Privacy Policy
Effective date: January 1, 2024 · Last updated: May 2025
NexusVoid AI Pvt. Ltd. ("NexusVoid AI", "we", "our", or "us") is committed to protecting the privacy of our customers, users, and website visitors. This Privacy Policy explains how we collect, use, share, and safeguard your information when you use our platform, products, and website at nexusvoidai.com (collectively, the "Service").
By accessing or using the Service, you agree to the practices described in this policy. If you do not agree, please do not use the Service.
1. Information We Collect
We collect information to provide and improve the Service. The categories of data we collect depend on how you interact with us.
1.1 Account Data
When you create an account, we collect your name, email address, company name, job title, and password (stored as a salted hash). If you sign up via OAuth (Google or GitHub), we receive your name, email, and profile picture from that provider. You may optionally provide billing address information for invoicing purposes.
1.2 Usage Data
We collect information about how you interact with the Service - pages visited, features used, scan configurations submitted, reports generated, and actions taken within the dashboard. This helps us understand usage patterns and improve the product. Usage events are associated with your account ID, not your name, wherever possible.
1.3 Technical Data
We collect IP address, browser type and version, operating system, device type, referral URL, and timestamps of requests. We use this data for security monitoring, fraud prevention, and service diagnostics. IP addresses are anonymised in analytics logs after 30 days.
1.4 Customer-Provided Security Data
When you use our scanning and testing products (Argus, Aegis, Striker, Phantom), you may provide or grant access to source code repositories, API endpoints, infrastructure details, and configuration files. This data is processed strictly to deliver the Service you requested. We treat it as confidential customer data and do not use it for any purpose beyond service delivery. See Section 4 for retention details.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Service delivery - to authenticate you, process your scans, generate reports, and enable all platform features.
- Billing and payments - to process subscription fees and pay-per-scan charges through our payment processor (Stripe).
- Communication - to send transactional emails (scan completed, invoice, password reset) and, where you have opted in, product updates and newsletters.
- Security and fraud prevention - to detect and prevent unauthorized access, abuse, and fraudulent activity on the platform.
- Product improvement - to analyze aggregated usage patterns, improve our AI models and detection capabilities, and fix bugs. We use anonymized or aggregated data for this purpose and do not use customer security scan data to train our models without explicit consent.
- Legal compliance - to comply with applicable laws, regulations, and legitimate legal requests.
3. Data Sharing
We do not sell, rent, or trade your personal data to third parties for marketing purposes. Ever.
We share data only in the following limited circumstances:
3.1 Sub-processors
We use trusted third-party services to operate the platform. Each sub-processor is bound by a Data Processing Agreement (DPA) that restricts it from using your data for any purpose other than providing services to us:
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database and authentication | AWS (India / EU) |
| Stripe | Payment processing | USA / EU |
| Resend | Transactional email delivery | USA |
3.2 Legal Requirements
We may disclose information if required by law, court order, or governmental authority. Where legally permitted, we will notify you before making such a disclosure.
3.3 Business Transfers
If NexusVoid AI is acquired, merges with another company, or sells substantially all of its assets, customer data may be transferred to the acquiring entity. We will notify you via email and/or a prominent notice on our website at least 30 days before any such transfer and give you the option to delete your account.
4. Data Retention
We retain data only for as long as necessary to provide the Service and comply with our legal obligations:
- Account data - retained for the duration of your active account. Deleted within 30 days of account closure, except where we are legally required to retain records (e.g., billing records, which are kept for 7 years under Indian tax law).
- Security scan data (source code, API responses, scan results) - retained for 90 days from the date of the scan, then permanently deleted. You may export your reports at any time within this window. After 90 days, report summaries without raw payloads are retained for an additional 12 months.
- Usage and analytics data - aggregated, anonymized analytics data may be retained indefinitely. Identifiable usage logs are purged after 12 months.
- Marketing communications - email preferences and opt-out records are retained as long as your account exists to honor your communication preferences.
5. Your Rights
Depending on where you are located, you have various rights regarding your personal data. We honor these rights regardless of your jurisdiction.
GDPR (EU/EEA Residents)
- Right of access - request a copy of the personal data we hold about you.
- Right to rectification - request correction of inaccurate data.
- Right to erasure - request deletion of your personal data (subject to legal obligations).
- Right to portability - receive your data in a structured, machine-readable format (JSON/CSV).
- Right to object - object to processing based on legitimate interests.
- Right to restrict processing - request that we limit how we use your data in certain circumstances.
CCPA (California Residents)
- Right to know - request disclosure of what personal information we collect, use, and share.
- Right to delete - request deletion of personal information we have collected.
- Right to opt out of sale - we do not sell personal information. No opt-out needed.
- Right to non-discrimination - we will not discriminate against you for exercising your rights.
DPDP Act 2023 (Indian Residents)
- As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the right to access, correct, and erase your personal data, and to nominate a person to exercise your rights in case of incapacity or death.
To exercise any of these rights, email us at privacy@nexusvoidai.com. We will respond within 30 days (GDPR) or 45 days (CCPA/DPDP). We may request identity verification before acting on your request.
6. Security Measures
We take security seriously - it is, after all, what we do. Our technical and organizational measures include:
- AES-256 encryption at rest for all customer data stored in our databases.
- TLS 1.3 in transit - all data transmitted between your browser and our servers is encrypted.
- SOC 2-ready infrastructure on AWS, with logical tenant isolation - your data is never commingled with another customer's data.
- Role-based access control (RBAC) and multi-factor authentication for all internal staff access to production systems.
- Regular security testing - we pentest our own infrastructure quarterly using Striker, our AI-powered VAPT agent.
- Incident response plan - customer notification within 24 hours of any confirmed data breach. See our Security Policy for full details.
No system is impenetrable. While we employ industry-leading security practices, we cannot guarantee absolute security. We encourage you to use a strong, unique password and enable MFA on your account.
7. Cookies and Tracking
We use cookies and similar tracking technologies to operate and improve the Service. The types of cookies we use include essential cookies (required for the platform to function, such as session authentication), preference cookies (to remember your settings), and analytics cookies (PostHog, to understand how users interact with the product).
We do not use advertising or behavioral targeting cookies. You can manage cookie preferences through your browser settings or our cookie consent manager. For full details, see our Cookie Policy.
8. International Data Transfers
NexusVoid AI is incorporated in India and our primary infrastructure is hosted in AWS's ap-south-1 (Mumbai) region. For EU/EEA customers, we offer data residency in AWS eu-central-1 (Frankfurt).
When we transfer EU personal data to sub-processors outside the EEA (such as Stripe and Resend, which are US-based), we rely on the European Commission's Standard Contractual Clauses (SCCs) as the legal transfer mechanism. You can request a copy of the relevant SCCs by emailing privacy@nexusvoidai.com.
9. Children's Privacy
The Service is not intended for, and we do not knowingly collect personal data from, individuals under 18 years of age. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@nexusvoidai.com and we will promptly delete that information.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email (if you have an account) and by posting a prominent notice on our website at least 14 days before the change takes effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
11. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Privacy team:
If you are an EU/EEA resident and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.