
Compliance · EU / EEA

GDPR posture for digital signage

How nextdooh handles personal data of EU/EEA operators and audience members under Regulation (EU) 2016/679.

1 · Who's the controller

For platform-level data (operator account, billing, audit logs), Kryil Infotech is the data controller. For media you upload as an operator, you are the controller and Kryil Infotech is your processor.

2 · Categories of personal data we process

  • Operator email, full name, role — basis: contract (Art. 6(1)(b)); retained for account lifetime + 18 months.
  • Login IP, user agent — basis: legitimate interest in security (Art. 6(1)(f)); 30-day retention, then anonymised.
  • Billing identifiers (Stripe customer ID, last 4, country) — basis: contract / legal obligation; 7-year retention for tax law.
  • Operator-uploaded media — your own legal basis as controller; deletable on demand.
  • Anonymous audience analytics (count-only, no identifiers) — not personal data.

3 · Sub-processors

  • Microsoft Azure — production hosting + media storage; EU (Frankfurt) on request, default IN (Chennai); SCCs + Azure DPA.
  • Stripe Payments Europe Ltd — card processing; EU + US; SCCs, Stripe DPA.
  • Resend Inc. — transactional email; US; SCCs, Resend DPA, transactional content only.
  • SendGrid (Twilio) — marketing email, opt-in only; US; SCCs.

4 · Data subject rights (Chapter III)

Reach us at [email protected] to exercise any of:

  • Art. 15 — access; we return a structured export of account data, audit trail, and billing history.
  • Art. 16 — rectification, performed within 7 business days.
  • Art. 17 — erasure (right to be forgotten); account erased within 30 days, backups age out within a further 30 days.
  • Art. 18 — restriction of processing pending dispute resolution.
  • Art. 20 — portability — account profile + uploaded media in machine-readable form (JSON + original media).
  • Art. 21 — objection to legitimate-interest processing (security logs).

5 · International transfers

Our default deployment is Chennai. Operators with EU/EEA residency may request migration to Frankfurt via [email protected] — no extra cost. Transfers from EU to India rely on Standard Contractual Clauses (Module 2), Commission Implementing Decision (EU) 2021/914, plus a transfer impact assessment.

6 · Security of processing (Art. 32)

  • TLS 1.2+ in transit; AES-256 at rest for database and media object storage.
  • bcrypt password hashing (cost factor 12); email-code MFA on every superadmin login and on sensitive privilege-escalation operations. TOTP-based MFA is on the roadmap.
  • Append-only audit log retained 12 months.
  • Access reviewed on each role change and at minimum annually; least privilege; named operators only.
  • Dependency scanning + monthly OS patching cadence.
  • Quarterly DR drill; backups encrypted, regionally segregated.

7 · Breach notification (Art. 33–34)

We notify the relevant supervisory authority within 72 hours of detecting a personal-data breach affecting EU/EEA residents and, where high risk to data subjects is likely, communicate to affected individuals without undue delay.

EU representative: we don't currently maintain an Art. 27 representative. If your engagement requires one, contact us — we work with a partner law firm in Berlin.

Contact

Data Protection Officer: [email protected]
Postal address: Kryil Infotech Pvt. Ltd., Workflow Ranka Junction, 3rd Floor, 224, KR Puram, Bangalore – 560016, Karnataka, India.

Get the signed statement

The GDPR posture above is also a downloadable PDF — useful for procurement, legal, or audit forwarding. Sign in and open Settings → Compliance & security documents. For custom-scope engagements, write to [email protected].

Direct PDF slug: gdpr.pdf