Privacy Policy — NEXIEL LIMITED

This Privacy Policy explains how NEXIEL LIMITED (“NEXIEL”, “we”, “us”, “our”) collects, uses, shares, and protects personal data when you visit our website, use our dashboard, APIs, or services, or interact with us as a customer, prospective customer, supplier, partner, or end user of a customer.

Effective date: 03 January 2026

Last updated: 03 January 2026

NEXIEL LIMITED (Ireland) — VENTURE HUB, 136 CAPEL STREET, DUBLIN, D01 T2C9, IRELAND

1. Scope and who this policy applies to

This policy applies to personal data processed by NEXIEL in the following contexts:

  • Website visitors and marketing contacts.
  • Prospective customers and customers (including account admins and authorized users).
  • End users whose credentials or identity attributes are processed through our platform by a customer (e.g., wallet holder presenting or receiving a credential).
  • Representatives of suppliers, integration partners, and business contacts.
  • Anyone communicating with NEXIEL (support tickets, email, phone, chat).

If you are an end user interacting through a customer’s application, that customer may provide additional privacy information and determine the purposes of processing. This policy still explains NEXIEL’s role and what we do with your data.

2. Key GDPR roles: Controller vs Processor

A. NEXIEL as Controller (we decide why/how data is processed)

  • Website analytics and cookies (where applicable).
  • Sales, marketing, and business communications.
  • Customer account administration (accounts, authentication, billing contacts).
  • Security logging and fraud/abuse prevention for our own systems.
  • Corporate compliance and legal obligations.

B. NEXIEL as Processor (customer decides why/how data is processed)

  • Credential issuance workflows (customer is the issuer).
  • Credential verification workflows (customer is the relying party).
  • Business onboarding verification workflows (organization/representative details).
  • Audit trails, evidence packs, and verification results generated for the customer.

Where we are a processor, processing is governed by a Data Processing Addendum (“DPA”) and the customer’s instructions, subject to applicable law.

3. Transparency and clear language

NEXIEL aims to provide information and communications about personal data in a clear, accessible way, consistent with GDPR transparency requirements (including GDPR Article 12).

4. What personal data we collect

A. Website and marketing data (Controller)

  • Identifiers and contact details: name, email, phone, company, job title.
  • Communications: messages you send to us, meeting notes, email content you provide.
  • Device and usage: IP address, user agent, pages viewed, timestamps, approximate location from IP.
  • Cookie/technology data (where used): cookie IDs, preferences, analytics identifiers.

B. Customer account and admin data (Controller)

  • Admin/user profile: name, work email, role, team, authentication data.
  • Account metadata: customer ID, application ID, subscription/billing contacts, support history.
  • Security: login timestamps, API key usage logs, device identifiers, IPs, anomaly indicators.

C. Platform verification/issuance data (Processor)

  • Credential data presented/issued (attributes included in the credential, per type/use case).
  • Verification results and signals (pass/fail, confidence scores, match candidates, timestamps).
  • Evidence packs / audit snapshots (inputs used, matching versions, registry snapshots, hashes).
  • Certificate information for issuer authority verification (fingerprints, subject fields, validity, metadata).

D. Business onboarding and KYC/KYB-related data (Controller and/or Processor)

  • Company details: legal name, registration number, VAT, address, jurisdiction, directors/owners (if provided).
  • Representative: name, role, contact details, proof of authorization, identity verification artifacts where applicable.
  • Screening results: sanctions screening results, match candidates, review notes.

Important: Services may involve regulated-sector data. Customers should configure data minimization so only necessary attributes are processed.

5. Special categories of personal data

Some customers may process “special category” data under GDPR (e.g., health-related data, biometric identifiers, or other sensitive attributes) depending on the credential and use case. NEXIEL does not require special category data by default; if processed, it is on customer instructions with additional safeguards.

6. Sources of personal data

  • You directly (forms, email, calls, support, onboarding steps).
  • Our customers (when you are an end user interacting with a customer service).
  • Technical sources (logs, device data, cookies where applicable).
  • Public/official registries and trust lists for issuer authority verification (e.g., qualified trust service providers, education registries) where necessary.

7. Purposes of processing and legal bases

A. When NEXIEL is Controller

  1. Provide and secure our website and services — Legal basis: legitimate interests and/or contract.
  2. Customer onboarding, account management, and support — Legal basis: contract; legitimate interests.
  3. Sales, marketing, and relationship management (B2B) — Legal basis: legitimate interests and/or consent where required.
  4. Compliance with legal obligations — Legal basis: legal obligation.
  5. Security monitoring, fraud prevention, and abuse detection — Legal basis: legitimate interests and, where required, legal obligation.

B. When NEXIEL is Processor

  • Issuing credentials to end users.
  • Verifying credentials presented by end users.
  • Issuer authority checks and evidence capture required by the customer’s compliance program.

Legal basis: determined by the customer as controller (e.g., contract, legitimate interests, legal obligation, consent, or substantial public interest depending on use case).

8. Sanctions screening and third-party compliance data sources

NEXIEL may support customer compliance programs through sanctions screening and verification signals. Checks may involve querying third-party datasets/services and storing match candidates, confidence, and audit logs/evidence packs. Where sources are unavailable, we may fall back to cached data or alternatives and log the outcome.

9. Trusted lists and issuer authority verification (QEAA/PID and related services)

NEXIEL may verify issuer authority against recognized registries and trusted lists, including EU trusted lists of qualified trust service providers (QTSPs) and their qualified services. We may validate signed trusted-list documents, record integrity evidence (hashes, signature validity, signing certificate fingerprints), match certificate fingerprints against trusted-list entries, and record evidence packs for review. Under eIDAS, national trusted lists have constitutive effect.

10. How we share personal data

A. Customers and their authorized users (Processor outputs)

Verification results, audit logs, and evidence packs are shared with the initiating customer.

B. Service providers / processors and subprocessors

We use vetted providers under contract with confidentiality/data protection obligations. Key provider:

  • Stripe (payment processing / billing). Privacy: https://stripe.com/ie/privacy. Depending on activity, Stripe may act as controller and/or processor.

C. Legal and compliance disclosures

We may disclose data to comply with law, lawful requests, enforce agreements, protect rights/safety, or investigate fraud.

D. Corporate transactions

Data may be disclosed in mergers, acquisitions, financing, or asset sales with safeguards.

We do not sell personal data.

11. International transfers

NEXIEL is based in Ireland. If data is transferred outside the EEA, we use safeguards such as adequacy decisions or Standard Contractual Clauses (SCCs) with supplementary measures. In processor contexts, the customer’s DPA governs transfer mechanisms.

12. Data retention

We retain personal data only as long as necessary for the purposes described, unless longer is required by law. Typical retention (may vary by contract/use case):

  • Website inquiries and sales communications: retained for a reasonable period for relationship and recordkeeping.
  • Customer account: life of contract and reasonable period after termination for dispute resolution, security, compliance.
  • Platform logs and security records: retained for security monitoring and auditability.
  • Verification evidence packs: retained to support audit/reproducibility as agreed with customers.

Where customers control retention (processor context), we support deletion/export requests as required under the DPA.

13. Security measures

  • Access controls and least privilege.
  • Encryption in transit (TLS) and at rest where appropriate.
  • Logging and monitoring for security events.
  • Segregation of customer environments and logical access controls.
  • Incident response procedures and security reviews.

No method of transmission or storage is 100% secure. If you suspect unauthorized access, contact us using the details below.

14. Your data protection rights (GDPR)

Subject to conditions and exceptions, individuals may have the right to be informed and rights of access, rectification, erasure, restriction, portability, and objection (including to direct marketing), as well as rights related to automated decision-making and profiling.

If NEXIEL is the controller, contact us (Section 19). If we process on behalf of a customer, contact the customer first; we will assist them as required.

15. Automated decision-making and profiling

NEXIEL may provide automated scoring, matching, and confidence indicators in verification workflows. Where decisions have legal or similarly significant effects, appropriate human review should be in place (typically controlled by the customer). You can request information about the logic involved and contest decisions where applicable.

16. Cookies and similar technologies

If our website uses cookies or similar technologies, we will provide a cookie notice explaining what is used, why, and how to manage preferences. Where required, we obtain consent before placing non-essential cookies.

17. Children’s privacy

Services may be used in contexts involving minors (e.g., education). Customers are responsible for appropriate lawful basis and notices/consents. NEXIEL does not knowingly market directly to children.

18. Complaints

Contact NEXIEL first (Section 19). You also have the right to lodge a complaint with the Irish Data Protection Commission (DPC). The DPC accepts concerns via webform or email at info@dataprotection.ie.

19. Contact details

Data Protection / Privacy contact (NEXIEL): Email dpo@nexiel.ie

Postal address: NEXIEL LIMITED, VENTURE HUB, 136 CAPEL STREET, DUBLIN, D01 T2C9, IRELAND

20. Changes to this Privacy Policy

We may update this Privacy Policy to reflect changes in practices, technology, legal requirements, or services. We will update the “Last updated” date and, where appropriate, provide additional notice.

Questions? Email dpo@nexiel.ie or write to NEXIEL LIMITED, VENTURE HUB, 136 CAPEL STREET, DUBLIN, D01 T2C9, IRELAND.