Privacy Policy

1. Controller

The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:

Nephelix Nova Ltd
Centris Business Gateway, Level 4/W
Triq is-Salib tal-Imriehel, Zone 3
Birkirkara, CBD 3020, Malta
Email: Email

2. Data Protection Officer

No Data Protection Officer has been appointed because the legal requirements of Article 37 GDPR are not met: Nephelix Nova Ltd is a small company, does not conduct regular and systematic monitoring of data subjects on a large scale, and does not process special categories of personal data on a large scale. For data protection enquiries, please contact the controller directly at the address above.

3. Overview of Data Processed

• Server log data: IP address, browser type and version, operating system, referrer URL, requested URL, date and time of access
• Email correspondence: Name, email address, company name, and message content when you voluntarily contact us by email

4. Hosting and Delivery (Cloudflare)

This website is delivered via Cloudflare Pages (Cloudflare, Inc., USA). When you visit, Cloudflare receives standard access data: IP address, browser information, referrer, requested URL, and access time. This is necessary to deliver the site and to protect against abuse. Legal basis: Article 6(1)(f) GDPR (legitimate interest in secure operation). A data processing agreement under Article 28 GDPR is in place (Cloudflare Standard DPA).

Transfer to the USA: Cloudflare is certified under the EU-US Data Privacy Framework (European Commission adequacy decision of 10 July 2023) and additionally relies on EU Standard Contractual Clauses. Details: Cloudflare's Privacy Policy.

5. Email Contact

If you contact us by email, we process the data you provide (name, email address, company, message content) to respond to your inquiry. Legal basis: Article 6(1)(b) GDPR (pre-contractual measures) or Article 6(1)(f) GDPR (legitimate interest in responding to enquiries). We retain the data until you request deletion or the purpose no longer applies, subject to statutory retention obligations.

Email hosting (Google Workspace): our business email is hosted on Google Workspace, operated by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) with sub-processing by Google LLC (USA). Google stores and processes incoming email on our behalf under a data processing agreement pursuant to Article 28 GDPR (Google Workspace Data Processing Addendum). Google LLC is certified under the EU-US Data Privacy Framework (European Commission adequacy decision of 10 July 2023) and additionally relies on EU Standard Contractual Clauses. Details: Google's Privacy Policy.

6. Cookies

This website sets no analytics, marketing, or tracking cookies. When Cloudflare's bot protection is active, Cloudflare may set the strictly-necessary __cf_bm cookie (30-minute lifetime) for bot detection — this is exempt from consent under § 25(2) No. 2 TDDDG (the former TTDSG, renamed with effect from 14 May 2024).

7. Your Rights

Under the GDPR, you have the following rights with respect to your personal data:

• Right of access (Article 15 GDPR) — You may request confirmation of whether personal data concerning you is being processed and, if so, obtain access to that data.
• Right to rectification (Article 16 GDPR) — You may request the correction of inaccurate personal data or the completion of incomplete data.
• Right to erasure (Article 17 GDPR) — You may request the deletion of your personal data where there is no legal obligation to retain it.
• Right to restriction of processing (Article 18 GDPR) — You may request that the processing of your data be restricted under certain circumstances.
• Right to data portability (Article 20 GDPR) — You may request to receive the personal data you provided in a structured, commonly used, and machine-readable format.
• Right to object (Article 21 GDPR) — You may object to the processing of your personal data based on legitimate interests at any time. We will then cease processing unless we can demonstrate compelling legitimate grounds.
• Right to withdraw consent (Article 7(3) GDPR) — You may withdraw any consent given at any time with future effect. The lawfulness of processing carried out prior to withdrawal remains unaffected.
• Right to lodge a complaint (Article 77 GDPR) — You have the right to lodge a complaint with a supervisory authority. The competent authority for Nephelix Nova Ltd is the Office of the Information and Data Protection Commissioner (IDPC), Level 2, Airways House, High Street, Sliema SLM 1549, Malta — idpc.org.mt. Visitors from Germany may alternatively contact the state data protection authority (Landesdatenschutzbehörde) responsible for their place of residence.

8. Data Retention

• Server logs / Cloudflare: per Cloudflare's own security log policies (typically a few days); we keep no separate logs.
• Email correspondence: for the duration of the business relationship and thereafter until the applicable tax and commercial retention periods expire (for Nephelix Nova Ltd, up to 9 years under Maltese law).

9. Changes to This Policy

We reserve the right to update this privacy policy to reflect changes in our practices or for legal, regulatory, or operational reasons. The current version is always available on this page with the "Last updated" date above.