Privacy Policy

We take the protection of your personal data very seriously. We process personal data exclusively in accordance with applicable law, in particular the GDPR and the Austrian Telecommunications Act 2021 (TKG 2021). This privacy policy explains the nature, scope and purpose of the processing of personal data on this website.

1. Controller

NexGen IT-Security GmbH
Liechtensteinklammstraße 60, 5600 St. Johann im Pongau, Austria
Email: office@nexgen-itsec.com
Website: https://nexgen-itsec.com

2. Website hosting

This website is provided using cloud infrastructure from Amazon Web Services (AWS). Where possible, the website is operated within the European Union, in particular using AWS regions in Europe.

The provider of the technical infrastructure is Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg. Depending on the services used, other entities of the Amazon Web Services group may be technically involved.

Processed data: When you access the website, technically required access data is processed, including IP address, date and time of access, requested URL/file, referrer URL, browser type, operating system and user agent.

Purpose: Provision of the website, ensuring system security, technical stability, load balancing, error analysis, abuse detection and administration.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure, stable and performant operation of the website).

Recipients / processors: Amazon Web Services as technical hosting provider. A data processing agreement pursuant to Art. 28 GDPR is in place with AWS.

Third-country transfers: Transfers of personal data to third countries, in particular to the United States, cannot be completely excluded as part of technical operations. Where such transfers occur, they are based on appropriate safeguards under the GDPR, in particular EU Standard Contractual Clauses or comparable legal mechanisms.

3. Server log files

Server log files are processed to ensure IT security and for technical error analysis.

Processed data: IP address, time of access, requested resource, HTTP status code, referrer, browser information and comparable technical metadata.

Purpose: attack detection, abuse prevention, error analysis, maintaining system security and stability.

Legal basis: Art. 6(1)(f) GDPR.

Retention period: Log data is stored only as long as necessary for security and operational purposes, generally for a maximum of 30 days, unless a security-relevant incident requires longer retention.

4. Contact requests and email processing

When you contact us via the contact form, the data you provide (e.g. name, company, email address, message) is processed for handling your request.

Technical processing of the contact form is carried out via the AWS infrastructure used by us. Submitted data is processed solely for handling your request and forwarded to our business email address.

Where communication continues by email, further processing may take place via our business email systems provided by IONOS SE, Elgendorfer Straße 57, 56410 Montabaur, Germany.

Processed data:
Name, company, email address, message content, time of request and technical metadata required for secure transmission and operation.

Purpose:
Handling and responding to your request, initiating pre-contractual measures and secure technical communication.

Legal basis:
Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.

Recipients / processors:
Amazon Web Services as hosting provider and IONOS SE as email service provider.

Retention period:
Requests are stored only as long as necessary for processing. Unless statutory retention obligations apply, deletion takes place in principle after a maximum of 6 months.

5. Web analytics

If web analytics tools are used on this website, this is done exclusively on the basis of your consent pursuant to Art. 6(1)(a) GDPR. Non-essential analytics or tracking technologies are activated only after your explicit consent.

If no web analytics is currently active, no related processing takes place.

6. Cookies & consent management

This website may use technically necessary functions required for secure and proper operation. Non-essential cookies or similar technologies are used only with your consent.

You can withdraw or adjust your consent at any time with future effect via the consent management tool, where implemented.

7. Your rights

You have the right of access, rectification, erasure, restriction of processing, data portability and objection. If processing is based on consent, you may withdraw that consent at any time with future effect.

Supervisory authority: You have the right to lodge a complaint with a supervisory authority. In Austria, the competent authority is the Austrian Data Protection Authority (DSB), Barichgasse 40–42, 1030 Vienna, https://www.dsb.gv.at

8. Data security

Data is transmitted exclusively via encrypted connections (TLS). Access to processing systems is technically restricted, and measures for attack detection, misuse prevention, logging of security-relevant events and protection of the cloud infrastructure are implemented.

9. NexGen AI Prompt Shield Browser Extension

This section supplements the privacy policy above with the specific data processing carried out by the "NexGen AI Prompt Shield" browser extension, which corporate customers use to check input sent to AI chat services (ChatGPT, Microsoft Copilot, Google Gemini, Claude).

Important note on responsibility: NexGen AI Prompt Shield is operated by corporate customers themselves (self-hosted model). For the substantive processing of checked text during operation, the deploying company (your employer or its IT department) is the controller under data protection law, not NexGen IT-Security GmbH. NexGen provides the software only.

Purpose of the extension: Checking text input before it is sent to AI chat services for sensitive or business-relevant content; depending on configuration, blocking, displaying a warning, or logging the event.

Processed data:
Stored locally in the browser: server address and department API key (provided by the IT department), login token, email address, display name, role and department name of the logged-in user, as well as configured security settings.

Transmitted to the company's own server: email address and password at login; the text of the prompt field immediately before sending, for policy checking; the result of the check (detected category, risk level, action taken) for audit-log traceability.

Recipients: This data is transmitted exclusively to the server operated and configured by the deploying company itself - never to NexGen IT-Security GmbH or any other third party, in particular not for advertising or analytics purposes.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest of the deploying company in protecting confidential and personal data from unauthorized disclosure to external AI services), possibly in conjunction with the employer's internal policies.

Retention period: Determined and managed by the deploying company itself.

Your rights: For access, rectification, or erasure requests regarding data processed during operation, please contact your company's IT department as the controller under data protection law. For questions about the software itself, reach us at office@nexgen-itsec.com.

Last updated: 2026