Privacy & Data Protection

1. Introduction

NTLi GmbH ("NTLi", "we", "us", "our") is an Austrian-registered IT consultancy serving B2B clients across the European Union. This policy explains what personal data we collect, why we collect it, how we use and protect it, and the rights you have under the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").

2. Data controller

The controller responsible for the processing described in this policy is:

• CompanyNTLi GmbH
• RegistrationFN 671761
• Registered officec/o Fieldfisher GmbH, Rotenturmstraße 5–9, Top 512–513, 1010 Vienna, Austria
• RepresentativeHayat Hafia Houoite, CEO & Founder
• Contactcontact@ntli-dev.com · +33 7 68 87 72 34

3. Data we process

Depending on your interaction with us, we may process the following categories of personal data:

• Business contact detailsName, role, company, professional email, phone number.
• CorrespondenceContent of emails, meeting notes, and project-related communications you send us.
• Engagement dataContracts, statements of work, invoices, and records required for accounting and tax obligations.
• Operational data (as processor)Where strictly necessary for delivery, data provided by the client under a written Data Processing Agreement (DPA).
• Technical dataLimited server logs (IP address, user agent, timestamp) collected for security and abuse prevention. No advertising or behavioural tracking is performed on this site.

4. Legal basis for processing

We rely on the following lawful bases under Art. 6(1) GDPR:

• Art. 6(1)(b) — ContractPerformance of a contract with you, or pre-contractual measures taken at your request (e.g. responding to inquiries, delivering engagements).
• Art. 6(1)(c) — Legal obligationCompliance with Austrian and EU legal obligations such as accounting, tax, and record-keeping requirements.
• Art. 6(1)(f) — Legitimate interestsRoutine business administration, IT security, and protecting our rights — balanced against your interests and rights.
• Art. 6(1)(a) — ConsentWhere required, we ask for explicit consent and you may withdraw it at any time without affecting prior processing.

5. Data processing & residency

When NTLi acts as a processor on behalf of a client, we operate under a written DPA that defines the purpose, scope, duration, categories of data subjects, sub-processors, security measures, and assistance obligations as required by Art. 28 GDPR. Wherever technically feasible, processing takes place within the European Economic Area (EEA) using EU-region cloud infrastructure. Production data is logically separated per engagement.

6. Retention

We retain personal data only for as long as necessary for the purposes described above:

• Inquiries without engagementUp to 12 months from last contact, then deleted.
• Active client correspondenceFor the duration of the engagement plus 3 years.
• Contracts, invoices, accounting recordsRetained for 7 years to comply with Austrian commercial and tax law (§ 132 BAO).
• Operational data (as processor)Retained and deleted strictly according to the applicable DPA.

7. Sub-processors & recipients

We use a limited number of vetted sub-processors for hosting, email, and productivity tooling — selected for their GDPR posture and EU data residency where possible. A current list of sub-processors used in client engagements is available on request and is appended to each client DPA. We do not sell personal data and we do not share it with third parties for advertising purposes.

8. International transfers

Where a transfer outside the EEA is unavoidable (for example, specific tooling without an EEA-only option), we rely on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and perform a transfer impact assessment in line with the "Schrems II" ruling (CJEU C-311/18). Additional safeguards (encryption in transit and at rest, access controls) are applied as appropriate.

9. Security measures

We implement appropriate technical and organisational measures under Art. 32 GDPR, including: TLS for data in transit, encryption at rest for stored credentials and operational data, role-based access control with least privilege, multi-factor authentication for administrative access, regular backups, vulnerability monitoring, and documented incident-response procedures. In the event of a personal data breach affecting your data, we will notify the competent supervisory authority within 72 hours where required, and inform affected individuals when the breach is likely to result in a high risk to their rights and freedoms.

10. Cookies & analytics

This website does not use advertising cookies, cross-site tracking, or third-party behavioural analytics. Only strictly necessary cookies required for the site to function are set by default. Optional analytics and preference cookies are off until you explicitly opt in below; you can change your choice at any time.

11. Your rights

Subject to the conditions set out in the GDPR, you have the right to:

• Access (Art. 15)Obtain confirmation and a copy of your personal data.
• Rectification (Art. 16)Correct inaccurate or incomplete data.
• Erasure (Art. 17)Request deletion ("right to be forgotten") where applicable.
• Restriction (Art. 18)Limit how we process your data in defined circumstances.
• Portability (Art. 20)Receive your data in a structured, machine-readable format.
• Object (Art. 21)Object to processing based on legitimate interests.
• Withdraw consentWhere processing is based on consent, withdraw it at any time without affecting prior lawful processing.
• Lodge a complaintComplain to the Austrian Data Protection Authority (Datenschutzbehörde, Barichgasse 40–42, 1030 Vienna) or your local supervisory authority.

12. Changes to this policy

We may update this policy to reflect changes in our practices, technology, or legal requirements. The current version is always available at /privacy and is identified by the “Last updated” date below. Material changes will be highlighted on this page.

13. Contact us

For any privacy-related question, request, or to exercise your rights, please contact us at contact@ntli-dev.com. We aim to respond within one business day (Mon–Fri, CET) and, in any case, within the statutory one-month period under Art. 12(3) GDPR.