GDPR & Data Policy

Last updated: 1 May 2026

This page describes how Infrajet (operated by Nexgen Tech Labs) complies with the UK GDPR and EU GDPR, and how we handle the rights of data subjects.

1. Data Controller

Nexgen Tech Labs, registered in England and Wales, is the data controller for all personal data processed through Infrajet. Contact: dpo@ngtl.tech.

2. Lawful Basis for Processing

Processing activityLawful basis
Creating and managing your accountContract performance (Art. 6(1)(b))
Delivering IaC generation and deploymentContract performance (Art. 6(1)(b))
Sending transactional emailsContract performance (Art. 6(1)(b))
Platform security and fraud preventionLegitimate interests (Art. 6(1)(f))
Product analytics and improvementLegitimate interests (Art. 6(1)(f))
Legal and compliance obligationsLegal obligation (Art. 6(1)(c))

3. Data Retention Periods

Data categoryRetention period
Account and profile dataUntil account deletion + 30 days
Generated IaC code and project historyUntil account deletion + 30 days
Authentication logs (security events)12 months
Billing and payment records7 years (legal obligation)
Anonymised analyticsIndefinite (not personal data)

4. Your Rights Under GDPR

As a data subject you have the following rights, which you may exercise free of charge:

  • Right of access (Art. 15) — request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16) — ask us to correct inaccurate or incomplete personal data.
  • Right to erasure (Art. 17) — request deletion of your personal data where it is no longer necessary for the purpose it was collected, or where you withdraw consent. Delete your account from Settings to initiate this. We will complete erasure within 30 days.
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format (JSON export available on request).
  • Right to restriction of processing (Art. 18) — request that we limit how we use your data in certain circumstances.
  • Right to object (Art. 21) — object to processing based on legitimate interests, including profiling.
  • Right not to be subject to automated decision-making (Art. 22) — no purely automated decisions that significantly affect you are made without human review.

To exercise any right, email dpo@ngtl.tech with subject line “GDPR Request — [Your Right]”. We will respond within 30 days. Identity verification may be required before we can process your request.

5. International Data Transfers

Your data may be transferred to and processed in countries outside the UK/EU (including the United States, where Anthropic and GitHub operate). Where such transfers occur, we rely on standard contractual clauses (SCCs) or equivalent safeguards approved under UK GDPR to protect your data.

6. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware, and will notify affected individuals without undue delay where the breach is likely to result in high risk.

7. Cookies and Tracking

Infrajet uses a single first-party session cookie (infrajet_token) to maintain your authenticated session. We do not use tracking pixels, advertising cookies, or third-party analytics SDKs that collect personal data.

8. Supervisory Authority

If you are based in the UK and believe we have breached GDPR obligations, you have the right to complain to the Information Commissioner's Office (ICO). If you are based in the EU, please contact your local data protection authority.

9. Contact

Data Protection Officer: dpo@ngtl.tech
General privacy queries: privacy@ngtl.tech

See also: Terms & Conditions · Privacy Policy