Last updated: 2025.08.13

---

1. Introduction

Gradion is the new brand identity of NFQ Asia and NFQ Solutions.
NFQ Asia includes NFQ Asia Pte. Ltd. (Singapore HQ) and subsidiaries in Vietnam, Thailand, and Egypt, while NFQ Solutions GmbH is based in Germany.
Although we operate under the Gradion brand, “NFQ” remains the official registered name for legal purposes until local entities are updated.

This Privacy Notice explains how we collect, use, and protect your personal data when you visit our global website (gradion.com), in compliance with:

• General Data Protection Regulation (EU) 2016/679 (“GDPR”)
  
  
• German Telecommunications Telemedia Data Protection Act (TTDSG)
  
  
• Singapore Personal Data Protection Act 2012 (“PDPA Singapore”)
  
  
• Thailand Personal Data Protection Act B.E. 2562 (2019) (“PDPA Thailand”)
  
  
• Vietnam Decree No. 13/2023/ND-CP on Personal Data Protection (“Vietnam PDPD”)
  
  
• Other applicable laws in the countries where we operate or where our users are located.
  
  

Where a local law offers stricter protection than GDPR, the stricter protection will apply.

---

2. Data Controllers & Contact Details

For visitors in Asia, Middle East, and Africa:

• NFQ Asia Pte. Ltd. – 77 High Street, #09-11 High Street Plaza, Singapore 179433 – privacy@gradion.com
  
  
• NFQ Vietnam Ltd. – Saigon Pearl, Sapphire 2, 92 Nguyen Huu Canh, Ho Chi Minh City, Vietnam – privacy@gradion.com
  
  
• NFQ (Thailand) Co., Ltd. – 7 Summer Point Building, Level 2, Suite 12, Bangkok 10110, Thailand – privacy@gradion.com
  
  
• NFQ MENA (Egypt) – 57 Abbas El-Akaad, Nasr City, Cairo, Egypt – privacy@gradion.com
  
  

For visitors in Germany & the EU:

• NFQ Solutions GmbH – Deliusstraße 7, 24114 Kiel, Germany – privacy@gradion.com
  
  

Data Protection Officer (DPO) for GDPR and PDPA: privacy@gradion.com

---

3. Data We Collect

Identity & Contact Information: name, job title, company, email, phone number

Technical Data: IP address, browser type, device info, cookie IDs

Usage Data: pages visited, session duration, navigation patterns

Marketing Preferences & Consent Records

Information from Forms:

• Contact forms
  
  
• Event registrations
  
  
• Newsletter subscriptions
  
  
• Job applications (via Lever)
  
  
• Download requests
  
  

---

4. How We Collect Data

• Directly from you (forms, calls, event registrations, newsletter sign-ups, job applications)
  
  
• Automatically via cookies and tracking tools (see Section 9)
  
  
• From public business sources (e.g., LinkedIn)
  
  

---

5. What Do We Mean by ‘Legal Basis’?

Under Article 6 GDPR and equivalent provisions in PDPA Singapore, PDPA Thailand, and Vietnam PDPD, we process your personal data on one or more of the following bases:

1. Consent (Art. 6(1)(a) GDPR) – You have given us your consent for a specific purpose. You may withdraw it at any time without affecting prior processing.
   
   
2. Contract (Art. 6(1)(b) GDPR) – Processing is necessary for a contract with you or to take steps before entering into a contract.
   
   
3. Legal Obligation (Art. 6(1)(c) GDPR) – Processing is necessary to comply with legal requirements.
   
   
4. Vital Interests (Art. 6(1)(d) GDPR) – Processing is necessary to protect your or another person’s vital interests.
   
   
5. Public Task (Art. 6(1)(e) GDPR) – Processing is necessary for a public interest task or official authority.
   
   
6. Legitimate Interests (Art. 6(1)(f) GDPR) – Processing is necessary for our or a third party’s legitimate interests, provided they are not overridden by your rights.
   
   

Note: If your data is processed under a contract or legal obligation and you do not provide it, we may be unable to provide the requested service.

---

6. Purposes of Processing

Purpose	Example	Legal Basis
Respond to inquiries	Contact form replies	Contract, Consent
Provide services	Consulting engagement	Contract
Manage job applications	Lever job portal	Consent, Contract
Send marketing	Newsletter	Consent
Register for events	Event registration forms	Consent, Contract
Analyze performance	Google Analytics	Consent
Security & fraud prevention	Log file analysis	Legitimate Interests
Legal compliance	Tax & audit	Legal Obligation

---

7. Data Storage & Transfers

• We store data in HubSpot (hosting, CRM, forms, marketing automation).
  
  
• Job applications are processed via Lever.
  
  
• Cross-border transfers comply with:
  
  
  • GDPR: Standard Contractual Clauses (SCCs), EU–US Data Privacy Framework (if applicable)
    
    
  • Singapore PDPA: Transfer Limitation Obligation
    
    
  • Thailand PDPA: Security assessments
    
    
  • Vietnam PDPD: Cross-border Data Processing Impact Assessment & notification requirements

---

8. Third-Party Tools

Some personal data is processed by trusted third parties:

• HubSpot – hosting, forms, CRM, marketing automation
  
  
• Lever – job applications and recruitment process
  
  
• Google Ads / Google Analytics – analytics & advertising
  
  
• Usercentrics – consent management platform
  
  

Each provider processes data according to their own privacy policy and retention periods. We do not control their internal retention schedules. For more information, see their privacy policies:

• Usercentrics Privacy Policy
  
  
• HubSpot Privacy Policy
  
  
• Lever Privacy Policy
  
  
• Google Privacy Policy

---

9. Cookies & Tracking

This website uses the Usercentrics Consent Management Platform to obtain and record your cookie preferences in compliance with:

• GDPR (EU Regulation 2016/679)
  
  
• TTDSG (Germany)
  
  
• PDPA Singapore (Personal Data Protection Act 2012)
  
  
• PDPA Thailand (B.E. 2562 / 2019)
  
  
• Vietnam Decree 13/2023/ND-CP on Personal Data Protection
  
  

Our Usercentrics configuration is set to the GDPR framework, which meets or exceeds the consent requirements of the above laws.

Cookies are used for:

• Essential site functionality
  
  
• Analytics (e.g., HubSpot, Google Analytics)
  
  
• Marketing & remarketing purposes
  
  

You can withdraw or change your consent at any time via the “Cookie Settings” link in the page footer.

For details about cookies used, their purpose, and lifespan, see the cookie list displayed within the Usercentrics consent banner when you visit this site.

 

---

10. Retention

• Inquiries: 24 months after last contact
  
  
• Marketing: Until consent withdrawn or after 24 months inactivity
  
  
• Job applications: Up to 24 months after application closure, unless law requires longer retention
  
  
• Event registration data: 24 months after event end
  
  
• Legal records: Up to 10 years where required by law
  
  

Note: Third parties such as HubSpot, Lever, and Google may retain certain data according to their own legal obligations. See their privacy policies for details.

---

11. Your Rights

GDPR & TTDSG (EU/Germany)

• Right of Access (Art. 15 GDPR) – Confirm if we process your data and access it.
  
  
• Right to Rectification (Art. 16 GDPR) – Correct inaccurate or incomplete data without undue delay.
  
  
• Right to Erasure (Art. 17 GDPR) – Delete your data in certain cases (e.g., consent withdrawn).
  
  
• Right to Restrict Processing (Art. 18 GDPR) – Restrict processing under specific conditions.
  
  
• Right to Data Portability (Art. 20 GDPR) – Receive your data in a machine-readable format.
  
  
• Right to Object (Art. 21 GDPR) – Object to processing based on legitimate interests or for marketing.
  
  
• Right to Withdraw Consent (Art. 7(3) GDPR) – Withdraw consent at any time.
  
  

Singapore PDPA

• Access Right (Section 21) – Access your personal data and learn how it has been used/disclosed.
  
  
• Correction Right (Section 22) – Request corrections to your personal data.
  
  
• Withdrawal of Consent (Section 16) – Withdraw consent at any time, with reasonable notice.
  
  

Thailand PDPA

• Right to Access (Section 30) – Access your personal data.
  
  
• Right to Rectification (Section 31) – Correct inaccurate/incomplete data.
  
  
• Right to Erasure (Section 33) – Request deletion/destruction of personal data.
  
  
• Right to Data Portability (Section 36) – Obtain and reuse your data across services.
  
  
• Right to Object (Section 32) – Object to certain processing.
  
  
• Right to Withdraw Consent (Section 19) – Withdraw consent at any time.
  
  

Vietnam PDPD (Decree 13)

• Right to Know (Article 9) – Be informed about data processing activities.
  
  
• Right to Consent/Withdraw (Article 11) – Give or withdraw consent at any time.
  
  
• Right to Access (Article 13) – Access personal data held about you.
  
  
• Right to Correction (Article 14) – Request correction of inaccurate data.
  
  
• Right to Deletion (Article 15) – Request deletion in certain cases.
  
  
• Right to Restrict Processing (Article 16) – Request restrictions under specific circumstances.
  
  

---

12. Exercising Your Rights

Email: privacy@gradion.com – We will respond within the timelines required by applicable law.

---

13. Security

Encryption, access control, and monitoring to protect your data.

---

14. Changes

We may update this notice and post the revision date.