in Tallinn. No foreign court, arbitral body, or regulatory authority outside Estonia and the EU has jurisdiction over any matter arising from this Policy.
12. Contact & Supervisory Authority
NIZU OÜ · VAT: EE102264113
Harju maakond, Tallinn, Lasnamäe linnaosa, Lõõtsa tn 5, 11415, Estonia
legal@nizu.io
Estonian Data Protection Inspectorate (AKI):
Tatari 39, 10134 Tallinn, Estonia
www.aki.ee
info@aki.ee
+372 627 4135