1. Overview
VelocIT Systems LLC (“VelocIT,” “we,” “us,” or “our”) operates the NSite platform (the “Service”). This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and the rights you have over it.
“Customer” means the MSP or IT organisation that holds an NSite account. “End Client” means the Customer's own clients whose Windows environments are scanned using the Service. “You” means a Customer, an Authorized User of a Customer account, or a visitor to our marketing website.
2. Data we collect
Account data
When you sign up we collect your name, work email address, company name, and billing information (handled by Stripe — we never see raw card numbers).
Scan and assessment data
The NSite scanner collects data from Windows endpoints in End Client environments: hostname, IP address, OS version and patch level, user account names, security configuration state (firewall, BitLocker, AV status, etc.), and disk metadata. This data is uploaded to our servers and associated with the Customer's account.
Usage data
We log authenticated API requests (IP address, user-agent, timestamp, endpoint, response code). We use these logs for security monitoring, debugging, and to enforce rate limits. We retain raw access logs for up to 90 days.
Marketing-site data
When you visit velocitsystems.com we use Plausible Analytics — a cookie-free, privacy-preserving analytics tool. No personal identifiers are stored. We also collect any information you voluntarily submit via the contact form (name, company, email, phone, message).
3. How we use your data
- Provision and operate the Service under your subscription.
- Send transactional emails: scan completion notifications, report delivery, billing receipts, security alerts.
- Respond to support and sales enquiries submitted through the contact form.
- Detect, investigate, and prevent abuse, fraud, and security incidents.
- Improve and develop the Service using aggregate, de-identified usage patterns.
- Comply with legal obligations.
We do not use scan or assessment data for any purpose other than providing the Service to the Customer who collected it.
4. Sharing
We share personal data only with the sub-processors listed in Section 12, each bound by a data-processing agreement with us. We do not sell, rent, or trade personal data. We may disclose data if required by law or to protect our legal rights, and we will notify you of any such disclosure where permitted.
5. Retention
Customer account data is retained for the life of the subscription plus a 30-day export window after termination, followed by deletion within 60 days. Scan and assessment data follows the same schedule. Contact-form submissions are retained for up to 24 months. Raw access logs are retained for up to 90 days.
6. Security
All data in transit is protected by TLS 1.2+. Data at rest is encrypted with AES-256 using KMS-managed keys. Row-Level Security is enforced on every database table containing personal data. TOTP-based MFA is mandatory for all user accounts. We conduct annual third-party penetration tests and publish the summary under NDA on request.
7. Your rights
Depending on your jurisdiction you may have the right to access, correct, delete, or port your personal data, or to restrict or object to its processing. You may exercise these rights by emailing privacy@velocitsystems.com. We will respond within 30 days. If you are in the EEA, UK, or Switzerland, you also have the right to lodge a complaint with your local supervisory authority.
8. Cookies & analytics
The NSite application (app.velocitsystems.com) uses strictly necessary session cookies for authentication. No third-party tracking cookies are set. The marketing site (velocitsystems.com) uses Plausible Analytics, which is cookie-free and does not collect any personal identifiers.
9. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.
10. International transfers
VelocIT is based in Georgia, USA, and our primary data storage is in the US. Customers in the EEA, UK, or Switzerland should refer to our Data Processing Addendum, which incorporates the EU Standard Contractual Clauses and the UK Addendum, to understand the lawful basis for any cross-border data transfer.
11. Changes
We may update this Policy. Material changes will be posted on this page and communicated to Customer account owners by email at least 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance.
12. Subprocessors
| Subprocessor | Service | Region |
|---|---|---|
| Amazon Web Services / Supabase | Database, auth, file storage | US (us-east-1) |
| Vercel, Inc. | Application hosting | US, global edge |
| Stripe, Inc. | Payment processing | US, Ireland |
| Resend, Inc. | Transactional email | US |
| Functional Software (Sentry) | Error monitoring | US |
| Plausible Insights OÜ | Cookie-free site analytics | EU (Estonia) |
13. Contact
VelocIT Systems LLC
Georgia, USA
Privacy enquiries: privacy@velocitsystems.com
General: sales@velocitsystems.com