Terms and Conditons

Thank you for visiting our website and for your interest in our services. NTH considers the protection of personal data to be a matter of great importance and handles it accordingly. This Privacy Policy is intended to provide website visitors with information about what personal data is collected during visits to the website, how it is processed, and what measures are taken to protect it.

All terms used in this Privacy Policy have the same meaning as in Regulation (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Data Controller

Data Controller: NTH Mobile d.o.o.

Address: Hallerova aleja 6E, Varaždin, Croatia

Email: info@nth.ch

As the data controller for this website, we are obliged to inform you about the purposes for collecting your personal data. When visiting our website, you voluntarily provide us with certain data in accordance with the purposes described below in this Privacy Policy.

Questions Regarding Personal Data Protection

If you have any questions regarding the processing or protection of your personal data, feel free to contact us at: dataprotection@nth.ch

You may withdraw any consent given at any time by sending a request to: dataprotection@nth.ch

Why and on What Basis We Process Your Data

Visiting Our Website

When you visit our website, we use third-party services such as Google Analytics to collect standard internet log information and details about visitor behavior patterns. We do this to learn things such as the number of visitors to different parts of the website. This information is processed in a way that does not identify anyone. We do not make, and do not allow Google to make, any attempt to identify visitors to our website. We also use LinkedIn Analytics. Please refer to the relevant privacy notice for additional information.

When you browse our website, we automatically place necessary cookies on your browser. You may choose to accept advertising or analytics cookies. The data we collect helps us maintain and improve our website and business. This usually includes your IP address, browser type, pages visited and the order in which they were visited, as well as whether you are a new or returning visitor.

Visiting Our Social Media Pages

NTH uses certain social media platforms. If you contact us through one of our social media channels, we will store your data and use it in accordance with this Privacy Policy.

We are present on the following social media platform:

LinkedIn: https://www.linkedin.com/company/nth-mobile-payment

Inquiries About Business Cooperation or Services We Provide

When you contact us regarding our services, we use the following contact information:

We use this information for the purpose of carrying out actions prior to entering into a contract and later concluding the contract. Processing this data also represents our legitimate interest in developing business relationships and potential business cooperation. We will retain your data for three years from the date we receive it. In the event that a contract is concluded between you and NTH, we are legally obliged to retain your data for a longer period.

Who Has Access to Your Data

Only authorized employees have access to your data and solely for the purpose of performing their duties. NTH will not forward your data to third parties or allow them access to your data unless otherwise stated in this Policy or based on a legally founded request by a competent public authority.

Where and How We Store Your Data

All data we collect is stored on our internal IT infrastructure, which is appropriately protected against all risks according to the highest standards.

Your Rights

Based on Regulation (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and the law implementing it, you have the following rights:

Control ObjectiveMeasures
(1) Access ControlThe following measures are used to prevent unauthorized persons from physically accessing the server infrastructure for data processing, and specifically for identifying authorized persons.
• The data center is separated from other more easily accessible areas
• Access is granted only to authorized employees (as a rule, access is not permitted)
• Biometric access control system using access credentials
• Alarm system and code-locking system
• 24-hour security services with integrated alarm system
• Video surveillance (external, for all doors, and for corridors)
• Separate storage areas with the possibility of using separate locks or keys
• Only authorized employees are responsible for securing the premises
(2) Access Control (User Control)Unauthorized persons must be prevented from using data processing systems.
• Use of firewalls and intrusion detection systems
• Access to data processing systems via SSH and web interfaces for administrative purposes (e.g., infrastructure and system maintenance) is granted only to a limited group of internal administrators. Only encrypted communication channels are used for these purposes. Connections are established through VPN, TLS, and LDAP
• Authentication is always performed using a username and password, in accordance with the internal password policy
• User identity is verified using personal login credentials. Sharing these credentials with other persons is prohibited
• Secure password management, including the use of centralized device administration software with encryption
• In emergency situations (if normal user authentication does not function correctly), system administrators may access servers using root accounts. Use of root login is logged
(3) Access and Storage ControlPersons authorized to use the systems must only have access to the data necessary to perform their tasks and those subject to their access authorization. It must also be ensured that user data (including personal data) is processed and used in such a way that unauthorized reading, copying, modification, or deletion is prevented.
• Protection against unauthorized internal and external access through firewalls, authentication processes, and encryption
• Secure password assignment in accordance with the internal password policy. Depending on the system or application, regular password changes and automatic account locking are implemented
• Prohibition of granting privileged administrative access to clients/customers or external parties for administrative purposes
• External access rights to systems and applications are granted only when necessary and exclusively to authorized entities for the purpose of creating user profiles and assigning user rights. These rights must be contractually agreed upon or at least documented within the service project according to the authorization concept
• Authorization is granted exclusively by the person responsible for the service/application unless otherwise specified in the authorization concept for a particular service or application. The number of administrators is always reduced to the minimum necessary. Assignment of additional access rights at the request of the client or customer must be made in writing
• At the system level, all access is logged by default. In the case of particularly sensitive data, if required by law or at the request of the client or customer, access is also logged at the application level (entry, modification, deletion, and retrieval of data)
• Secure storage and disposal of data carriers
(4) Separation ControlSeparate processing of data collected for different purposes must be ensured.
• Physical separation of functionally and purposefully different systems, databases, and data carriers
• Defined processes regarding where and how systems, services, or applications are installed, delivered, and managed according to the company-wide authorization concept
• Separation of production and test environments
• Functional and logical separation of clients
• Definition of database rights
(5) Distribution Control (Disk Control, Transport Control, and Data Disclosure Control)It must be ensured that customer data (including personal data) cannot be read, copied, modified, or deleted without authorization during electronic transmission, transport, or storage on data carriers. It must also be possible to verify and determine the points at which customer data (including personal data) is transferred by data transmission facilities.
• Data transfer is always carried out using secure encryption, especially for personal data
• Privileged administrative activities, such as migrations, may only be performed through VPN access. VPN access with such privileges is granted only to a limited group of employees
• All privileged system-level activities are logged in activity logs. Logging may also occur at the application level
• Documents requiring protection may only be sent in encrypted form (e.g., compressed email attachments protected by a password, where the password is sent separately through another channel)
(6) Input Control and LoggingIt must be possible to subsequently verify and determine who entered, modified, or deleted customer data (including personal data) within data processing systems.
• Assignment of access rights for entering, modifying, and deleting data based on the authorization concept
• Logging of data entry, modification, and deletion is always provided at the system level through activity logs, and at the service/application level when necessary (depending on the application purpose and sensitivity of the data)
• Monitoring of data entry, changes, and deletion through individual usernames
(7) Availability Control and RecoveryUser data (including personal data) must be protected against accidental or intentional destruction and loss.
• Uninterruptible power supply (diesel generator and UPS device)
• Air-conditioned server rooms equipped with temperature and humidity monitoring devices and PDU power protection strips
• Comprehensive fire protection using the Inergen fire suppression system
• Development of backup and recovery concepts
• Hard disk mirroring, e.g., using RAID methods
• Contingency plans detailing failure scenarios, precautionary measures, and available actions
• Server rooms are not located beneath sanitary facilities
• Monitoring of the complete infrastructure and data center services
• Redundant infrastructure
(8) Order ControlIt must be ensured that personal data processed on behalf of the customer is processed exclusively according to the client’s instructions.
• If maintenance work on data processing systems may potentially affect personal data, NTH will inform the client of the maintenance period
• Change and migration requests containing personal data must be submitted by the client in writing
• Data processing takes place within NTH’s data center unless the customer explicitly requests other locations (e.g., specific hosting providers)
• Ensuring destruction of data after completion of the order
(9) Organizational and Implementation ControlProcesses and workflows for data processing are defined to effectively implement data protection principles and security safeguards in order to meet data protection requirements and protect the rights of affected individuals.
• Regular employee training and awareness regarding data protection principles and information security
• Confidentiality obligations relating to business operations and trade secrets
• Proper and careful handling of data, files, data carriers, and other documents
• Verification of the implementation and effectiveness of technical and organizational protective measures through controls and random checks
• Incident response management process and documentation of security incidents within the ticketing system
• Formalized procedure for handling information requests from data subjects
• NTH guarantees the provision of services in accordance with data protection laws

Technical and organizational measures are subject to technical progress and continuous development. In this regard, NTH may implement alternative but appropriate measures that comply with the level of security and technical requirements defined in this data protection statement.