Data Protection Policy
Last updated: May 28, 2026
NxAi (Nexus AI Technologies Private Limited) takes data protection seriously. This Data Protection Policy describes our obligations and practices with respect to personal data under applicable data protection laws, including India's Digital Personal Data Protection Act 2023 (DPDP Act) and the European Union General Data Protection Regulation (GDPR) where applicable.
1. Our Commitment
We are committed to protecting the personal data of our customers, users, and the end-customers of businesses that use the NxAi platform. Data protection is not only a legal obligation for us — it is a core part of how we build and operate our product.
We operate as both a Data Controller (for data we collect about our own customers) and a Data Processor (for personal data that our business customers process using our platform, such as their end-customers' contact information).
2. Scope
This policy applies to:
- All personal data collected and processed by NxAi in connection with its website and platform.
- All employees, contractors, and third-party service providers who handle personal data on behalf of NxAi.
- All customers who use NxAi to process their own customers' personal data via the platform.
3. Data Protection Principles
We adhere to the following core data protection principles:
- Lawfulness, fairness, and transparency: We process personal data only on a valid legal basis and are transparent with individuals about how their data is used.
- Purpose limitation: We collect data for specified, explicit, and legitimate purposes and do not process it in ways incompatible with those purposes.
- Data minimisation: We collect only the personal data that is necessary for the stated purpose.
- Accuracy: We take reasonable steps to keep personal data accurate and up to date.
- Storage limitation: We do not retain personal data for longer than necessary.
- Integrity and confidentiality: We process personal data with appropriate security measures to protect against unauthorised access, loss, or destruction.
- Accountability: We are responsible for demonstrating compliance with these principles.
4. Lawful Basis for Processing
We rely on the following lawful bases for processing personal data:
- Contract: Processing is necessary to perform the contract we have with you (for example, to provide platform access and billing services).
- Consent: Where you have given explicit consent (for example, for marketing emails or non-essential cookies).
- Legitimate interests: Where processing is necessary for our legitimate interests (such as security monitoring, fraud prevention, and product improvement), provided those interests are not overridden by your rights.
- Legal obligation: Where processing is required by law (for example, tax records and regulatory reporting).
5. Types of Personal Data We Process
As a Data Controller (our own customers):
- Identity data: name, company name, job title.
- Contact data: email address, phone number.
- Billing data: payment method details (handled via our payment processor).
- Technical data: IP address, browser type, session logs.
- Usage data: platform features used, campaign activity, support history.
As a Data Processor (our customers' end-customers):
- Phone numbers and names of WhatsApp contacts imported or collected via NxAi.
- Message content and conversation history.
- Custom field data added by the business customer.
As a Data Processor, we process this data only on documented instructions from our customers (the Data Controllers) and not for our own purposes.
6. International Data Transfers
NxAi's primary infrastructure is hosted in India. Some of our third-party service providers may process data in other countries. Where such transfers occur, we ensure appropriate safeguards are in place, including standard contractual clauses or equivalent transfer mechanisms recognised under applicable law.
WhatsApp messages sent via NxAi are routed through Meta's WhatsApp Business API infrastructure, which operates globally. Meta's own data transfer policies and safeguards apply to that portion of data processing.
7. Sub-Processors
We use carefully selected sub-processors to deliver our services. All sub-processors are contractually required to handle personal data securely, follow our data protection instructions, and comply with applicable data protection laws. Our key sub-processor categories include:
- Cloud infrastructure provider (hosting and storage)
- Payment processing provider
- Email delivery provider (transactional notifications)
- Customer support tool
- Analytics provider
Customers who require a full list of current sub-processors may request it at dpo@nxai.in.
8. Security Measures
NxAi implements technical and organisational measures to protect personal data, including:
- TLS encryption for all data in transit.
- Encryption at rest for databases containing personal data.
- Access controls based on the principle of least privilege.
- Multi-factor authentication for internal systems.
- Regular penetration testing and security reviews.
- Employee data protection training and confidentiality obligations.
- Documented incident response and business continuity procedures.
9. Data Subject Rights
Individuals whose personal data we process as a Data Controller have the following rights:
- Right to access: Request a copy of personal data we hold about you.
- Right to correction: Request corrections to inaccurate data.
- Right to erasure: Request deletion of personal data where there is no legal basis to retain it.
- Right to restrict processing: Request that we limit how we use your data in certain circumstances.
- Right to data portability: Receive your personal data in a structured, machine-readable format.
- Right to object: Object to processing based on legitimate interests or for marketing purposes.
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
Submit data subject rights requests to privacy@nxai.in. We will respond within 30 days. Where requests relate to end-customer data processed by our business customers, we will direct you to the relevant Data Controller.
10. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will:
- Notify affected customers within 72 hours of becoming aware of the breach where required by applicable law.
- Notify affected individuals where the breach is likely to result in a high risk to their rights.
- Document the breach, its impact, and the steps taken to address it.
To report a potential security issue, email security@nxai.in.
11. Data Protection Officer
NxAi has designated a Data Protection Officer (DPO) to oversee our data protection compliance programme. The DPO is responsible for monitoring compliance with this policy, managing data subject rights requests, and acting as the primary point of contact for data protection authorities.
Contact our DPO at dpo@nxai.in.
12. Contact Us
If you have any questions about our data protection practices, please contact us:
NxAi (Nexus AI Technologies Private Limited)
DPO Email: dpo@nxai.in
General: privacy@nxai.in
Website: www.nxai.in