NxtCRM.ai

Privacy Policy

Learn how nxtcrm.ai collects, uses, and protects your personal data while using our services.

Last Updated: March 12, 2025 | Effective Date: March 12, 2030

1. Introduction

nxtcrm.ai ("we," "us," or "our") is committed to protecting the privacy of its users ("you" or "your"). This Privacy Policy outlines how we collect, use, disclose, and safeguard your personal information in compliance with:

  • U.S. Federal Laws: Including the California Consumer Privacy Act (CCPA), California Online Privacy Protection Act (CalOPPA), Children's Online Privacy Protection Act (COPPA), and others.
  • Google Requirements: Adherence to Google API Services User Data Policy, Play Store Developer Policies, and Google Ads Data Processing Terms.
  • Global Standards: General Data Protection Regulation (GDPR) principles for international users.

By using nxtcrm.ai, you consent to the practices described in this policy.

2. Information We Collect

We collect the following categories of data:

A. Personal Information

  • Identifiers: Name, email, phone number, IP address, username, and business contact details.
  • Commercial Data: Purchase history, payment information (processed via PCI-DSS-compliant gateways like Stripe or PayPal).
  • Technical Data: Device type, browser, operating system, cookies, and usage patterns (e.g., pages visited, features used).
  • User Content: Data uploaded to nxtcrm.ai (e.g., customer lists, emails, support tickets).

B. Sensitive Information

  • Authentication: Passwords (hashed and salted), security questions.
  • Biometric Data: Not collected unless explicitly disclosed for specific features.

C. Automatically Collected Data

  • Cookies: First-party (session, persistent) and third-party (e.g., Google Analytics).
  • Logs: Server logs, timestamps, error reports.
  • Location Data: Approximate location derived from IP addresses.

3. How We Use Your Information

We process data for the following purposes:

  • Service Delivery: Account creation, CRM functionality, customer support.
  • Legal Compliance: Fraud prevention, tax reporting, regulatory obligations.
  • Marketing: With your consent, send promotional emails (opt out at any time via the unsubscribe link).
  • Analytics: Improve product performance using tools like Google Analytics (anonymized where possible).
  • AI Training: Train machine learning models on aggregated, de-identified data.

4. Legal Basis for Processing (GDPR Compliance)

For EU/UK users, we rely on:

  • Contractual Necessity: To fulfill services you requested.
  • Consent: For marketing emails or sensitive data processing.
  • Legitimate Interests: Fraud prevention, service improvement.

5. Data Sharing & Third Parties

We disclose data only as follows:

A. Service Providers

  • Subprocessors: AWS (hosting), Google Cloud (analytics), Twilio (SMS), etc.
  • Contracts: All third parties sign Data Processing Agreements (DPAs) requiring GDPR/CCPA compliance.

B. Legal Disclosures

  • Law Enforcement: When required by subpoena, court order, or valid legal process.
  • Business Transfers: In mergers, acquisitions, or asset sales (users notified via email).

C. Advertising Partners

  • Google Ads: Non-personalized ads based on aggregated data.
  • No Sale of Data: We do not "sell" data as defined by CCPA.

6. Data Security

We implement safeguards including:

  • Encryption: AES-256 for data at rest, TLS 1.2+ for data in transit.
  • Access Controls: Role-based access, multi-factor authentication (MFA).
  • Audits: Annual penetration testing, SOC 2 compliance.
  • Breach Notification: Notify users and authorities within 72 hours (per GDPR) if a breach occurs.

7. User Rights

A. CCPA Rights (California Residents)

  • Right to know, delete, and opt out of data "sales" (though we do not sell data).
  • Submit requests via [webform/email] with identity verification (e.g., government ID).

B. GDPR Rights (EU/UK Users)

  • Access, rectification, erasure, portability, and objection.
  • Withdraw consent at any time (email DPO@nxtcrm.ai).

C. COPPA Compliance

  • We do not knowingly collect data from children under 13. Parents may request deletion via [contact form].

8. International Data Transfers

  • EU-U.S. DPF: Data transferred to the U.S. under the EU-U.S. Data Privacy Framework.
  • SCCs: Standard Contractual Clauses with third parties for GDPR compliance.

9. Cookies & Tracking Technologies

  • Types: Essential (session cookies), Functional (preferences), Analytics (Google Analytics).
  • Opt-Out: Adjust browser settings or use our cookie consent banner (GDPR-compliant).
  • Do Not Track: We honor browser "Do Not Track" signals (CalOPPA).

10. Data Retention

  • Retention Period: Data is kept for 3 years after account closure unless a different period is legally required.
  • Deletion: Automatic deletion