Privacy Policy

Last updated: 27 April 2026  ·  Effective: 27 April 2026  ·  Controller: Nexio  ·  Contact: [email protected]

1. Who we are

Nexio ("we", "our", "us") operates the business messaging platform available at ne-xio.net. We provide a unified inbox that connects Facebook Messenger, Instagram Direct, and WhatsApp Business into a single dashboard for businesses.

For the purposes of EU data protection law (GDPR), Nexio is the data controller for personal data collected through our website and platform.

2. What data we collect

Data you give us directly:

  • Name and email address submitted through our contact form
  • Message content you submit via the contact form
  • Meeting date and time preferences (if requesting a demo)

Data collected when you use the platform (registered customers):

  • Facebook, Instagram, and WhatsApp account identifiers (page IDs, phone number IDs) linked through OAuth
  • OAuth access tokens — stored AES-256-GCM encrypted, never in plain text
  • Session data (encrypted cookie, 30-day expiry)
  • Message metadata: sender ID, timestamp, platform, read status
  • Message content: the text of inbound and outbound messages processed through your dashboard
  • AI analysis results: order detection flags and extracted data from messages
  • Internal notes your team adds to conversations

Data collected automatically:

  • Server access logs (IP address, request path, timestamp, HTTP status) — retained for 30 days
  • No tracking pixels, no third-party analytics scripts

3. How we use your data

  • Contact form submissions — to respond to your inquiry or schedule a demo. Legal basis: legitimate interest (responding to an inbound request).
  • OAuth tokens — to authenticate API calls to Meta's platforms on your behalf. Legal basis: performance of contract.
  • Message data — to display conversations in your dashboard and run AI order detection. Legal basis: performance of contract.
  • Session data — to keep you logged in. Legal basis: performance of contract.
  • Server logs — to diagnose errors and detect abuse. Legal basis: legitimate interest.

We do not use your data for advertising. We do not sell your data to third parties. We do not use your message content to train AI models.

4. Third parties and sub-processors

We use a small number of third-party services to operate the platform:

  • Meta Platforms (Facebook/Instagram/WhatsApp) — our platform connects to Meta's Graph API and WhatsApp Business API. Your channel data is subject to Meta's own terms and privacy policies.
  • OpenAI — message content is sent to OpenAI's API for AI order detection analysis. OpenAI processes this data as a data processor under our agreement with them. OpenAI's data usage policies apply.
  • Hetzner Cloud — our servers are hosted on Hetzner Cloud (Germany, EU). All data is processed and stored within the EU.
  • Cloudflare — public traffic passes through Cloudflare's CDN and DDoS protection. Cloudflare processes IP addresses and request headers.

5. Data retention

  • Contact form submissions — retained until the inquiry is resolved, then for up to 12 months in email archives.
  • Message data — retained for the lifetime of your account, plus 30 days after account deletion.
  • OAuth tokens — deleted immediately when you disconnect a channel or delete your account.
  • Server logs — automatically deleted after 30 days.
  • Session data — expires after 30 days of inactivity.

6. Your rights (GDPR)

If you are located in the EU or EEA, you have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate data
  • Erasure — request deletion of your personal data (subject to legal retention obligations)
  • Portability — receive your data in a structured, machine-readable format
  • Restriction — request that we limit processing of your data
  • Objection — object to processing based on legitimate interest
  • Complaint — lodge a complaint with your national data protection authority

To exercise any of these rights, email [email protected]. We will respond within 30 days.

7. Security

We take reasonable technical and organisational measures to protect your data. OAuth access tokens are encrypted with AES-256-GCM before storage. All traffic is encrypted in transit via TLS. Access to production systems is restricted and logged.

No system is perfectly secure. If you discover a security vulnerability, please report it to [email protected].

8. Cookies

We use a single session cookie to keep you logged in. This cookie is:

  • Strictly necessary — no consent required
  • HttpOnly and Secure — not accessible to JavaScript, and only sent over HTTPS connections
  • Expires after 30 days of inactivity

We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

9. Children

Nexio is a B2B platform intended for business use. We do not knowingly collect personal data from individuals under 18 years of age. If you believe we have collected such data, contact us immediately.

10. Changes to this policy

We may update this policy as our service evolves. Material changes will be communicated by email to registered customers at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.

11. Contact

For any privacy-related questions or requests: [email protected]