Privacy Policy
Last updated: April 6, 2026
This Privacy Policy explains how Nexus HQ, operated by [LEGAL ENTITY NAME] (“we”, “us”, or “our”), collects, uses, stores, shares, and protects personal data when you use our AI marketing command-center platform (the “Service”). We are committed to protecting your privacy and handling your data in compliance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”) of India and other applicable laws.
Introduction
Nexus HQ is an AI-powered advertising platform built for Indian businesses. We provide six AI agents that help you plan, launch, and optimise ad campaigns across Meta, Google, and TikTok. This Policy covers personal data processed in connection with the Service, including data about our customers, their team members, and end-user data that flows through our Service from connected ad platforms.
For DPDP purposes, where you are a customer using Nexus HQ to run ad campaigns, you are generally the Data Fiduciary (controller) of personal data about your end users, and Nexus HQ acts as a Data Processor on your instructions. Where we process personal data about you directly (e.g., your account information), we act as Data Fiduciary.
Information We Collect
Account information
When you sign up for Nexus HQ, we collect your name, email address, password (hashed), organisation name, country, phone number (optional), role, and profile photo (optional). If you sign in with a third-party identity provider, we receive basic profile information from that provider.
Ad-platform data
When you connect a Meta, Google, or TikTok ad account via OAuth, we receive access tokens and the data required to manage your campaigns. This includes campaign structures, ad sets, ads, creatives, targeting settings, performance metrics, budgets, audiences, and spend data. We do not receive your login password for those platforms.
Usage data
We collect information about how you interact with the Service, including pages viewed, features used, buttons clicked, actions performed, timestamps, IP address (truncated for analytics), device and browser type, and approximate location (derived from IP).
Payment information
Payments are processed by Razorpay. We receive limited information about each transaction (such as amount, status, masked card fingerprint, UPI handle hash, and invoice ID). We never see or store your full card number, CVV, or bank credentials.
AI processing data
When you use AI features, we process the prompts, inputs, and outputs associated with each AI call, the AI model used, the token counts, and the latency. We store a summary of these calls for auditing, debugging, cost tracking, and safety monitoring.
Support and communications
If you contact us for support, we retain your messages, attachments, and contact details so we can respond and improve our support quality.
How We Use Information
- Provide the Service: to authenticate you, display your dashboards, run AI agents, communicate with ad platforms, send notifications, and process billing;
- Improve the product: to understand how features are used, diagnose bugs, monitor performance, and plan new features;
- Train internal models (opt-out): we may use anonymised and aggregated usage data to tune internal routing, prompts, and evaluation sets. You may opt out of this use at any time from your workspace privacy settings. We do not use customer prompts to train public third-party models;
- Billing and support: to bill you, send invoices and receipts, handle disputes, and respond to support requests;
- Security and fraud prevention: to detect abuse, prevent fraud, enforce our Terms, and protect our systems and users;
- Legal compliance: to comply with applicable laws, respond to lawful requests from authorities, and enforce our rights.
How We Share Information
We share personal data only with service providers who help us run the Service, and only to the extent required for their role. We do not sell personal data to advertisers or data brokers.
Third-party AI providers
Depending on the task, workspace settings, and model routing, we may send prompts and structured data to the following AI providers:
- Anthropic (Claude models) — reasoning, planning, and writing;
- OpenAI — selected tasks and fall-back;
- Google (Gemini) — selected tasks;
- Groq, Cerebras, DeepSeek, Mistral — fast inference for lower-risk tasks;
- OpenRouter — provider routing.
These providers process data on a short-lived basis per call. Where they offer zero-retention or enterprise data-handling controls, we enable them. We do not grant these providers the right to use customer content to train their public models.
Other service providers
- Supabase — database and authentication (Mumbai, ap-south-1 region);
- Vercel — application hosting and edge compute (Mumbai region primary);
- Razorpay — payment processing;
- Resend — transactional email delivery;
- AiSensy — WhatsApp Business messaging (where enabled by the customer).
Legal disclosures
We may disclose personal data if required to do so by law, court order, subpoena, or other valid legal process, or if we reasonably believe disclosure is necessary to protect our rights, your safety, or the safety of others.
Corporate transactions
If Nexus HQ is involved in a merger, acquisition, financing, or sale of assets, personal data may be transferred as part of that transaction, subject to standard confidentiality and continued protection under this Policy.
Data Retention
We retain personal data for as long as your account is active and for a reasonable period thereafter in case you reactivate or need records. Specifically:
- Active account data: retained for the life of the account;
- After deletion: personal data is deleted or anonymised within 90 days of account closure, except where longer retention is required by law (for example, tax and accounting records, which we may retain for up to 7 years as required by Indian law);
- Audit logs and security logs: retained for up to 12 months in identifiable form;
- Aggregated/anonymised data: may be retained indefinitely as it no longer identifies you.
Your Rights under the DPDP Act 2023
As a Data Principal under the DPDP Act, you have the following rights with respect to personal data we process about you:
- Right to access: request a summary of the personal data we process about you and the identities of third parties with whom it has been shared;
- Right to correction: request correction of inaccurate or misleading personal data and updating of incomplete data;
- Right to erasure: request deletion of personal data that is no longer necessary for the purpose for which it was collected;
- Right to grievance redressal: raise a complaint with our Grievance Officer (see Section 12) about how your data is being processed;
- Right to withdraw consent: withdraw consent for processing where we rely on consent as the lawful basis. Withdrawal does not affect the lawfulness of processing carried out before withdrawal;
- Right to data portability: request an export of your Customer Data in a commonly used, machine-readable format.
To exercise any of these rights, email us at privacy@nexhq.co. We will respond within the timeframes required by applicable law.
Data Security
We implement technical and organisational measures designed to protect personal data:
- Encryption at rest: secrets (ad-platform tokens, API keys) are encrypted with AES-256-GCM; database storage is encrypted at rest;
- Encryption in transit: all traffic uses TLS 1.2 or higher;
- Row-level security: our Postgres database enforces row-level security (RLS) so that workspace data is isolated at the database layer;
- Least-privilege access: production access is restricted to a small number of authorised engineers, gated by SSO and MFA, and logged;
- Regional data residency: primary storage is in the Supabase Mumbai (ap-south-1) region and hosting is on Vercel’s Mumbai region;
- Audit logs: administrative actions and AI agent actions are recorded in immutable audit logs;
- Backups: automated daily backups with point-in-time recovery.
No security system is perfect. If we become aware of a personal data breach affecting you, we will notify you and the relevant authority in accordance with the DPDP Act.
Data Transfers
We process personal data primarily in India. Some of our sub-processors (such as certain AI providers) may process data in the United States, the European Union, Singapore, or other jurisdictions. We select sub-processors that offer commercially reasonable protections and, where required, we enter into data processing agreements with them. The DPDP Act permits transfers of personal data outside India except to countries specifically restricted by the Central Government; we comply with any such restrictions.
Cookies and Tracking
Nexus HQ uses a minimal number of cookies, primarily for authentication and user preferences. We do not currently use advertising or analytics cookies on our own site. See our Cookie Policy for details.
Children
The Service is not intended for, or directed to, individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will delete it.
Changes to this Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or in-product notice and update the “Last updated” date at the top of this page. We encourage you to review this Policy periodically.
Grievance Officer
In accordance with Section 10 of the DPDP Act, 2023, we have designated a Grievance Officer to address complaints and requests from Data Principals:
- Name: [GRIEVANCE OFFICER NAME]
- Email: grievance@nexhq.co
- Address: [LEGAL ENTITY NAME], Mumbai, Maharashtra, India
- Response time: We aim to acknowledge grievances within 48 hours and resolve them within the timeframes mandated by the DPDP Act.
Contact
For general privacy questions, write to us at privacy@nexhq.co. For data subject requests and grievances, use grievance@nexhq.co.
If you’d like to exercise a right, raise a concern, or simply better understand what we do with your data, we’d love to hear from you.