NordixSystems

Privacy policy

How Nordix Systems handles personal data across the website and Services — controllers, AI processing, sub-processors, transfers, retention, your rights, and our DPO.

1. Introduction

Nordix Systems ("Nordix Systems", "we", "us", or "our") is part of the NCS Group (NCS — Nordic Compute System, operated by Easy Drift AS, Norway) and is committed to protecting the privacy and personal data of everyone who interacts with our website, platforms, applications, and Services. This Privacy Policy explains what data we collect, how and why we use it, with whom we share it, and the rights you have over your information.

It covers the website at nordixsystems.com and the Services — including Nordix BIOS, Nordix POS, Nordix Booking, Nordix Loyalty, the Nex consumer app, ION Consulting managed services (ION Virtual Workers, FinanceFlow), and our marketing-automation tools — together with their associated APIs.

2. Scope and Our Role

Nordix Systems acts in different roles depending on the data and the Service:

  • As a controller, we decide how and why personal data is processed for our own purposes — for example, data collected through this website, the contact and demo-booking forms, newsletter subscriptions, account registration, billing, and security.
  • As a processor (or sub-processor), we process personal data on behalf of, and under the instructions of, our business customers and Partners — for example, the operational data flowing through Nordix BIOS, Nordix POS, Booking, loyalty programs, and the AI agents that act on a customer's behalf. In those cases, the customer or Partner is the controller and is responsible for the lawful basis of the processing and for its own privacy notice to end users. That processing is governed by our Data Processing Agreement (DPA).

This Privacy Policy describes our practices as a controller, and explains, where relevant, how we support customers and Partners when we act as a processor.

3. Data Controller and Contact

The data controller for the purposes of the EU General Data Protection Regulation (GDPR), the UK GDPR, the Brazilian General Data Protection Law (LGPD), and other applicable data-protection laws is:

Nordix Systems, part of NCS — Nordic Compute System (operated by Easy Drift AS, Norway). Postal: Nordix Systems, c/o NCS group, Oslo, Norway (full address on request).

For any privacy-related inquiry, contact privacy@nordixsystems.com. Our Data Protection contact is dpo@ncsengine.com.

4. Data We Collect

Depending on which Services you use, we may collect the following categories of personal data:

Information you provide directly:

  • Contact and identity details (name, work email, optional company, role, message) submitted through forms, sign-ups, or sales and support interactions, including the date and time you pick when booking a demo.
  • Account and profile information when you register for a platform or app.
  • Billing details (company, billing contact, tax identifiers); payment-card and financial-instrument data is collected and processed by our payment processors, not stored in full by us.
  • Communications and content you submit, including support messages, demo requests, and feedback.

Information generated through use of the Services:

  • Server logs and usage data (request URL, IP address (truncated), user agent, referrer, response code, browser and device type, pages and features used, timestamps). Server logs are retained 30 days for security and capacity planning.
  • Account-, transaction-, and operational data, such as bookings, orders, point-of-sale transactions, and loyalty activity (points, tiers, offers, redemptions, visit history) — typically processed on behalf of a business customer.
  • Conversation and prompt data exchanged with AI assistants and agents across channels (chat, web widget, email, and, where enabled, messaging platforms such as WhatsApp, Telegram, and Instagram).
  • Voice-call data, including recordings and transcriptions, where you use voice/telephony features.
  • Connected-account and integration data, including access tokens and configuration for third-party services you authorize (point-of-sale, payments, advertising, messaging, calendars, content-management, accounting, and analytics). Credentials are stored securely and shown masked.
  • For Partners' B2B2C use, end-user identifiers from messaging channels (such as a channel-specific user ID or phone number) needed to route and authorize interactions.
  • Developer and API data, including API keys and request metadata.
  • Plausible analytics — anonymous, cookie-free, GDPR-compliant pageview events: URL, country (geo-IP), referrer, device type. No personal identifiers and no fingerprinting.
  • Anti-fraud and anti-bot signals (such as IP address and CAPTCHA/anti-bot tokens).

Information from third parties:

  • Business contact details from publicly available professional directories for B2B outreach, and data from integrations and providers you connect.

5. Special Categories and Sensitive Data

Some Services may be used by professional customers to process information that could include sensitive categories (for example, where a customer's operations touch health- or legal-related data). In these cases, Nordix Systems typically acts as a processor on behalf of the customer, who is responsible for establishing a lawful basis (including any explicit consent or professional-secrecy basis required) and for its own notices to data subjects. We apply heightened technical and organizational safeguards to such data and process it only to provide the Service. We do not seek to collect special-category data through our own marketing or website activities.

6. How We Use Your Data

Where we act as a controller, we process personal data to:

  • Service delivery: provide, operate, secure, and maintain our website, platforms, AI models, agents, and applications.
  • Accounts and billing: create and manage accounts, process subscriptions and payments (via processors), and prevent payment fraud.
  • Communication: reply to your inquiry, maintain a record of the request in our sales pipeline, send service and transactional notifications, and provide support. We may reach out by email up to twice to follow up on an enquiry.
  • Improvement: analyze usage to improve our platforms, features, models, and documentation, using aggregated or de-identified data where feasible.
  • Security and abuse prevention: detect, prevent, and respond to security incidents, fraud, abuse, and technical issues (rate-limiting, spam, automated abuse).
  • Legal compliance: comply with applicable laws, regulations, and lawful requests.
  • Marketing: with your consent or as otherwise permitted, send relevant updates about NCS Group products and services. You can opt out at any time.

Where we act as a processor, we process personal data only to provide the Services in accordance with the customer's or Partner's documented instructions and the DPA.

Under the GDPR, UK GDPR, and equivalent laws (including the LGPD), we rely on:

  • Contractual necessity: processing required to deliver Services you have requested or contracted.
  • Legitimate interests: improving and securing our Services and conducting B2B marketing, provided these interests do not override your fundamental rights.
  • Consent: where you have given clear consent for specific activities (for example, certain marketing or special-category processing). You may withdraw consent at any time.
  • Legal obligation: where processing is required to comply with applicable law.

8. AI and Automated Processing

Several Services rely on artificial intelligence, including third-party AI model providers engaged as sub-processors.

  • No training on your data without consent: we do not use Customer Data to train shared or foundation AI models, and our AI sub-processors (such as OpenAI and Anthropic) are engaged under agreements that prohibit using your content to train their models, unless you provide explicit instruction or consent.
  • AI sub-processors: conversation and prompt content may be transmitted to AI model providers solely to generate responses and perform the tasks you request.
  • Automated agent actions: where AI agents (such as Nordix BIOS or ION Virtual Workers) act on a customer's behalf, those actions follow the customer's configuration, with an audit trail available. Customers are responsible for maintaining human oversight of high-impact actions.
  • Automated decision-making: we do not use the Services to make decisions producing legal or similarly significant effects on you based solely on automated processing without appropriate safeguards. Where profiling occurs (for example, loyalty segmentation or personalized offers), it is operated by, or on behalf of, the relevant business and is subject to your applicable rights.

9. Payments and Financial Data

When you pay for a Service, or when the Services facilitate in-venue or marketplace payments, payment-card and financial-instrument data is collected and processed by licensed, PCI-DSS-compliant third-party payment processors (such as Stripe, Adyen, MercadoPago, and PayPal). We receive only limited transaction details (such as a tokenized reference, the last digits of a card, billing contact, and payment status) needed for billing, accounting, fraud prevention, and support. We do not store full payment-card numbers on our systems.

10. Cookies and Tracking

Our website uses cookies and similar technologies only to:

  • Essential functions: session management, security, and anti-bot tokens (such as CAPTCHA).
  • Analytics: we use Plausible — privacy-friendly, cookieless analytics — to understand how visitors interact with the website.

We do not use marketing or advertising cookies and there is no cross-site ad tracking on this website. There is no consent banner because there are no consent-gated trackers. You can manage your preferences through your browser settings.

11. Data Sharing, Sub-processors, and Transfers

We do not sell personal data. We may share data with:

  • Infrastructure and hosting providers operating under data-processing agreements.
  • Service providers and sub-processors that assist with analytics, email and messaging delivery, telephony/SMS, payments, AI model processing, and customer support, each bound by contractual confidentiality and data-protection obligations.
  • Third-party services you connect (point-of-sale, payments, advertising, messaging, calendars, content-management, and accounting), to which we send data as needed to provide the Services you configure.
  • NCS Group affiliates, to operate and support the Services.
  • Legal authorities, when required by law, court order, or to establish, exercise, or defend legal rights.
  • Business transfers, in connection with a merger, acquisition, or sale of assets, subject to this policy.

We maintain a current list of sub-processors — see the subprocessors list. Where data is transferred outside the European Economic Area (EEA) or the UK, we ensure adequate safeguards, including European Commission adequacy decisions or Standard Contractual Clauses (SCCs), together with supplementary measures where required.

12. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law.

DataRetention
Form submission stored as email24 months from submission
Communication recordsUp to 3 years
Anonymous analytics36 months aggregate
Server logs30 days
Account dataDuration of the business relationship plus up to 5 years for legal and audit purposes
Tenant operational and conversation dataAs defined in your DPA — typically the active subscription term plus 90 days backup retention

You may request deletion at any time, subject to legal retention obligations and, where we act as a processor, to the controlling customer's instructions.

13. Your Rights

Under the GDPR, UK GDPR, LGPD, and other applicable data-protection laws, you may have the right to:

  • Access your personal data and obtain a copy.
  • Rectify inaccurate or incomplete data.
  • Erase your data ("right to be forgotten") where applicable, subject to legal retention obligations.
  • Restrict or object to processing in certain circumstances, including direct marketing.
  • Data portability — receive your data in a structured, machine-readable format.
  • Withdraw consent at any time where processing is based on consent.
  • Lodge a complaint with your local data-protection authority (Spain: AEPD; Portugal: CNPD; Brazil: ANPD; Norway: Datatilsynet; UK: ICO).

To exercise these rights, contact privacy@nordixsystems.com. We will respond within the timeframe required by applicable law (generally within 30 days). Where we process your data on behalf of a customer or Partner (as a processor), we will refer your request to that controller and assist them in responding.

14. Security Measures

We implement industry-standard technical and organizational measures to protect your data, including:

  • Encryption in transit (TLS) and at rest (AES-256).
  • Role-based access controls and the principle of least privilege.
  • Multi-tenant isolation, audit logging, and secrets stored in a managed vault/KMS.
  • Regular security assessments.
  • Incident-response and breach-notification procedures consistent with GDPR Articles 33/34 and equivalent laws.

Report a suspected security incident to security@nordixsystems.com.

15. Where We Store It

By default, all data is stored inside the European Union (Ireland or Stockholm region, depending on the service). For customers outside the EU we can negotiate a different residency. We may serve users in the EEA, the UK, Norway, Brazil, and elsewhere; for users in Brazil we process personal data in accordance with the LGPD, for users in the UK in accordance with the UK GDPR, and for users in the EEA and Norway in accordance with the GDPR and Norwegian implementing law.

16. Children's Privacy

Our Services are designed for business and professional use and are not directed at individuals under the age of 16 (or the applicable age in your jurisdiction). We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us so we can take appropriate action.

Our website and Services may link to, or integrate with, third-party websites and services that we do not control. This Privacy Policy does not apply to those third parties, and we are not responsible for their privacy practices. We encourage you to review the privacy notices of any third-party service you use or connect.

18. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, Services, or legal requirements. We will post the updated policy with a revised effective date and, where changes are material, provide additional notice through the Services or by email; material changes are also announced at the top of this page and dated.

19. Contact

If you have questions about this Privacy Policy or our data practices, please contact:

You also have the right to lodge a complaint with your local data-protection authority (for example, the Spanish AEPD, the Portuguese CNPD, the Brazilian ANPD, the Norwegian Datatilsynet, or the UK ICO) if you believe your data has been processed in violation of applicable law.

This policy was last updated on 2026-06-21. Material changes are announced at the top of this page and dated.