Privacy Policy

NEXUS processes two categories of personal information:

(a) Customer Account Data — information about the businesses and individuals who subscribe to the Service. NEXUS acts as a data controller with respect to this information.

(b) End-User Data — information about callers, contacts, and other individuals whose personal information is processed through the Service on behalf of Customers (e.g., a caller's voice, name, and inquiry captured during an AVA call). NEXUS acts as a data processor with respect to this information; the Customer is the data controller.

Customers are responsible for ensuring they have a lawful basis (consent, contract, legitimate interest, etc.) to process End-User Data and for providing appropriate privacy notices to their callers and contacts.

Account Registration: Full name, business name, email address, phone number, billing address, payment information (processed by our third-party payment processor; NEXUS does not store full card numbers).

Service Configuration: Business details (industry, hours, location), agent configurations (voice persona, greeting scripts, instructions), integration credentials, custom workflows and automation rules.

Communications: Support requests, feedback, and any correspondence with NEXUS.

Usage Data: Login times, feature usage, dashboard activity, call volume, call duration, call timestamps, Subscription tier, Minute consumption, overage events.

Device and Technical Data: IP address, approximate geographic location (country/city level), browser type and version, operating system, device identifiers, referring URLs, language preferences.

Cookies: Session cookies for authentication, analytics cookies for performance monitoring, preference cookies for user experience. You can manage cookies via your browser settings.

When the Service handles calls on behalf of a Customer, the following information may be collected: caller phone number (Caller ID), voice audio recordings, call transcripts, information voluntarily provided by the caller (name, reason for call, scheduling details, contact details), and call metadata (duration, time, routing decisions, outcomes).

Integrated services (e.g., calendar platforms, CRM systems, communication tools) provide data we need to deliver functionality. Payment processors provide transaction confirmations and dispute information. Authentication providers provide profile information consistent with their privacy policies.

Operate, maintain, and provide the Service; authenticate users and secure accounts; process calls, schedule appointments, and execute automation workflows; provide customer support.

Process payments and manage Subscriptions; apply overage charges (with Customer approval, per Terms of Service); send billing notifications and receipts.

Diagnose technical issues and monitor performance; analyze usage trends; train and improve AI models in aggregated and anonymized form.

Send Service updates, security alerts, and administrative notices; respond to support requests; with consent, send marketing communications (you may opt out at any time).

Detect, prevent, and investigate fraud, abuse, or security incidents; enforce our Terms of Service; comply with legal obligations; protect the rights, safety, and property of NEXUS, our users, and third parties.

We rely on the following legal bases under the GDPR: Contract — to deliver the Service you have signed up for; Consent — for marketing communications and certain cookies; Legitimate interests — for fraud prevention, Service improvement, and analytics; Legal obligation — to comply with applicable laws.

We share information with carefully vetted third-party service providers that support our operations under strict contractual confidentiality and data protection obligations. These providers fall into the following categories: cloud hosting and infrastructure, voice and communications infrastructure, AI and language processing, workflow automation, payment processing, analytics and monitoring, and customer support platforms.

All sub-processors are bound by data protection terms consistent with this Privacy Policy and applicable law (including GDPR-compliant Data Processing Agreements and Standard Contractual Clauses where required). A list of sub-processor categories is available to enterprise Customers upon request.

End-User Data captured through calls is shared with the Customer who operates the AVA agent that handled the call. Customers are responsible for further use and protection of that data.

We may disclose information when required by law, court order, subpoena, or other legal process, or when we believe in good faith that disclosure is necessary to comply with legal obligations, protect safety, investigate fraud, or cooperate with law enforcement.

In the event of a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be transferred to the successor entity. We will notify you of any such transfer affecting your information.

We may share information for any other purpose with your explicit consent.

• •Access — request a copy of the personal information we hold about you
• •Correction — request correction of inaccurate or incomplete information
• •Deletion — request deletion of your personal information (subject to legal exceptions)
• •Opt-out of marketing — unsubscribe from promotional communications at any time

• •Restriction — request that we limit processing of your information
• •Portability — receive your information in a structured, machine-readable format
• •Objection — object to processing based on legitimate interests
• •Withdraw consent — without affecting prior lawful processing
• •Lodge a complaint — file a complaint with your local supervisory authority (in the Netherlands: Autoriteit Persoonsgegevens)

California residents have additional rights, including: the right to know what personal information is collected, used, and shared; the right to delete personal information; the right to correct inaccurate personal information; the right to opt out of the sale or sharing of personal information (NEXUS does not sell personal information); and the right to non-discrimination for exercising privacy rights.

Contact us at privacy@nexus.ai. We may need to verify your identity before fulfilling your request. We will respond within the timeframes required by applicable law (typically 30 days under GDPR; 45 days under CCPA, extendable by 45 additional days).

If you are an end user (caller) whose data was processed through a Customer's AVA agent, please contact the Customer directly first, as they are the data controller for that information.

NEXUS may use aggregated and anonymized data to improve the Service's performance and reliability. We do not use identifiable Customer Data or End-User Data to train AI models operated by third parties without explicit consent or contractual permission.

For decisions that produce significant effects on you and are based solely on automated processing (in jurisdictions where this right applies), you have the right to request human review. Contact privacy@nexus.ai to request review.