Privacy Policy
What we collect, why we collect it, and your rights.
01 Who we are
This Privacy Policy describes how WEB rješenja d.o.o., a company incorporated in Croatia (OIB 97669668809) and operating the Nebion hosting platform (the "Operator", "we"), collects and processes personal data.
We act as controller for personal data we collect about you in connection with your account, billing, and use of our website. We act as processor for personal data you upload to or generate within your hosted Projects — that processing is governed by the Data Processing Agreement.
Contact: hello@ws.agency.
02 What we collect
Account data
Name, email, organisation, country, language preference. Provided by you when creating or updating your account.
Billing data
Billing address, VAT number where applicable, payment instrument metadata (card brand and last four digits — full card data is held by our payment processor, never by us).
Usage data
API and dashboard logs (timestamp, endpoint, IP, user agent), product telemetry (resource utilisation per Project), deployment events. Used to operate, secure, and improve the Service.
Support data
Messages, attachments, and metadata you send through support channels.
Website analytics
Aggregate, privacy-respecting analytics on nebion.host (page views, country-level geography, referrer). No cross-site tracking, no advertising IDs. See the Cookie Policy for specifics.
03 Why we process it
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Operating your account and providing the Service | Contract (6(1)(b)) |
| Billing, invoicing, tax compliance | Contract & legal obligation (6(1)(b)/(c)) |
| Security, fraud and abuse prevention | Legitimate interests (6(1)(f)) |
| Service improvements (aggregate analytics) | Legitimate interests (6(1)(f)) |
| Product and operational notices | Contract (6(1)(b)) |
| Marketing communications | Consent (6(1)(a)) — opt-in, opt-out anytime |
05 International transfers
Production data is hosted on infrastructure located in the European Union and, for opt-in regions, in the United States. Where personal data is transferred outside the EEA, we use Standard Contractual Clauses (SCCs) and supplementary measures where appropriate.
06 How long we keep it
- Account data: while your account is active, plus 30 days after closure.
- Billing records: as required by tax law (typically 7–10 years in the EU).
- Operational logs: 30–90 days, depending on log type.
- Support tickets: 24 months from last activity.
- Marketing consent: until withdrawn.
07 Your rights
If you are in the EU/EEA, UK, or another jurisdiction with similar law, you have the right to access, rectify, erase, port, or restrict the processing of your personal data, and to object to processing based on legitimate interests. You may also withdraw consent at any time.
To exercise any right, write to hello@ws.agency. We respond within 30 days. Detailed procedure: see the GDPR / Data Subject Rights page.
You also have the right to lodge a complaint with a supervisory authority — for EU users, typically the authority in your country of residence.
08 Security
We apply technical and organisational measures appropriate to the risk, including encryption in transit (TLS 1.2+), encryption at rest for production storage, role-based access control, audit logging, and least-privilege principles for our personnel.
No system is perfectly secure. If you discover a vulnerability, please disclose responsibly to hello@ws.agency.
09 Changes to this Policy
We may update this Policy as we add features, change sub-processors, or as the law changes. Material changes will be notified at least 30 days in advance by email or in-product notice. The "Last updated" date at the top of this page reflects the most recent change.