
NextTables Product / SAAS Privacy Notice

Last modified: 17.12.2025

We at NextTables GmbH (“NextTables”, “we”, “us”) are committed to protecting personal data. This Product / SaaS Privacy Notice (“Product Notice”) explains how we process personal data when providing our SaaS product (“Service”).

NextTables is a web application that connects to existing data platforms and enables business users to maintain data directly in platforms, reducing reliance on separate data silos like spreadsheets. 

If you do not agree with the data practices described in this Product Notice, you should not use the Service.

We may update this Product Notice from time to time. We will post the updated version on this page and update the “Last modified” date. If the changes are material, we may provide a more prominent notice (for example, via the Service or by email).

WHO WE ARE

Controller: NextTables GmbH
Kapellenstrasse 37, 65719 Hofheim am Taunus, Germany
Registered seat (Sitz): Hofheim am Taunus
Managing Director (Geschäftsführer): Sebastian Uhlig
Commercial register: Amtsgericht Frankfurt am Main, HRB 139443
VAT ID: DE 457 704 957

Privacy contact: privacy@nexttables.com
Supervisory authority (Germany): Hessischer Beauftragter für Datenschutz und Informationsfreiheit (HBDI), Postfach 3163, 65021 Wiesbaden

SCOPE

This Product Notice applies to personal data processed in connection with the Service, including when you:
  • create and administer accounts for the Service,
  • authenticate and access the Service,
  • use the Service and interact with its features,
  • contact us for support, and
  • when we operate, secure, and maintain the Service.
This Product Notice does not cover our website and marketing activities (such as cookies, web analytics, newsletters, and advertising). Those activities are described in our separate “Website & Marketing Privacy Policy”.

ROLES UNDER GDPR (CONTROLLER VS PROCESSOR)

When we act as Processor

We act as a processor where we process personal data as part of “Customer Content” and related data that a customer (our business customer) uploads, inputs, or otherwise makes available in the Service and for which the customer determines the purposes and essential means of processing.

Customer Content may include, for example, ERP-related data, business data, HR data, marketing-related data, customer information, and similar data typically stored in an ERP system or business application. The customer controls what Customer Content is stored and how it is used within the Service.

Where we act as processor, we process personal data only on the customer’s documented instructions and as set out in our Data Processing Agreement (“DPA”).

DPA: Available on Request

When we act as Independent Controller

We act as an independent controller for certain operational data that we process for our own purposes, including to administer accounts, secure the Service, provide support, communicate with customers, and comply with legal obligations. This typically includes:
  • account and user administration data (e.g., name, business email, role),
  • authentication and identity identifiers used for sign-in and access control,
  • security and audit logs,
  • service communications (e.g., availability, security, and change notices),
  • support interactions (tickets, attachments, and—if used—screen recordings), and
  • product usage and diagnostics data (depending on configuration and tooling).

WHAT PERSONAL DATA WE PROCESS

Controller data (operational data)

Depending on your use of the Service, we may process the following categories as controller:
  • Account & profile data: name, business email address, company, role, account status, user IDs.
  • Authentication data: identifiers provided by identity providers (e.g., Microsoft Entra ID identifiers, Google identifiers), plus internal identifiers (e.g. email address) required to manage access.
  • Security & audit data: login events, access logs, timestamps, IP address, device/browser details, audit trails and administrative actions.
  • Usage and diagnostics (telemetry): feature usage, performance metrics, and error data. 
  • Support data: support requests, communications, and attachments; potentially screen recordings.

Processor data (Customer Content)

As processor, we may process Customer Content and related data submitted by the customer or its authorized users. The specific data types depend on the customer’s configuration and use case and may include personal data contained within business records (e.g., employee, customer, supplier, and contact data).

SPECIAL CATEGORIES OF DATA (ART. 9 GDPR)

The Service is not specifically designed for special categories of personal data (e.g., health data, biometric data, political opinions). However, customers control what data is stored and may choose to store such data within Customer Content.

If a customer stores special categories of personal data in the Service:
  • the customer remains responsible for ensuring a valid legal basis and an applicable Art. 9 GDPR condition,
  • we will process such data only as processor under the DPA and the customer’s documented instructions, and
  • depending on the risk and the customer’s requirements, additional safeguards and/or written agreement may be required.

PURPOSES AND LEGAL BASES (FOR CONTROLLER PROCESSING)

We process Controller data for the following purposes and legal bases (as applicable):

  • Account and access administration (Art. 6(1)(b) GDPR – performance of a contract / steps prior to entering into a contract).
  • Operating and securing the Service (Art. 6(1)(f) GDPR – legitimate interests in ensuring security, preventing abuse, and maintaining service reliability).
  • Support and customer communications (Art. 6(1)(b) and/or Art. 6(1)(f) GDPR).
  • Compliance and legal obligations (Art. 6(1)(c) GDPR).
  • Service improvement and analytics (Art. 6(1)(f) GDPR; details depend on telemetry tooling and configuration; we aim to minimize personal data and use aggregation where feasible).

AUTHENTICATION AND IDENTITY PROVIDERS

The Service supports authentication via:
  • Microsoft Entra ID (Azure AD),
  • Google sign-in, and
  • email address and password.
Identity providers typically process authentication data under their own terms and may act as independent controllers for their authentication services. You should review their privacy information for details.

WHO WE SHARE PERSONAL DATA WITH

We may share personal data (Controller data and, where applicable, processor data) with:
  • Service providers supporting hosting, support, monitoring, email delivery, and other operational needs (see “Subprocessors and service providers” below).
  • Professional advisors (legal, audit, tax) where necessary and permitted.
  • Authorities where required by law or to protect rights and security.
We do not sell personal data.

SUBPROCESSORS AND SERVICE PROVIDERS (PRODUCT)

We use (or expect to use) the providers below. Items marked “TBD” will be confirmed and updated.

| Provider | Purpose | Typical data | Processing location |
|---|---|---|---|
| Microsoft Azure | Hosting and infrastructure | Service data, logs, backups | If your custom domain is yourname.eu.app.nexttables.com: EU: West Europe |
| HubSpot | Support tooling (tickets, communications) | Support data; contact/admin data | EU: Germany |
| Brevo, sendinblue GmbH | Service emails (notifications, support) | Name, email address, message metadata | EU |
| Microsoft Azure | Reliability monitoring, alerting | Logs, diagnostics, device/IP | If your custom domain is yourname.eu.app.nexttables.com: EU: West Europe |
| Microsoft Azure | Product analytics and diagnostics | Usage/error data | If your custom domain is yourname.eu.app.nexttables.com: EU: West Europe |



INTERNATIONAL TRANSFERS

We aim to process Service data in the region selected for the customer’s deployment. If personal data is transferred outside the EEA/UK (for example, due to certain support arrangements or tooling providers), we will implement appropriate safeguards such as EU Standard Contractual Clauses and supplementary measures where required.

Transfers and safeguards: At this stage not applicable, as data is only hosted in the EU.

RETENTION

Unless otherwise agreed in contract and/or the DPA, we apply the following retention approach (may vary by configuration and legal obligations):

  • Customer Content (processor): export available for up to 30 days after termination (if applicable), then deletion within 60 days total (subject to backup cycles and legal requirements).
  • Backups: rolling backups retained up to 30–90 days.
  • Security and audit logs: typically retained 90–180 days.
  • Support tickets: typically retained up to 24 months after closure (or longer if needed for disputes/compliance).

SECURITY

We maintain technical and organizational measures appropriate to the risk. The specific measures in place are subject to change and will be confirmed internally.

Measures may include:
  • encryption in transit
  • encryption at rest
  • access controls and least privilege
  • audit logging
  • tenant separation controls
  • vulnerability management and patching
  • backups and disaster recovery measures
  • incident response procedures
Security details / TOMs: Available on request.

YOUR RIGHTS AND HOW TO CONTACT US

Where we act as controller, individuals may have rights under GDPR (access, rectification, deletion, restriction, objection, portability) depending on the circumstances and applicable law.

Where we act as processor for Customer Content, requests should generally be submitted to the customer (the controller), who can instruct us as needed under the DPA.

If you have questions or want to exercise your rights (where applicable), please contact us:

Email: privacy@nexttables.com
Mail: NextTables GmbH, Kapellenstrasse 37, 65719 Hofheim am Taunus, Germany

You may also lodge a complaint with a supervisory authority, including the competent authority in Germany: Hessischer Beauftragter für Datenschutz und Informationsfreiheit (HBDI), Postfach 3163, 65021 Wiesbaden, Germany.