Privacy Policy

Last updated: March 17, 2026

This Privacy Policy describes Our policies and procedures on the collection, use, and disclosure of Your information when You use the Service and tells You about Your privacy rights and how the law protects You.

We use Your Personal data strictly to provide and improve the Service. By using the Service, You agree to the collection and use of information in accordance with this Privacy Policy.

1. Interpretation and Definitions

Interpretation

The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.

Definitions

For the purposes of this Privacy Policy:

  • Account means a unique account created for You to access our Service.
  • Company (referred to as either "the Company", "We", "Us" or "Our" in this Agreement) refers to NORTHSTAR LABS (NEXO), Kushal Vatika, Ahinsa Marg, Jugsalai, Jamshedpur 831006, Jharkhand, India.
  • Personal Data is any information that relates to an identified or identifiable individual.
  • Service refers to the Website (getnexo.in) and the NEXO Application.
  • Sub-processor means any third-party data processor engaged by the Company to process Personal Data on its behalf.
  • Third-party Social Media Service refers to any website or social network through which a User can log in or create an account to use the Service (specifically Google).

2. Collecting and Using Your Personal Data

Types of Data Collected

Personal Data

While using Our Service, We may ask You to provide Us with certain personally identifiable information that can be used to contact or identify You. Personally identifiable information is limited to:

  • Full Name
  • Email Address
  • Mobile Number
  • Usage Data (timestamps of signup and interaction logs)

Information from Third-Party Services (Google Integration)

NEXO allows You to create an account and log in through Google. If You grant us access to Your Google Account, We collect information solely to automate and provide Your core CRM experience. We request the following specific scopes:

  • Google Contacts (https://www.googleapis.com/auth/contacts.readonly): Names, email addresses, phone numbers, and job titles of Your connections. This data is used exclusively to populate your NEXO contact list so you can manage your professional network without manual data entry. No data is written back to your Google Contacts.
  • Google Calendar (https://www.googleapis.com/auth/calendar.readonly): Metadata of calendar events — specifically event titles, attendee email addresses, and event timestamps. This data is used exclusively to build the Interaction History timeline displayed on each contact's profile page inside NEXO. The timeline shows You when You last met or have an upcoming scheduled meeting with a specific person, enabling You to maintain relationships proactively. No event descriptions, attachments, meeting links, or private notes are read or stored. No calendar data is written, modified, or deleted.

Important: Google data accessed via these scopes is stored only within Your secured NEXO account. It is never shared with other users, never used to train AI or machine learning models, and never processed by advertising networks or data brokers. See Section 3 for full Limited Use disclosures.

LinkedIn Contact Import

You may optionally import contacts into NEXO by uploading a LinkedIn connections export (CSV file) that You obtain directly from LinkedIn. NEXO does not connect to LinkedIn's API and does not store Your LinkedIn credentials. The uploaded CSV file is processed in memory to extract contact information (name, email address, company, job title, and LinkedIn profile URL) and is discarded immediately after processing. Extracted records are stored within Your NEXO account only and are subject to the same protections as all other contact data.

WhatsApp Notification Integration

NEXO offers an optional WhatsApp notification channel for reminders and task alerts. If You enable this feature in Settings, You provide Your WhatsApp-registered mobile number. We use this number solely to deliver outbound notifications from NEXO via the Meta WhatsApp Business Cloud API. We do not read, store, or process any of Your WhatsApp messages, conversations, or contact lists. You may disable WhatsApp notifications at any time from the Settings page.

User-Generated Content

We collect data that You manually input to provide Relationship Intelligence:

  • Personal notes about Your contacts.
  • Relationship tags (e.g., "Founder," "VC," "Strategic Lead").
  • Important dates (birthdays and anniversaries) to trigger milestone reminders within the app.
  • Reminders and tasks linked to specific contacts, including scheduled due times.

3. Google API Services Disclosure & Limited Use

NEXO's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • No Advertising: We do not use Your Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
  • No Data Brokers: We do not sell or transfer Your Google user data to data brokers, information resellers, or any other third parties.
  • Strictly For Functionality: We only use Google data to provide the user-facing features directly visible in the NEXO interface — specifically Contact Management, Interaction History (calendar events timeline on contact profiles), and Network Search.
  • No AI / ML Training: We do not use Your Google user data to develop, improve, or train generalized artificial intelligence or machine learning models. Google data is used only to deliver personalized in-app functionality scoped exclusively to Your individual account.
  • No Cross-User Aggregation: Your Google data is never combined with, compared against, or visible to any other NEXO user's data.
  • Human Access: We do not allow humans to read Your Google user data unless (a) we have Your affirmative agreement for specific messages, (b) it is necessary for security purposes such as investigating abuse, or (c) to comply with applicable law. In all permitted cases, access is logged and limited to the minimum necessary data.
  • OAuth Token Security: OAuth 2.0 refresh tokens issued by Google are stored in encrypted form (AES-256) on Our servers and are accessible only to the authenticated account holder's server-side session. Tokens are never exposed in client-side code, browser storage, or application logs.

4. AI-Powered Features & Data Processing

NEXO uses artificial intelligence to provide the following features. In all cases, AI processing is strictly scoped to Your individual account. Your data is never used to train AI models and is never visible to other users.

Nexo AI (Relationship Intelligence & Network Search)

Your contact data — names, job titles, companies, and notes You have added — is used to generate AI-powered relationship summaries and to answer natural-language queries about your network (e.g., "Who do I know at Sequoia?"). To enable semantic search, NEXO generates vector embeddings of your contact records using Google's Gemini Embedding model and stores them in Pinecone, a vector database. Each embedding is tagged with Your unique account identifier only. Embeddings are mathematical representations and do not contain raw personally identifiable data. They are used solely to compute search relevance within Your own account.

Merge & Fix (Contact Deduplication)

NEXO uses AI to identify and merge duplicate contact records within Your own account. The system first applies deterministic rules — if two contacts share an identical email address, phone number, or LinkedIn URL, they are flagged as definite duplicates without any AI involvement. Only contacts where no exact identifier match exists are submitted for AI-assisted fuzzy name and company matching. Contact data used in this AI comparison is processed via Google's Gemini API under Our service agreement and is not retained by the AI provider for model training purposes.

Google Calendar Data in Interaction History

Calendar event metadata (event title, attendee email addresses, and date/time) retrieved via the calendar.readonly scope is used exclusively to populate the Interaction History panel on each contact's profile page within NEXO. This panel displays when You last met a specific person and any upcoming scheduled meetings, helping You maintain relationships without manually logging interactions. Calendar data is not used for any purpose beyond constructing this user-facing timeline, and no calendar data is ever written, modified, or deleted by NEXO.

5. Use of Your Personal Data

The Company uses Personal Data strictly for the following purposes:

  • To provide and maintain our Service: Including to monitor the usage of our Service and ensure its stability.
  • To manage Your Account: To manage Your registration as a user of the Service.
  • To send Notifications: Reminder and task alerts are delivered via email (AWS Simple Email Service) and/or WhatsApp (Meta WhatsApp Business Cloud API) based on Your notification preferences configured in Settings. You may disable either channel at any time.
  • To contact You: By email regarding critical system updates, security alerts, or informative communications directly related to the functionalities of the Service.

6. Sub-processors & Third-Party Services

To deliver the Service, We engage the following sub-processors who may process Your Personal Data on Our behalf. All sub-processors are bound by data processing agreements consistent with this Policy.

| Sub-processor | Purpose | Data Involved |
| --- | --- | --- |
| Google LLC | Authentication (OAuth 2.0), read-only Contacts sync, read-only Calendar sync, AI embedding generation (Gemini API) | Name, email, phone, calendar event metadata (title, attendees, timestamps), contact text for embeddings |
| Pinecone Inc. | Vector database for AI-powered semantic contact search within Your account | Anonymized semantic embeddings of contact records (no raw PII stored) |
| SendGrid | Transactional email delivery (reminders, task alerts, system notifications) | Your email address, notification subject and body |
| Meta Platforms (WhatsApp Business Cloud API) | Outbound WhatsApp notification delivery (optional, user-enabled feature) | Your WhatsApp mobile number, notification content |
| PostgreSQL | Relational database hosting for all account, contact, and activity data | All account and contact data |

7. Retention of Your Personal Data

The Company will retain Your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy.

  • Synced Google Data: If You disconnect Your Google Account from our Service, all synced contacts and calendar data are automatically purged from our active databases within 30 days.
  • AI Embeddings (Pinecone): Vector embeddings generated from Your contact data are permanently deleted from Pinecone within 30 days of account disconnection or account deletion.
  • Account Data: We will retain Your name and email for as long as Your account is active.
  • Account Deletion: Upon self-service deletion (via Settings) or a written request, all Personal Data — including contacts, notes, reminders, AI vector embeddings, OAuth tokens, and account records — is permanently and irrecoverably deleted within 30 days.

8. Security of Your Personal Data

The security of Your Personal Data is important to Us. We employ the following measures:

  • AES-256 encryption for all data at rest.
  • TLS 1.2+ for all data in transit.
  • Encrypted OAuth token storage — Google refresh tokens are stored encrypted and are never exposed in client-side code, browser storage, or application logs.
  • Role-based access controls to limit internal access to Personal Data.

No method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security but are committed to using industry-standard protections.

9. Your Rights (India DPDP Act / IT Act)

In accordance with the Information Technology Act, 2000 and the Digital Personal Data Protection Act (DPDP) 2023, you have the right to:

  • Access / Review: Request a copy of the Personal Data we hold about You.
  • Correction: Request correction of inaccurate or incomplete data.
  • Erasure (Right to be Forgotten): Request permanent deletion of Your Personal Data, including AI vector embeddings stored in Pinecone. You may also delete Your account directly from within the app via Settings → Delete My Account.
  • Revoke Google Access: You may revoke NEXO's access to Your Google Account at any time via Google Account Permissions. Upon revocation, synced data is purged within 30 days per Section 7.
  • Disable Notifications: You may disable email and/or WhatsApp notifications at any time from Settings within the app.

To exercise any of these rights, or to request complete deletion of your account and all associated data, please contact us at naman@getnexo.in. We will process all data deletion requests within 30 days.

10. Children's Privacy

Our Service does not address anyone under the age of 18. We do not knowingly collect personally identifiable information from anyone under 18. If You are a parent or guardian and are aware that your child has provided Us with Personal Data, please contact us at naman@getnexo.in and we will take steps to remove that information promptly.

11. Changes to this Privacy Policy

We may update Our Privacy Policy from time to time. We will notify You of any changes by updating the "Last updated" date at the top of this page and, where changes are material, by sending a notification to the email address associated with Your account. Changes are effective when posted.

12. Contact Us

If you have any questions about this Privacy Policy, You can contact us:

  • By email: naman@getnexo.in
  • By post: NORTHSTAR LABS (NEXO), Kushal Vatika, Ahinsa Marg, Jugsalai, Jamshedpur 831006, Jharkhand, India