Privacy explained.
This policy describes which personal data we process, when, why — and what rights you have under the GDPR.
1. Controller
Controller within the meaning of GDPR is:
Nexora GmbH
Postal address, management and commercial register: see the imprint.
Contact: ps@nex-ora.de
2. Hosting & technical delivery
This website is hosted by Vercel Inc. (440 N Barranca Ave #4133, Covina, CA 91723, USA) on their global edge network. Database and file storage are operated by Railway (Railway Corp., 651 N Broad Street, Suite 201, Middletown, DE 19709, USA), using EU regions where available. On every page load technically necessary server logs (IP, user-agent, timestamp, requested URL) are kept for at most 30 days (Art. 6 (1) (f) GDPR — legitimate interest in security and availability).
Transfers to the United States. Where personal data is transferred to US providers (Vercel, Microsoft, Resend, Meta), the transfer is based on the EU-US Data Privacy Framework (Adequacy Decision of the European Commission of 10 July 2023) and, where applicable, on Standard Contractual Clauses (SCC) under Art. 46 (2) (c) GDPR. Data Processing Agreements under Art. 28 GDPR are in place with all of the named processors.
3. Cookies and similar technologies
The website uses the following storage technologies (§ 25 TDDDG, Art. 6 GDPR):
- Strictly necessary cookies: session cookie for the project file (login), theme preference (nx-theme). Legal basis: § 25 (2) no. 2 TDDDG (strictly necessary) in conjunction with Art. 6 (1) (f) GDPR.
- Local browser storage flags (nx-ebook-popup-shown, nx-ebook-popup-home-shown): stored in the browser's localStorage only, no server round-trip — prevents repeated popup display. Legal basis: § 25 (2) no. 2 TDDDG (strictly necessary for the user-requested convenience).
- Audience analytics (PostHog): pageviews, click events, anonymised user identification. Hosted by PostHog Inc. on EU servers (Frankfurt), no third-country transfer. Anonymised IP, no profiles for anonymous visitors (person_profiles: identified_only). Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in statistical reach measurement) or Art. 6 (1) (a) GDPR where consent is obtained.
- Session replay and heatmaps (Microsoft Clarity): recording of mouse movements, scroll depth and click heatmaps to improve usability. Provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA. Sensitive form fields are masked. Transfer to the US based on the EU-US Data Privacy Framework (Microsoft is DPF-certified) and supplementary Standard Contractual Clauses. Legal basis: Art. 6 (1) (a) GDPR (consent), § 25 (1) TDDDG.
- Meta Pixel and Conversions API (Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland; parent company: Meta Platforms, Inc., USA): We use the Meta Pixel and the server-side Meta Conversions API to measure the performance of our advertising on Facebook and Instagram, build audiences and avoid duplicate delivery. Processed data: IP address, browser/device information, visited pages, triggered events (e.g. “Lead”, “Contact”) and — for server-side events — hashed contact data (email, phone) for matching against Meta accounts. We and Meta act as joint controllers within the meaning of Art. 26 GDPR; the agreement is available at facebook.com/legal/controller_addendum. Transfer to the US based on the EU-US Data Privacy Framework (Meta is DPF-certified) and the Standard Contractual Clauses. Legal basis: Art. 6 (1) (a) GDPR (consent), § 25 (1) TDDDG.
Consent & withdrawal. Where consent is required for any of the above tools, you give it via the cookie selector on the home page; you can withdraw your consent at any time with effect for the future — through the cookie settings, by deleting the cookies in your browser, by enabling your browser's “Do Not Track” signal, or by sending an informal message to ps@nex-ora.de. Logged-in features may stop working if you delete strictly necessary cookies.
4. Funding calculator & project file
When you use our heat-pump funding calculator, your inputs (postcode, building data, heating situation) are initially evaluated only locally in your browser. They are stored in our database only when you open a project file (email + password). Legal basis: Art. 6 (1) (b) GDPR — performance of a contract / pre-contractual measures.
Documents you upload (heating photos, floor plans, energy bills, ID documents) are stored in access-restricted object storage and used solely for your project.
5. E-book request & email delivery
When you request a free e-book we collect your email (step 1), then your name and phone number (step 2, optionally company). Legal basis: Art. 6 (1) (b) GDPR (pre-contractual measures). Delivery is performed by Resend.com (Resend Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA) under a Data Processing Agreement pursuant to Art. 28 GDPR; the transfer to the US is covered by the EU-US Data Privacy Framework and supplementary Standard Contractual Clauses. The PDF is sent as an attachment. We do not send marketing emails without explicit consent; every email contains an RFC 8058 unsubscribe link.
Server-side Meta Conversions API. When you submit the e-book form we additionally send a server-side conversion event (“Lead” or “Contact”) to Meta (see section 3). Transmitted data: hashed email address, where applicable hashed name and hashed phone number, IP address, user-agent, event ID, country. Purpose: advertising performance and reach measurement. Transmission does not occur if consent for marketing cookies has not been given.
6. Third parties and external content
- Google Fonts — self-hosted via next/font; no live connection to Google servers when the page loads.
- KfW & BAFA — we link to official German agency pages; clicking those leaves our scope.
- Resend — see section 5.
- Meta Pixel / Conversions API — see section 3.
- Microsoft Clarity — see section 3.
- PostHog — see section 3.
- Vercel (hosting) & Railway (database/storage) — see section 2.
7. Retention periods
Server logs: 30 days. Lead data without project file: 12 months, then deleted. Project files, contract-relevant correspondence and accounting records: up to 10 years, beginning at the end of the calendar year in which the respective record was created (§§ 257 HGB, 147 AO — German commercial and tax-law retention obligations). On request we delete earlier where no statutory retention obligation prevents this; in such cases data is restricted from further processing until the retention period expires.
8. Your rights
You have the right to:
- Information (Art. 15 GDPR)
- Rectification (Art. 16)
- Erasure (Art. 17)
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Object to direct marketing and to processing based on legitimate interest (Art. 21)
- Lodge a complaint with a supervisory authority — competent for us is the Saxon Commissioner for Data Protection and Transparency, Devrientstraße 5, 01067 Dresden, Germany.
Reach us at ps@nex-ora.de.
9. Security
Transport over TLS 1.3 only. Passwords hashed with Argon2id. Database access over mTLS. S3 storage via signed URLs (max. 7-day validity) with server-side encryption.
10. Changes
We update this policy when our processing activities or applicable law materially change. Current version: 3 May 2026.