Privacy Policy
Last updated: March 2026
DRAFT — This document requires review by a qualified legal professional before use.
1. Data Controller
TriStiX S.L., a limited liability company registered in Alicante, Spain, is the data controller for all personal data processed through the NetSenX platform, as defined by the General Data Protection Regulation (EU 2016/679, "GDPR").
Data Protection Officer: dpo@netsenx.com
2. Data We Collect
2.1 Account Data
When you register for NetSenX, we collect: email address, full name, company name, country, and billing information (processed by Stripe — we do not store credit card numbers).
2.2 Network Flow Metadata
The NetSenX agent collects network flow metadata from your infrastructure:
- Source and destination IP addresses
- Port numbers and transport protocols (TCP, UDP, ICMP)
- Byte counts and packet counts per flow
- Connection timestamps and duration
- TLS/JA3 fingerprints (where available)
The agent does not capture packet payloads, HTTP request/response bodies, email content, DNS query results, or any other communication content. This is by design to minimize personal data processing while maintaining effective threat detection.
2.3 Usage and Analytics Data
We use PostHog (self-hosted, EU) to collect anonymized dashboard usage data including: pages visited, features used, session duration, and browser/device type. Analytics collection can be disabled in Dashboard → Settings → Privacy & Analytics.
2.4 Error Tracking
We use Sentry to collect error reports when the dashboard or backend encounters an error. Error reports are automatically scrubbed of personal data (IP addresses, tokens, email addresses) before transmission using our custom GDPR scrubbing middleware.
3. Legal Basis for Processing (GDPR Art. 6)
| Data Category | Legal Basis | GDPR Article |
|---|---|---|
| Account data | Performance of contract | Art. 6(1)(b) |
| Network flow metadata | Performance of contract | Art. 6(1)(b) |
| Usage analytics | Legitimate interest (product improvement) | Art. 6(1)(f) |
| Marketing emails | Consent | Art. 6(1)(a) |
| Error tracking | Legitimate interest (service reliability) | Art. 6(1)(f) |
| Billing data | Legal obligation | Art. 6(1)(c) |
4. Data Location
All personal data is processed and stored exclusively within the European Union. We do not transfer personal data outside the EU/EEA.
| Service | Location | Purpose |
|---|---|---|
| Supabase | Frankfurt, Germany | Database, authentication |
| Fly.io | Amsterdam, Netherlands | Backend API compute |
| Vercel | EU Edge | Dashboard hosting |
| Cloudflare | EU | DNS, CDN, DDoS protection |
5. Sub-Processors
We use the following sub-processors to provide the Service. Each sub-processor has been evaluated for GDPR compliance:
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase Inc. | Database and authentication | All application data | EU (Frankfurt) |
| Fly.io Inc. | Backend API compute | API requests, processing | EU (Amsterdam) |
| Stripe Inc. | Payment processing | Billing data, payment methods | EU |
| Vercel Inc. | Dashboard hosting | Frontend assets, session cookies | EU Edge |
| Cloudflare Inc. | DNS, CDN, DDoS protection | HTTP requests (proxied) | EU |
| Resend Inc. | Transactional email | Email addresses, email content | EU |
| Sentry (Functional Software) | Error tracking | Error reports (PII scrubbed) | EU |
We will notify you of any changes to our sub-processor list at least 30 days in advance. You may object to a new sub-processor by contacting privacy@netsenx.com.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Network telemetry & alerts | Per plan (30d / 60d / 90d / 365d / unlimited) |
| Decision Traces | Same as network telemetry |
| Account data | Duration of subscription + 90 days |
| Billing records | 7 years (legal obligation) |
| Audit logs | 12 months |
| Analytics data | 12 months |
After account deletion, all personal data is permanently erased within 90 days, except billing records retained for legal obligations.
7. Your Rights (GDPR Art. 15-22)
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15): Export all your data via Dashboard → Settings → Export Data, or API endpoint GET /tenant/export.
- Right to rectification (Art. 16): Update your profile information in Dashboard → Settings.
- Right to erasure (Art. 17): Delete your account and all associated data via Dashboard → Settings → Delete Account, or API endpoint DELETE /tenant.
- Right to restriction (Art. 18): Contact privacy@netsenx.com.
- Right to data portability (Art. 20): Data export is provided in machine-readable JSON and CSV formats.
- Right to object (Art. 21): You may object to analytics processing by disabling analytics in Settings, or contact our DPO.
- Right to withdraw consent (Art. 7(3)): For consent-based processing (marketing), unsubscribe at any time via email links.
We will respond to data subject requests within 30 days as required by GDPR Art. 12(3).
8. Cookies
We use only essential cookies required for authentication and session management. These cookies are:
- sb-* — Supabase authentication session (HTTP-only, secure, SameSite=Lax)
- __csrf — CSRF protection token (HTTP-only, secure)
We do not use tracking cookies, advertising cookies, or third-party analytics cookies. PostHog analytics (when enabled) uses localStorage, not cookies, and can be disabled by the user.
9. International Transfers
We do not transfer personal data outside the European Economic Area (EEA). All infrastructure, sub-processors, and data storage are located within the EU. If this changes in the future, we will implement appropriate safeguards (Standard Contractual Clauses or adequacy decisions) and update this policy.
10. Security Measures
We implement technical and organizational measures to protect personal data, including:
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest (Supabase managed)
- Row-level security (RLS) for tenant isolation in PostgreSQL
- Role-based access control (RBAC) with 5 permission levels
- CSRF protection (double-submit cookie pattern)
- Rate limiting on all API endpoints
- Security headers (HSTS, CSP, X-Frame-Options)
- Regular security audits and SAST scanning
- Audit logging of all administrative actions
11. Changes to This Policy
We will notify you of material changes to this Privacy Policy via email at least 30 days before they take effect. Your continued use of the Service after the effective date constitutes acceptance of the revised policy.
12. Contact and Complaints
For privacy inquiries or to exercise your data subject rights:
- Data Protection Officer: dpo@netsenx.com
- Privacy inquiries: privacy@netsenx.com
- Company: TriStiX S.L., Alicante, Spain
You have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD) at www.aepd.es, or with your local EU supervisory authority under GDPR Art. 77.