SCADA NextGen S.L. (“we”, “our”, “us”) is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and safeguard information about you when you use our website, software, or services, in compliance with the General Data Protection Regulation (GDPR).
1. Data Controller
The data controller responsible for your personal data is:
SCADA NextGen S.L.
Spain, European Union
Email: privacy@scadanextgen.com
The Data Protection Officer (DPO) can be reached at the same address with subject “Attn: DPO”.
2. Data We Collect
We collect the following categories of personal data:
| Category | Data | Source |
|---|---|---|
| Account Information | Name, email address, company name, job title, country | Provided by you at registration |
| License Usage | Machine fingerprint hash, module activation events, license key status, activation timestamps | Automatically collected by the Software |
| Billing Information | Invoice details, VAT number, payment method (processed by our payment provider; we do not store card data) | Provided by you at checkout |
| Communications | Emails, support tickets, contact form submissions | Provided by you |
| Analytics | Aggregated, anonymised usage metrics (page views, feature usage frequency). No individual user tracking. | Automatically collected via privacy-respecting analytics |
| Log Data | IP address (truncated to /24 subnet), browser type, access timestamps | Automatically collected by web servers |
We do not collect special categories of data as defined in GDPR Art. 9 (health, biometric, political opinions, etc.).
3. Legal Basis (GDPR Art. 6)
We rely on the following legal bases for processing your data:
- Contract performance (Art. 6(1)(b)): Processing your account information and license data is necessary to deliver the software and services you have purchased.
- Legitimate interests (Art. 6(1)(f)): We process anonymised analytics and log data to improve our software and protect against fraud and abuse.
- Consent (Art. 6(1)(a)): Where you have opted in to receive marketing communications, we process your email address on this basis. You may withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)): We retain billing records and invoices as required by Spanish tax law.
4. How We Use Your Data
We use your data to:
- Provision, activate, and manage your software license
- Process payments and issue invoices
- Provide technical support and respond to enquiries
- Send product updates, security notices, and renewal reminders
- Send marketing communications (only if you have opted in)
- Detect and prevent unauthorised license use or fraud
- Improve our software through aggregated usage analysis
- Comply with legal and regulatory obligations
5. Data Sharing
We do not sell, rent, or trade your personal data. We may share data with the following categories of third parties:
- Payment processors: We use Stripe (EU data residency) to process payments. Stripe is a data processor under a signed Data Processing Agreement.
- Cloud infrastructure: Our systems run on Supabase (EU region). Database data is encrypted at rest and in transit.
- Email delivery: Transactional emails are sent via a third-party service under a DPA.
- Legal authorities: We will disclose data where required by law, court order, or to protect our legal rights.
All processors are located in the EU/EEA or operate under Standard Contractual Clauses (SCCs) where applicable.
6. Data Retention
| Category | Retention Period |
|---|---|
| Account Data | Retained while your account is active, plus 12 months after closure |
| License Records | Retained for 7 years (legal obligation — Spanish commercial law) |
| Billing Records | Retained for 10 years (Spanish tax law Art. 30 C.Com.) |
| Support Tickets | Retained for 3 years after resolution |
| Marketing Consents | Retained until withdrawn; evidence of consent retained for 3 years |
| Log Data | 90 days rolling retention |
7. Your Rights
Under GDPR, you have the following rights with respect to your personal data:
- Right of access (Art. 15): Request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): Correct inaccurate or incomplete personal data.
- Right to erasure (Art. 17): Request deletion of your data where there is no compelling reason for continued processing. Note: data required by law cannot be erased.
- Right to portability (Art. 20): Receive your data in a structured, machine-readable format and transmit it to another controller.
- Right to object (Art. 21): Object to processing based on legitimate interests, including direct marketing.
- Right to restrict processing (Art. 18): Request that we limit how we use your data in certain circumstances.
- Right to withdraw consent: Where processing is based on consent, you may withdraw at any time without affecting prior processing.
To exercise any of these rights, contact us at privacy@scadanextgen.com. We will respond within 30 days. You also have the right to lodge a complaint with the Spanish data protection authority:
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, or unauthorised disclosure:
- All data in transit is encrypted using TLS 1.3 or higher
- Data at rest is encrypted using AES-256
- Access to production systems is restricted via role-based access control and multi-factor authentication
- Security events are logged and audited on a rolling 90-day basis
- We conduct periodic penetration testing and vulnerability assessments
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware, as required by GDPR Art. 33–34.
10. Children's Privacy
Our services are intended for use by businesses and are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately and we will delete it.
11. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices or applicable law. We will notify you of material changes via email or a prominent notice on our website at least 30 days before they take effect.
The date at the top of this page indicates when the policy was last revised. We recommend reviewing this page periodically.
12. Contact for Data Requests
For any questions about this Privacy Policy, or to exercise your data protection rights, contact our Data Protection Officer:
Data Protection Officer
SCADA NextGen S.L., Spain, EU
Email: privacy@scadanextgen.com
Subject line: “Data Request — [Your Name]”
See also our Terms of Service.

