NexusGrid, Inc. ("NexusGrid", "we", "us", or "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you access our website, web application, mobile apps, and APIs (collectively, the "Service"). We act as the data controller for personal information we collect, and your use of the Service is also governed by our Terms of Service. Please read this Privacy Policy in conjunction with our Terms.
1. Introduction & Scope
This Privacy Policy describes the types of information we collect when you use NexusGrid, how we use that information, with whom we share it, and the choices and controls you have over your data. We have designed our privacy practices to comply with the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.
By accessing or using the Service, you consent to the collection, use, and disclosure of your information as described in this Privacy Policy. If you do not agree with our practices, please do not use the Service. If you are a NexusGrid workspace administrator, you may have additional obligations under your agreement with us and applicable law.
2. Information We Collect
We collect several categories of information to provide and improve the Service:
Information you provide directly:
- Account information: Name, email address, password (hashed), and role when you create an account.
- Profile information: Job title, department, profile photo, phone number, and timezone.
- Workspace details: Organization name, billing address, and tax identification numbers.
- Customer Content: Any data, files, messages, or other content you upload, create, or store in the Service.
- Communications: Records of your support requests, feedback, and other correspondence with us.
Information collected automatically:
- Usage data: Pages visited, features used, time spent, click patterns, and search queries.
- Device information: IP address, browser type and version, operating system, screen resolution, and device identifiers.
- Log data: Server logs containing timestamps, request URLs, and HTTP status codes for security and debugging purposes.
- Location data: Approximate location derived from your IP address, never precise GPS coordinates.
3. How We Use Your Information
We use the information we collect for the following legitimate business purposes:
- To provide, operate, maintain, and improve the Service and its features;
- To create and manage your account, authenticate your identity, and enforce security controls;
- To process payments, issue invoices, and prevent fraudulent transactions;
- To communicate with you about product updates, security alerts, and policy changes;
- To monitor and analyze usage trends, performance metrics, and feature adoption;
- To detect, investigate, and prevent fraud, abuse, security incidents, and violations of our Terms;
- To comply with legal obligations, respond to lawful requests, and protect our rights and property;
- To provide customer support and respond to your inquiries and requests.
We process your information on the legal bases of contract performance, legitimate interests, legal compliance, and your consent where required. You may withdraw consent for optional processing at any time from your account settings.
4. How We Share Information
We do not sell your personal information. We share information only in the following limited circumstances:
- Service providers: Third parties that process data on our behalf, including cloud infrastructure (Amazon Web Services), payment processing (Stripe), email delivery (Postmark), error monitoring (Sentry), and analytics (PostHog). All providers are bound by data processing agreements.
- Within your workspace: Other members of your workspace may see information you share within the Service, including Customer Content and activity.
- Legal compliance: When required by law, court order, or government regulation, or to protect the rights, property, or safety of NexusGrid, our users, or others.
- Business transfers: In connection with a merger, acquisition, asset sale, or similar transaction, we may transfer information to the successor entity, subject to confidentiality obligations.
- Aggregated data: We may share anonymized, aggregated statistics that cannot identify individual users.
5. Cookies & Tracking Technologies
We use cookies and similar tracking technologies (collectively, "cookies") to operate and improve the Service. Cookies are small text files stored on your device. We use the following categories:
- Strictly necessary: Required for the Service to function (e.g., session authentication, load balancing). Cannot be disabled.
- Functional: Remember your preferences, such as theme, language, and last-viewed project.
- Analytics: Help us understand how the Service is used so we can improve performance and design.
- Marketing: Used to measure the effectiveness of campaigns and show relevant content. Opt-in only.
You can control cookies through your browser settings and our cookie preference center. Disabling strictly necessary cookies will prevent you from logging in or using the Service.
6. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. After account termination, we delete Customer Content within thirty (30) days, except for:
- Records needed to resolve disputes, enforce agreements, and comply with legal obligations (retained for up to seven (7) years);
- Backups that may contain residual copies of your data, which are deleted within ninety (90) days following termination;
- Aggregated and anonymized data that cannot be linked back to you.
When personal information is no longer needed for the purposes described in this policy, we delete it or render it anonymous.
7. Security Measures
We implement industry-standard technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction:
- Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256.
- Access controls: Role-based access with least-privilege defaults; all internal access is logged and reviewed monthly.
- Authentication: Multi-factor authentication is enforced for all internal systems and offered to all customers.
- Monitoring: 24/7 intrusion detection, anomaly detection, and automated alerting on suspicious activity.
- Audits: Annual SOC 2 Type II audits and penetration tests by independent third parties.
- Incident response: A documented incident response plan with notification to affected users within 72 hours of a confirmed breach.
No method of transmission over the internet is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
8. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you.
- Rectification: Request correction of inaccurate or incomplete information.
- Erasure: Request deletion of your personal information, subject to legal retention requirements.
- Restriction: Request that we limit processing of your information in certain circumstances.
- Portability: Receive your information in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests or for direct marketing.
- Withdrawal of consent: Withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
To exercise any of these rights, contact us at privacy@nexusgrid.io. We respond to verifiable requests within thirty (30) days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.
9. International Data Transfers
NexusGrid is based in the United States and processes data globally. If you access the Service from outside the United States, your information may be transferred to and processed in the United States or other countries where we or our service providers operate.
For transfers from the European Economic Area, the United Kingdom, and Switzerland, we rely on Standard Contractual Clauses approved by the European Commission, the UK Information Commissioner, and the Swiss Federal Data Protection and Information Commissioner. We have also implemented supplementary measures, including encryption and access controls, to ensure an adequate level of protection.
10. Children's Privacy
The Service is not directed to, and is not intended for use by, anyone under the age of sixteen (16). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us at privacy@nexusgrid.io, and we will promptly delete such information.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by email and by prominent notice within the Service at least thirty (30) days before the changes take effect.
We encourage you to review this policy periodically. The "Last updated" date at the top of this page indicates when the policy was last revised. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
12. Contact Information
If you have any questions, requests, or concerns about this Privacy Policy or our data practices, our Data Protection Officer is available at:
NexusGrid, Inc.
Attn: Data Protection Officer
548 Market Street, #62114
San Francisco, CA 94104
Email: privacy@nexusgrid.io
Phone: +1 (415) 555-0143
For EU residents, our representative under Article 27 of the GDPR can be reached at the same address. We aim to respond to all inquiries within thirty (30) days.
Exercise your privacy rights
To access, correct, delete, or export your personal information, email our Data Protection Officer at privacy@nexusgrid.io or use the privacy controls in your account settings.