Privacy Policy
Effective date: May 5, 2026
1. Introduction
NexonTech ("we," "us," or "our") operates the platform at nexontech.org. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our Service.
We are committed to protecting your privacy and complying with applicable data protection regulations, including the General Data Protection Regulation (GDPR).
2. Data We Collect
2.1 Account Information
When you create an account, we collect:
- Name
- Email address
- Password (stored as a bcrypt hash — we never store plaintext passwords)
- Google account ID (if you sign in with Google)
2.2 Content You Provide
When you use the platform, we store:
- AI agent configurations (name, instructions, welcome message)
- Documents you upload to agent knowledge bases
- Conversation logs between your AI agents and end users
2.3 Usage Data
We automatically collect:
- Pages visited and features used
- Browser type, device type, and operating system
- Referring URL and session duration
- IP address (for rate limiting and security)
- Anonymous visitor identifier (stored in your browser's local storage)
2.4 Contact and Communication Data
When you contact us or subscribe to our newsletter, we collect:
- Email address
- Message content and topic
- Preferred language
2.5 Demo Data
When you use our interactive demo, we store your chatbot configuration and conversation messages for the duration of the demo session.
2.6 B2B Outreach Contact Data
Separately from the Service, NexonTech conducts limited cold outreach to businesses we believe would benefit from our chatbot platform. For this activity we collect, from public sources only:
- Business name and website URL
- Role-based or publicly published business email addresses (e.g. contact@, info@, named addresses listed on the company's public contact page)
- The decision-maker's name and public job title where listed
- The country and language of the business website
Sources we use: the company's own public website, public business registries (such as idno.md and termene.ro), public LinkedIn company pages, and official press releases. We do not purchase contact lists, scrape content behind a login, or process consumer / private email addresses.
We do not collect special categories of personal data (health, political opinions, religious beliefs, biometric data, etc.) for outreach purposes under any circumstances.
3. How We Use Your Data
We use your personal data to:
- Provide and maintain the Service, including account management and authentication
- Process and store your AI agent configurations and knowledge bases
- Enable conversations between your AI agents and end users
- Send transactional emails (welcome emails, password resets)
- Respond to your inquiries and support requests
- Analyze usage patterns to improve the Service
- Detect, prevent, and address security issues and abuse
- Comply with legal obligations
We do not sell your personal data to third parties. We do not use your uploaded documents or conversation data to train AI models.
For B2B outreach contact data (§2.6): we use this data solely to send occasional cold email introducing our chatbot product to businesses that fit our ideal customer profile, via the dedicated outbound subdomain eu.nexontech.org (sender: petru@eu.nexontech.org). Volume is capped (no more than 25 messages per day across the program; no more than three messages to any one address per 90-day period). We do not share this data with third parties for marketing, do not enrich it with consumer data, and do not use it for automated decision-making or profiling that produces legal effects.
4. Legal Basis for Processing (GDPR)
We process your personal data on the following legal bases:
- Contract performance: Processing necessary to provide the Service you signed up for (account management, agent hosting, conversation processing)
- Legitimate interest: Analytics, security monitoring, and service improvement
- Consent: Newsletter subscriptions and optional cookies
- Legal obligation: Where required by applicable law
- Legitimate interest for B2B outreach (Art. 6(1)(f)): sending limited cold email to businesses that fit our customer profile. This processing is documented in an internal balancing memo (purpose, necessity, balancing, safeguards) which is available on request to a supervisory authority. The interest is balanced against your rights by sourcing data only from public business sources, capping volume, honouring one-click opt-outs, retaining data for no more than 12 months from last contact, and never processing special-category data
Your right to object to direct marketing is absolute. If you object to our use of your business contact data for outreach, we stop immediately and add your address to a permanent suppression list. See §9.
5. Cookies and Tracking
We use the following cookies and similar technologies:
- Session cookie (session) — HTTP-only, secure cookie containing your authentication token. Essential for staying logged in. Expires after 7 days.
- OAuth state cookie (oauth_state) — Temporary cookie used during Google sign-in to prevent cross-site request forgery. Expires after 10 minutes.
- Language preference — Stored in your browser's local storage to remember your selected language.
- Visitor identifier — A random anonymous ID stored in local storage for analytics. Not linked to your account or personal identity.
We use Umami for privacy-focused web analytics. Umami does not use cookies, does not track users across websites, and does not collect personally identifiable information. Analytics data is self-hosted on our own servers.
6. Third-Party Services
We share data with the following third-party services as necessary to operate the platform:
- Google OAuth (Google LLC) — When you sign in with Google, we receive your name, email, and Google account ID. See Google's Privacy Policy.
- Sentry (Functional Software Inc.) — Error tracking and performance monitoring. May receive anonymized error reports including browser type and page URL. See Sentry's Privacy Policy.
- Resend or SendGrid — Email delivery for transactional messages (welcome emails, password resets). Your email address is shared with the active email provider.
- Hetzner (Hetzner Online GmbH) — Cloud infrastructure provider. All data is stored on servers located in the European Union. See Hetzner's Privacy Policy.
- Resend (Resend, Inc.) — Email delivery for transactional messages and the cold-outreach motion described in §2.6. Recipient email address, subject, and body are processed by Resend solely to deliver the message. See Resend's Privacy Policy.
7. Data Storage and Security
Your data is stored on servers in the European Union (Hetzner, Germany/Finland). We implement appropriate security measures including:
- Encryption in transit (HTTPS/TLS for all connections)
- Secure password hashing (bcrypt with salt rounds)
- HTTP-only, secure session cookies
- Rate limiting on authentication endpoints
- CSRF protection for OAuth flows
- Role-based access controls for data isolation between customers
8. Data Retention
- Account data: Retained as long as your account is active. Deleted upon account deletion, subject to any legal retention requirements.
- Agent data and conversations: Retained as long as your account is active. Deleted when you delete an agent or your account.
- Demo sessions: Automatically expire and are deleted after 24 hours.
- Analytics data: Aggregated and anonymized. Retained indefinitely in anonymized form.
- Password reset tokens: Expire after 1 hour and are marked as used.
- B2B outreach contact data (§2.6): retained for at most 12 months from the last successful contact, then automatically purged. Suppression-list entries (addresses that have opted out) are retained indefinitely for the sole purpose of honouring those opt-outs.
9. Your Rights (GDPR)
If you are in the European Economic Area, you have the right to:
- Access — Request a copy of the personal data we hold about you
- Rectification — Request correction of inaccurate personal data
- Erasure — Request deletion of your personal data ("right to be forgotten")
- Data portability — Request your data in a structured, machine-readable format
- Restriction — Request that we limit processing of your data
- Objection — Object to processing based on legitimate interest
- Withdraw consent — Where processing is based on consent, you may withdraw it at any time
To exercise any of these rights, contact us at support@nexontech.org. We will respond within 30 days.
If you received a cold-outreach email from us (see §2.6) and want it to stop, you can:
- Click the one-click unsubscribe link at the bottom of the message (RFC 8058 list-unsubscribe is also supported, so most mail clients let you unsubscribe directly from the email header)
- Reply to the email with the word STOP or unsubscribe
- Email support@nexontech.org and ask us to remove your address
Opt-out is honoured within 24 hours. The address is then permanently added to our suppression list and will not be contacted again, regardless of the source it came from. You do not have to give a reason; the right to object to direct marketing is absolute under GDPR Art. 21(2).
10. Children's Privacy
The Service is not directed to children under 18. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will take steps to delete it promptly.
11. International Data Transfers
Your data is primarily stored within the European Union. Some third-party services (Google, Sentry) may process data in the United States. Where data is transferred outside the EU, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised effective date. We encourage you to review this page periodically.
13. Contact
For questions about this Privacy Policy or to exercise your data rights, contact us at support@nexontech.org or through our contact page.