Records of Processing Activities
Article 30 GDPR | Last updated: March 2026
Controller/Processor: Nexus Automate AI, S.L. (NIF: B26956565)
Contact: anshika@nexus-automate.com
Supervisory Authority: Agencia Española de Protección de Datos (AEPD)
The following records document all processing activities carried out by Nexus Automate, both as a data controller (for its own operations) and as a data processor (on behalf of clients).
Processing Activity 1: Website Contact & Demo Requests
| Role | Controller |
| Purpose | Responding to inquiries, scheduling demos, pre-contractual communications |
| Legal Basis | Art. 6(1)(b) pre-contractual measures; Art. 6(1)(f) legitimate interest |
| Data Subjects | Prospective clients, website visitors |
| Data Categories | Name, email, company name, message content |
| Recipients | Web3Forms (form processor), Google Workspace (email) |
| Transfers | EU only |
| Retention | 24 months or until inquiry resolved |
| Security | TLS encryption, access controls |
Processing Activity 2: Website Analytics
| Role | Controller |
| Purpose | Website performance analysis, user experience improvement |
| Legal Basis | Art. 6(1)(f) legitimate interest |
| Data Subjects | Website visitors |
| Data Categories | Pages visited, time on site, browser type, device type, referring URL |
| Recipients | Vercel (hosting analytics) |
| Transfers | EU/US (SCCs in place with Vercel) |
| Retention | Aggregated/anonymized (indefinite) |
| Security | TLS encryption, no advertising cookies |
Processing Activity 3: Platform — Behavioral Analytics
| Role | Processor (on behalf of client/Controller) |
| Purpose | Real-time behavioral analysis, customer segmentation, personalized engagement |
| Legal Basis | Determined by Controller; typically Art. 6(1)(f) legitimate interest or Art. 6(1)(a) consent |
| Data Subjects | End customers of the Controller’s e-commerce platform |
| Data Categories | Pseudonymized visitor IDs, page views, clicks, cart actions, browsing patterns, transaction data (no payment cards), device/browser metadata, consent preferences |
| Recipients | DigitalOcean (infrastructure), Google Vertex AI (inference — pseudonymized only), Groq (fallback inference — pseudonymized only) |
| Transfers | EU primary (DigitalOcean Frankfurt/Amsterdam); US for AI inference (SCCs + PII stripping) |
| Retention | Behavioral data: 12 months. Audit logs: 36 months. Strategy outcomes: 36 months. |
| Security | TLS 1.2+, AES-256 at rest, automatic PII stripping, pseudonymization, RBAC, Docker isolation, UFW firewall |
| Automated Decisions | Yes — profiling for engagement (Art. 22 GDPR). Opt-out and human review available. |
Processing Activity 4: Platform — AI Customer Support (RAG)
| Role | Processor (on behalf of client/Controller) |
| Purpose | Automated customer support via RAG pipeline, knowledge retrieval, chat responses |
| Legal Basis | Determined by Controller; typically Art. 6(1)(b) contract performance or Art. 6(1)(f) legitimate interest |
| Data Subjects | End customers of the Controller interacting with chat support |
| Data Categories | Chat messages, session context, pseudonymized user IDs |
| Recipients | DigitalOcean (infrastructure), Google Vertex AI (LLM inference — PII stripped), Groq (fallback — PII stripped) |
| Transfers | EU primary; US for LLM inference (SCCs + automatic PII stripping before transmission) |
| Retention | Chat logs: 12 months. Audit records: 36 months. |
| Security | TLS 1.2+, automatic PII detection and stripping, pseudonymization, semantic caching (no PII cached), AI disclosure labeling (EU AI Act Art. 50) |
Processing Activity 5: Platform — Batch Document Processing
| Role | Processor (on behalf of client/Controller) |
| Purpose | Product catalog ingestion, content enrichment, knowledge base construction |
| Legal Basis | Art. 6(1)(b) contract performance (platform onboarding) |
| Data Subjects | None (no personal data processed) |
| Data Categories | Product descriptions, catalog metadata, brand content, FAQ documents. No personal data. |
| Recipients | Moonshot AI / Kimi (batch LLM processing — no personal data sent) |
| Transfers | China (Moonshot AI) — no personal data transferred |
| Retention | Processed content retained for duration of Agreement |
| Security | TLS encryption, strict data segregation, no personal data in pipeline |
Processing Activity 6: Platform — GDPR Compliance Operations
| Role | Processor (on behalf of client/Controller) |
| Purpose | Managing consent records, processing data subject requests (access, erasure, portability, objection), maintaining audit trails |
| Legal Basis | Art. 6(1)(c) legal obligation (GDPR compliance) |
| Data Subjects | End customers exercising GDPR rights |
| Data Categories | Consent timestamps, consent categories, data subject request records, pseudonymized audit logs |
| Recipients | DigitalOcean (infrastructure) — no external transfers |
| Transfers | EU only (Frankfurt/Amsterdam) |
| Retention | Consent records and GDPR audit logs: 36 months (as required by AEPD guidance) |
| Security | TLS 1.2+, AES-256 at rest, RBAC, immutable audit log entries, Docker isolation |