GDPR Compliance Policy

This GDPR Compliance Policy describes how Nexa-Group.org and Vibble comply with the EU/EEA General Data Protection Regulation (GDPR) when processing personal data.

1. Scope

This Policy applies to the processing of personal data of individuals located in the European Economic Area (EEA) and, where applicable, the United Kingdom, in connection with Vibble.

2. Legal Bases for Processing

We process personal data only when a lawful basis under the GDPR applies, including:

  • Contract: to provide Vibble and fulfill our agreement with you.
  • Legitimate Interests: to maintain and improve Vibble, ensure security, and prevent abuse, balanced against your rights.
  • Consent: for certain optional features, marketing, and non-essential cookies, where required.
  • Legal Obligation: to comply with applicable laws, regulatory requirements, and court orders.

3. Data Subject Rights

Under the GDPR, you may have the right to:

  • Access your personal data and receive a copy.
  • Request rectification of inaccurate or incomplete data.
  • Request erasure of data (“right to be forgotten”) in certain circumstances.
  • Restrict processing under specific conditions.
  • Object to processing based on legitimate interests or for direct marketing.
  • Request data portability, where processing is based on consent or contract and carried out by automated means.

To exercise your rights, contact us at privacy@nexa-group.org.

4. Data Protection by Design & Default

Vibble incorporates privacy and data protection principles into product design and default settings. We seek to collect only data necessary for specified purposes and limit access to authorized personnel.

5. Data Protection Impact Assessments (DPIAs)

Where processing is likely to result in a high risk to individuals’ rights and freedoms, Nexa-Group conducts Data Protection Impact Assessments and consults supervisory authorities when required.

6. Data Transfers Outside the EEA/UK

When transferring personal data outside the EEA/UK, we ensure appropriate safeguards such as Standard Contractual Clauses or other mechanisms recognized under the GDPR.

7. Data Security

We maintain a risk-based information security program, including technical and organizational measures such as encryption, access controls, monitoring, and incident response procedures.

8. Data Breach Notification

In the event of a personal data breach, Nexa-Group will assess the risk to individuals and, where required, notify the relevant supervisory authority and affected data subjects in accordance with GDPR timelines.

9. Supervisory Authorities & Complaints

You have the right to lodge a complaint with your local data protection authority if you believe your rights under the GDPR have been violated.

10. Contact for GDPR Matters

GDPR & EU/EEA Privacy: gdpr@nexa-group.org
Data Protection Officer (where appointed): dpo@nexa-group.org
