> ## Documentation Index
> Fetch the complete documentation index at: https://learn.nextedy.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Privacy

> How Nextedy handles personal data — processing scope, GDPR approach, and data residency.

export const LastReviewed = ({date}) => {
  if (!date) return null;
  const formatted = new Date(`${date}T00:00:00Z`).toLocaleDateString("en-US", {
    year: "numeric",
    month: "long",
    day: "numeric",
    timeZone: "UTC"
  });
  return <p className="mt-10 text-sm text-gray-400 dark:text-zinc-500 not-prose">
      Last reviewed on {formatted}
    </p>;
};

## Data Processing Scope

Nextedy products process only the data that exists within Polarion. The scope is limited to:

* **Work item fields** — Reading and writing field values (e.g., risk ratings, requirements text, status)
* **Work item links** — Creating and querying traceability links between items
* **Document structure** — Rendering and organizing LiveDoc content
* **Configuration** — Reading project-level sheet and model configurations from the `.polarion/` directory

Nextedy products do **not**:

* Collect personally identifiable information (PII) beyond what Polarion already stores
* Create or maintain separate user databases or user profiles
* Transmit data to external services, analytics platforms, or third-party APIs
* Store data outside of Polarion's storage layer
* Track user behavior, usage patterns, or telemetry

## Personal Data in Polarion

Polarion stores user information as part of its standard operation (usernames, email addresses, role assignments, activity history). Nextedy products may read this data — for example, displaying the author of a work item or the assignee of a task — but only within the Polarion user interface and only for users who have permission to see it.

Nextedy products do not copy, export, or aggregate this personal data. The data remains in Polarion and is subject to Polarion's access control.

## GDPR Compliance

Because Nextedy products do not independently collect, store, or process personal data, GDPR compliance is managed at the Polarion platform level:

| GDPR Requirement                                         | How It Is Addressed                                                                                                                                                                            |
| -------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Lawful basis for processing**                          | Determined by the customer's Polarion deployment and data processing agreements                                                                                                                |
| **Data subject rights** (access, rectification, erasure) | Handled through Polarion's user management and data administration tools                                                                                                                       |
| **Data protection by design**                            | Nextedy's architecture ensures no additional PII processing beyond Polarion                                                                                                                    |
| **Data processing agreements**                           | Between the customer and Siemens (for Polarion X) or managed internally (for on-premise)                                                                                                       |
| **Data breach notification**                             | Covered by Nextedy's [incident management process](/overview/security-and-privacy/incident-management) for product-related issues; platform-level breaches handled by the infrastructure owner |

Nextedy does not act as an independent data controller or data processor. Each product operates as a component of the Polarion platform, which is governed by the customer's existing data protection framework.

## Data Residency

* **On-premise deployments** — The customer has full control over data residency. All Polarion data, including data managed by Nextedy products, resides on the customer's own infrastructure in the jurisdiction of their choice.
* **Polarion X deployments** — Data residency is determined by the Siemens Polarion X hosting region selected by the customer. Nextedy products do not influence or override the hosting region.

In both cases, no data is transmitted outside the Polarion environment by Nextedy products.

## No Third-Party Data Sharing

Nextedy products do not share data with any third party. There are no:

* Analytics or tracking integrations
* Advertising or marketing data flows
* External API calls from the products to non-Polarion services
* Telemetry or usage reporting to Nextedy servers

The products operate entirely within the Polarion server boundary.

<LastReviewed date="2026-07-08" />
