1. Who We Are (Data Controller)
NexusAD AI (referred to as "we", "us", or "the Company") is the data controller responsible for your personal data. We are based in the United Arab Emirates.
- Company Name: NexusAD AI
- Data Protection Officer (DPO): privacy@nexusad.ai
- Address: United Arab Emirates
2. Information We Collect
We collect information you provide directly to us, including:
- Account information: Name, email, company (optional), phone (optional)
- Usage data: AI queries, preferences, conversation history
- Technical information: Device type, IP address (hashed), browser type
- Vault documents: Files you upload to your secure vault
- Billing data: Processed by third-party payment providers (we do not store card data)
3. Legal Basis for Processing
We process your data based on the following legal grounds:
- Contract performance: To provide our services to you
- Consent: For analytics cookies and marketing communications
- Legitimate interest: To improve our services and ensure security
- Legal obligation: To comply with applicable laws and regulations
4. How We Use Your Information
We use your information to:
- Provide and improve our AI services
- Personalize your experience and preferences
- Communicate with you about the service and updates
- Ensure security and prevent fraud
- Process billing and payments
- Analyze usage to improve the service (with your consent only)
5. Data Security
We employ advanced security measures to protect your data:
- Encryption: AES-256-GCM for all stored and transmitted data
- Distribution: Your data is split and stored across multiple UAE nodes
- TLS 1.3: All communications encrypted in transit
- Access controls: Role-based permissions with audit logging
- Encryption keys: Generated locally on your device; we never see your private key
6. Data Retention
We retain your data according to the following periods:
- Account data: As long as your account is active, plus 30 days after deletion
- Conversation history: Per your plan (30-365 days)
- Vault documents: Until you delete them
- Audit logs: 90 days
- Billing data: 7 years (legal obligation)
- Backups: Purged within 30 days of account deletion
7. Your Rights
Under data protection laws (GDPR/PDPL), you have the right to:
- Access: Request a copy of your data
- Rectification: Correct inaccurate data
- Erasure: Delete your account and all your data
- Portability: Export your data in machine-readable format (JSON, CSV)
- Restrict processing: Limit how we process your data
- Object: Object to processing based on legitimate interest
- Withdraw consent: Withdraw your consent at any time
To exercise these rights, visit Settings or contact us at privacy@nexusad.ai. We will respond within 30 days.
8. Third-Party Data Sharing
We share your data with the following categories only:
- AI providers: Queries are split and privacy-scrubbed before being sent; no single provider receives more than 24% of any query
- Vercel: Application hosting and analytics (with your consent only)
- Payment processors: Stripe for payment processing
We never sell your data. We do not share your data for advertising purposes.
9. International Data Transfers
All your data is stored in UAE data centers. When queries are sent to AI providers, personal information is removed first. For any international data transfer, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs): Executed with all AI providers and sub-processors outside the UAE
- Adequacy decisions: Where the receiving jurisdiction has been recognized as providing adequate data protection
- Data minimization: PII is stripped before any cross-border transfer; no single provider receives more than 24% of any query
- UAE PDPL compliance: All transfers comply with UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection
10. Cookies
We use the following types of cookies:
- Essential (required): Session, CSRF, language preference -- cannot be disabled
- Analytics (optional): Vercel Analytics -- requires your explicit consent
- Functional (optional): Theme and display preferences
You can manage your cookie preferences at any time via the consent banner.
11. Children's Privacy
Our services are not directed to children under the age of 16. We do not knowingly collect personal information from anyone under this age. If we discover that we have collected data from a child, we will delete it immediately.
12. Data Breach Procedures
In the event of a data breach:
- We will notify the relevant supervisory authority within 72 hours
- We will notify affected users without undue delay
- We will provide details about the nature of the breach and actions taken
- We will document all incidents in internal audit logs
13. Changes to This Policy
We may update this policy from time to time. We will notify you of any material changes via email and/or a prominent notice in the service at least 30 days before the changes take effect.
14. Contact Us
For any questions about this Privacy Policy or to exercise your rights:
- Email: privacy@nexusad.ai
- Data Protection Officer: dpo@nexusad.ai
You have the right to lodge a complaint with a supervisory data protection authority if you believe your data has not been processed correctly.