
GDPR Compliant

Privacy Policy

Last updated: April 2026

1. Who We Are

NCP Media ("we", "us", "our") operates the NCP Media Client Portal at https://www.ncp-media.com/portal. We are the data controller for personal data processed through this portal. Contact: info@ncp-media.com

2. What Data We Collect

  • Account data: Name, email address, company name, phone number, postal address
  • Authentication data: Encrypted password hash, two-factor authentication (TOTP) shared secret, hashed single-use backup codes, 2FA verification timestamps
  • Tax identification data: VAT number you enter, plus — when you choose to verify it — the registered company name and address returned by the European Commission's VIES service. This VIES response is retained to evidence that reverse-charge treatment applied at the time of invoicing was justified.
  • Usage data: Login timestamps, IP addresses, browser user agent
  • Ad performance data: Campaign metrics, spend, ROAS synced from your connected ad accounts
  • Lead data: Contact information from Meta Lead Ads forms (stored AES-256 encrypted)
  • Support data: Tickets, messages, attachments you submit
  • Billing data: Invoice records, VAT rate applied, reverse-charge flag and legal note (no card data stored — handled by Stripe)

3. Legal Basis for Processing

  • Contract performance (Art. 6(1)(b) GDPR): To provide the services you have engaged us for
  • Legitimate interests (Art. 6(1)(f) GDPR): Security, fraud prevention, service improvement
  • Legal obligation (Art. 6(1)(c) GDPR): Invoicing, tax compliance
  • Consent (Art. 6(1)(a) GDPR): Marketing communications (where applicable)

4. How We Use Your Data

  • Providing access to the client portal and its features
  • Sending transactional notifications (reports, invoices, support updates, security alerts for 2FA events)
  • Two-factor authentication (time-based one-time passwords) for account security
  • Validating VAT numbers through the European Commission's VIES system to determine correct VAT treatment (reverse charge for intra-EU B2B supplies)
  • Syncing and displaying your advertising campaign performance
  • Generating weekly performance reports
  • Security monitoring and fraud prevention

5. Data Storage & Security

Your data is stored on servers located in Nuremberg, Germany (EU) hosted by Hetzner Online GmbH, an EU-based provider. We implement the following security measures:

  • AES-256-CBC encryption for personal lead data at rest
  • TLS/HTTPS encryption for all data in transit
  • Firewall with restricted port access
  • Brute-force protection via fail2ban and per-user rate limiting on 2FA attempts
  • Time-based one-time password (TOTP) two-factor authentication; backup codes are stored as bcrypt hashes and are single-use
  • Session regeneration on successful authentication to prevent session fixation
  • CSRF token verification on all state-changing actions
  • Audit logging of data access events and security-relevant actions

6. Data Retention

  • Account data: Retained for the duration of the contract + 2 years
  • 2FA credentials (TOTP secret + backup codes): Retained while 2FA is enabled; cleared immediately if 2FA is disabled or reset
  • VIES verification responses: Retained for 7 years alongside the invoices they support (required to evidence reverse-charge treatment to tax authorities)
  • Lead data: Retained for 12 months from collection date
  • Ad metrics: Retained for 24 months
  • Audit logs: Retained for 12 months
  • Invoices: Retained for 7 years (tax law obligation)

7. Third-Party Services

  • Brevo (Sendinblue): Email & SMS delivery — Privacy Policy
  • Meta (Facebook): Ad account & lead data sync — Privacy Policy
  • Google: Ad account sync & OAuth login — Privacy Policy
  • TikTok: Ad account sync — Privacy Policy
  • Stripe: Payment processing — Privacy Policy
  • Hetzner: Server hosting (EU) — Privacy Policy
  • European Commission — VIES: VAT number validation for EU intra-community transactions. When you click "Verify VAT", we send your VAT number to the EC's VIES service; the EC returns the registered company name and address, which we store alongside your account to evidence correct VAT treatment. See EC's VIES information page.

8. Your Rights Under GDPR

As an EU data subject, you have the following rights:

  • Right of access (Art. 15): Request a copy of your personal data
  • Right to rectification (Art. 16): Correct inaccurate data
  • Right to erasure (Art. 17): Request deletion of your data
  • Right to restriction (Art. 18): Restrict processing of your data
  • Right to data portability (Art. 20): Receive your data in a portable format
  • Right to object (Art. 21): Object to processing based on legitimate interests

To exercise any of these rights, visit your Privacy Dashboard or contact us at info@ncp-media.com. We will respond within 30 days as required by GDPR.

9. Cookies

We use strictly necessary cookies for session management and authentication. No tracking or advertising cookies are used in the portal. See our Cookie Policy for details.

10. Complaints

NCP Media is an Estonian-registered entity, so our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon): www.aki.ee/en. Under GDPR's one-stop-shop mechanism you may also lodge a complaint with your local supervisory authority — for example the Greek Data Protection Authority (HDPA): www.dpa.gr, Tel: +30 210 6475 600.

11. Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes via email. Continued use of the portal after changes constitutes acceptance.

Address:
Sepapaja tn 6, 15551 Tallinn, Harju Maakond, Estonia
Contact:
211 1989 279
info@ncp-media.com
© 2026 NCPMEDIA OÜ. All rights reserved.