
Privacy Policy

Last updated: March 20, 2026

1. Data Controller

Nexus Automate AI, S.L. (NIF: B26956565), registered in Spain, is the data controller for personal data collected through this website. For data processed through our AI software platform on behalf of our clients, Nexus Automate acts as a data processor under a Data Processing Agreement (DPA). Contact: anshika@nexus-automate.com.

2. Data We Collect

We collect the following categories of personal data:

  • Contact information: Name, email address, company name, and message content submitted through our contact and demo request forms.
  • Newsletter subscriptions: Email address provided for our newsletter.
  • Usage data: Pages visited, time spent, browser type, device type, and referring URL collected through standard web analytics.
  • Cookies: Essential cookies for website functionality. No third-party advertising or tracking cookies are used.

3. Purpose and Legal Basis

We process personal data for the following purposes:

  • Responding to inquiries and demo requests — Legal basis: legitimate interest (Art. 6(1)(f) GDPR) and, where applicable, performance of pre-contractual measures (Art. 6(1)(b) GDPR).
  • Sending newsletter communications — Legal basis: consent (Art. 6(1)(a) GDPR). You may withdraw consent at any time.
  • Website analytics and improvement — Legal basis: legitimate interest (Art. 6(1)(f) GDPR).

4. AI Platform Data Processing

When our clients use the Nexus Automate platform, the following data processing occurs on their e-commerce customers' behalf:

  • Behavioral data: Page views, clicks, cart actions, and browsing patterns are processed in real time to deliver personalized engagement. Legal basis: legitimate interest of the client (Art. 6(1)(f) GDPR) or consent where required.
  • AI-powered decisions: Our system uses automated decision-making including profiling (Art. 22 GDPR) to recommend engagement strategies. Customers have the right to opt out of automated profiling and request human review of any AI decision.
  • Consent management: Our platform provides granular consent controls (analytics, profiling, AI engagement, marketing). No AI intervention occurs without appropriate consent.
  • Data subject rights: Our platform provides API endpoints for access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), and opting out of automated decisions (Art. 22). Requests are processed within 30 days.
  • PII protection: Personal data is automatically detected and stripped before being sent to any external AI provider. Customer behavioral data is pseudonymized in audit logs.
  • AI transparency: In compliance with the EU AI Act (Art. 50), all AI-generated messages are labeled as such, and customers can request a human-readable explanation of any AI decision made about them.
  • Data retention: Behavioral data is retained for 12 months. GDPR audit logs are retained for 36 months as required by AEPD. Strategy outcome data is retained for 36 months. Customers may request early deletion at any time.

For our platform, Nexus Automate acts as a data processor. Our clients (the data controllers) determine the legal basis for processing their customers' data. A Data Processing Agreement (DPA) governs this relationship.

5. Data Sharing and Subprocessors

We do not sell personal data. We may share data with the following processors:

  • Web3Forms: Form submission processing (EU).
  • Vercel: Website hosting (EU/US, SCCs in place).
  • DigitalOcean: Platform infrastructure hosting (EU — Frankfurt/Amsterdam data centers).
  • Google Vertex AI (Gemini): AI model inference for real-time decisions (US, SCCs in place). Only pseudonymized behavioral context is sent — never raw personal data.
  • Groq: Fallback AI model inference (US, SCCs in place). Same data minimization as above.
  • Moonshot AI (Kimi): Batch document processing only (China). No personal data is ever sent to this provider — all PII is automatically stripped before transmission. Used exclusively for product catalog processing and synthetic content generation.

We do not transfer identifiable personal data outside the European Economic Area without adequate safeguards (Standard Contractual Clauses or adequacy decisions). For AI providers outside the EU, we apply data minimization and PII stripping as additional technical safeguards.

6. Data Retention

Contact form submissions and demo requests are retained for up to 24 months or until the inquiry is resolved. Newsletter subscriptions are retained until you unsubscribe. Analytics data is retained in aggregated, anonymized form. Platform data retention periods are described in Section 4 above.

7. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Request erasure of your data
  • Restrict processing
  • Data portability
  • Object to processing
  • Withdraw consent at any time

To exercise any of these rights, contact us at anshika@nexus-automate.com.

8. Data Security

We implement appropriate technical and organizational measures to protect personal data, including encryption in transit (TLS/SSL) and secure hosting infrastructure.

9. Supervisory Authority

You have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD) at www.aepd.es.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date.

© 2026 Nexus Automate. All rights reserved.