Controller information
Controller: Next Generation Access SL
Contact: support@ng-key.com
If a dedicated data-protection contact or representative is appointed for a particular customer project, regulated deployment, or public-sector engagement, the relevant contact details will be provided in the associated contract or privacy notice layer.
Categories of personal data
- Identity and account data, such as names, usernames, work email addresses, and administrative role details.
- Device and technical data, such as IP addresses, telemetry metadata, browser details, logs, and security event records.
- Operational access data, such as reader assignments, schedule presets, audit records, credential references, and support actions.
- Commercial or communication data, such as support requests, onboarding messages, contract contact details, and transaction-related correspondence.
Purposes and legal bases
- To provide and secure the platform, on the basis of contract performance or pre-contractual steps.
- To maintain service integrity, fraud prevention, incident response, and platform security, on the basis of legitimate interests and legal obligations where applicable.
- To manage customer support, account administration, and product communications, on the basis of contract performance and legitimate interests.
- To comply with accounting, tax, regulatory, cybersecurity, and data-protection obligations, on the basis of legal obligation.
- To send electronic marketing only where consent, soft opt-in, or another lawful basis is validly available under GDPR and Spanish LSSI rules.
Recipients and international transfers
Personal data may be processed by hosting providers, cloud infrastructure partners, email or communications providers, support tools, security vendors, and carefully selected subprocessors acting on documented instructions and subject to appropriate confidentiality and security obligations.
Where personal data are transferred outside the European Economic Area, Next Generation Access SL seeks to use an appropriate transfer mechanism under Chapter V GDPR, such as an adequacy decision, Standard Contractual Clauses, or another recognised safeguard. Additional information may be provided on request where legally required.
Retention
We retain personal data only for as long as necessary for the relevant service purpose, security requirement, support need, legal retention period, or contractual lifecycle. Retention periods vary by record type, customer deployment, and regulatory context.
Where data are no longer required, they are deleted, anonymised, or restricted in accordance with our internal retention and security procedures.
Your rights
Subject to the conditions set out in the GDPR and applicable Spanish law, you may request access, rectification, erasure, restriction, portability, or objection, and you may withdraw consent where processing relies on consent.
You may also lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD) or another competent supervisory authority in the EU Member State of your habitual residence, your place of work, or the place of the alleged infringement.
To exercise your rights, contact us at support@ng-key.com and describe your request clearly enough for us to verify and process it securely.
Security and updates
We apply technical and organisational measures designed to protect confidentiality, integrity, availability, and resilience, taking into account the nature of the processing and the risks presented. No system can guarantee absolute security, but we aim to maintain protections appropriate to the context of access-control and identity-management operations.
This policy may be updated to reflect legal, operational, or product changes. The latest published version on this page applies from its publication date unless a stricter legal rule requires otherwise.