Privacy Policy

Effective date: 26 May 2026 · NexAgent B.V., the Netherlands

Your rights at a glance. Under GDPR you have the right to access, correct, delete, or export your personal data at any time. To exercise any right, contact us at support@nexagent.io. We will respond within 30 days.

1. Who we are

NexAgent B.V. (“NexAgent”, “we”, “us”) is the data controller for personal data processed through the NexAgent platform at nexagent.io. We are registered in the Netherlands and subject to the General Data Protection Regulation (GDPR).

Contact for all privacy matters: support@nexagent.io

2. Data we collect

Account data

When you sign up we collect your name, email address, and a hashed password. This data is required to provide the Service. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

Conversation data

We store the messages you send to agents and the responses you receive. This data is used to provide conversation history and to train agent memory. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

Agent memory

With your awareness, agents automatically extract facts from conversations to personalise future interactions (e.g. your pricing, preferences, or context you share). You can view and delete all stored memories at any time in Settings → Memory. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

Integration tokens

If you connect Gmail, Google Calendar, Notion, or Slack, we store the OAuth access tokens required for agents to perform actions on your behalf. Tokens are stored encrypted and are only used to fulfil your requests. Legal basis: consent (Art. 6(1)(a) GDPR) — you can revoke at any time from Settings.

Billing data

Payment details are handled directly by Stripe. We do not store card numbers or bank details. We store your Stripe customer ID to manage your subscription. Legal basis: performance of a contract and legal obligation (Art. 6(1)(b)(c) GDPR).

Usage data

We collect basic usage metrics (message counts, conversation frequency, agent usage by type) to operate and improve the Service. We do not use third-party analytics trackers or advertising platforms. Legal basis: legitimate interests (Art. 6(1)(f) GDPR).

Email communications

We send transactional emails (account confirmation, scheduled agent results) required for the Service to function. We do not send marketing emails without your explicit consent. Legal basis: performance of a contract and consent where applicable (Art. 6(1)(a)(b) GDPR).

3. How we use your data

  • To create and manage your account.
  • To deliver the AI agent Service and process your conversations.
  • To personalise agent responses using stored memories you have approved.
  • To process payments and manage subscriptions.
  • To send you transactional emails about your account and scheduled agent runs.
  • To monitor usage for rate limiting, fraud prevention, and service stability.
  • To comply with legal obligations.

We do not sell your personal data. We do not use your conversation data to train AI models. Conversation data is sent to Anthropic's API to generate responses, but Anthropic does not use API requests to train their models by default.

4. Third-party processors

We share data with the following sub-processors, all operating under data processing agreements (DPAs) that comply with GDPR:

Processor | Purpose | Location
Supabase | Database, authentication, and storage | USA (EU region available)
Stripe | Payment processing and subscription management | USA / Ireland
Anthropic | AI model inference (Claude API) — processes conversation content | USA
Vercel | Platform hosting and edge network | USA / Global
Resend | Transactional email delivery | USA

Several processors are located in the USA. Data transfers to these processors are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent safeguards such as the EU-U.S. Data Privacy Framework.

5. Data retention

  • Account data: retained for as long as your account is active, and deleted within 30 days of account closure.
  • Conversation data: retained for as long as your account is active. You can delete individual conversations from within the Service.
  • Agent memory: retained until you delete it from Settings → Memory, or until your account is deleted.
  • Billing records: retained for 7 years to comply with Dutch tax and accounting law (Boekhouding, art. 52 AWR).
  • Integration tokens: deleted immediately when you disconnect an integration.

6. Your rights under GDPR

As a data subject under GDPR, you have the following rights:

Right | What it means
Access | Request a copy of the personal data we hold about you.
Rectification | Ask us to correct inaccurate or incomplete data.
Erasure | Request deletion of your personal data (“right to be forgotten”), subject to legal retention requirements.
Portability | Receive your data in a structured, machine-readable format.
Restriction | Ask us to limit processing of your data in certain circumstances.
Objection | Object to processing based on legitimate interests.
Withdraw consent | Revoke consent at any time (e.g. disconnect an integration) without affecting the lawfulness of prior processing.

To exercise any right, email support@nexagent.io with the subject line “GDPR request”. We will respond within 30 days. We may ask for identity verification before processing sensitive requests.

You also have the right to lodge a complaint with the Dutch data protection authority: Autoriteit Persoonsgegevens.

7. Cookies

NexAgent uses a single, strictly necessary session cookie to keep you logged in. We do not use advertising cookies, tracking pixels, or third-party analytics cookies. No consent banner is required for strictly necessary cookies under GDPR.

8. Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption in transit (TLS/HTTPS) and at rest.
  • Row-level security policies ensuring users can only access their own data.
  • Minimal data access: API tokens and integration credentials are never exposed to the frontend.
  • Agent tokens are never stored client-side.

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens within 72 hours and inform affected users without undue delay as required by Art. 33–34 GDPR.

9. Children's data

NexAgent is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at support@nexagent.io and we will delete it promptly.

10. Changes to this policy

We may update this Privacy Policy as the Service evolves or as legal requirements change. When we make material changes, we will notify you by email and update the effective date above. We encourage you to review this policy periodically.

11. Contact

NexAgent B.V.
the Netherlands
support@nexagent.io