This page tells you exactly what data nis2insights.com collects from you, why, what we do with it, and the rights you have over it. We have written it as concisely as we could without omitting anything material.
The publisher of nis2insights.com — the data controller, in the language of the General Data Protection Regulation (Regulation (EU) 2016/679) — is RENFELD LEBANON, registered in Jounieh, Lebanon. Full publisher details are on our legal information page.
What we collect
We collect three things, all of them minimal.
A locale cookie. When you choose a language — explicitly via the language switcher, or implicitly the first time you visit through the Accept-Language header your browser sends — we set a cookie called NEXT_LOCALE to remember your choice. The cookie holds nothing more than a two-letter code (en, fr, de, es, it). It expires after one year. It is treated as a strictly necessary cookie under the ePrivacy Directive — it does not require consent, and we cannot operate the site without it.
Aggregated, cookieless analytics. We use Plausible Analytics to count visits to the site and understand which articles are read. Plausible was specifically chosen because it is cookieless, does not track individuals, does not use fingerprinting techniques, and is itself hosted in the European Union. The data Plausible records is fully aggregated: page URL, referrer (where you came from, if any), country (derived from your IP, which Plausible does not store), browser and operating system family. No identifier is created for you. We rely on legitimate interest as the lawful basis (Article 6(1)(f) GDPR); the balancing test favours processing because the data is irreversibly aggregated and never linked to you as an individual.
Local browser storage for the checklist. When you fill in the 21-point self-assessment, your answers are saved in your browser's localStorage under the key nis2:checklist:v1. They never leave your device. We have no copy. If you switch browsers or devices, you start fresh; if you clear your browser data, your answers are gone.
What we do not collect
We do not run advertising. We do not embed third-party scripts (no Google Analytics, no Facebook Pixel, no Hotjar, no Intercom). We do not sell or share data with anyone. The fonts on this site are self-hosted; the images are served from our own infrastructure. There is no consent banner because there is nothing requiring consent under the strict reading of the ePrivacy Directive and the GDPR.
If you contact us by email — for example to ask a question, request access to your data, or unsubscribe from a future newsletter — we keep the message and our reply for as long as needed to handle the request, and at most three years after the last contact for legal purposes.
Where the data sits
The site itself runs on Cloudflare Workers. Cloudflare, Inc. is established in the United States and is certified under the EU–US Data Privacy Framework. EU traffic is typically served from Cloudflare's European points of presence (Frankfurt, Paris, Amsterdam and others), but the company itself is a US entity. Plausible Analytics is hosted in the European Union (Germany).
Your rights
The data we keep server-side is minimal by design. The locale cookie stores a two-letter language code; the analytics is irreversibly aggregated and cannot be tied back to you; the checklist answers stay in your browser. Clearing your browser cookies and localStorage for nis2insights.com removes everything we hold for you, except aggregate counts that do not identify any individual.
A dedicated contact channel for formal data-protection requests, and the designation of an EU Representative if required, will be published as the publication's European presence is formalised. Independently of that, you retain the right to lodge a complaint with the data-protection supervisory authority of your country of residence at any time.
Updates
This notice is dated at the bottom of the page. Material changes — for example if we add a new processor or a new category of processing — will be highlighted at the top of the page for at least 30 days after the change.