Privacy policy
Last updated: 2026-05-20
Overview
NexuseAI is a SaaS business-intelligence tool for e-commerce. This policy explains what data we collect, why we use it and how we protect it. Questions? Write to privacy@nexuseai.com.
Data we collect
We collect only the data needed to operate the service:
- Account data: email, name, password (hashed with argon2), language, country.
- Business profile: vertical, MRR range, target audience, brand voice, goals. Optional, gathered through the onboarding wizard.
- OAuth tokens: Shopify, Meta Ads, Google Ads, WhatsApp Business. Encrypted at rest with AES-128-CBC + HMAC-SHA256.
- Data imported from your integrations: Shopify catalog, orders, competitor products scraped from public sources, marketplace signals.
- Operational telemetry: errors (Sentry), structured logs, usage metrics. PII obfuscated where possible.
How we use it
- Run the features you asked for (arbitrage, recommendations, audit, AdForge).
- Generate personalized signals from your data + public market data.
- Billing + plan usage enforcement.
- Customer support when you contact us.
- Abuse detection + legal compliance.
Third parties that process your data
We share data only with the services NexuseAI depends on to operate:
- Shopify — Read/write your catalog + orders via the official API.
- Meta (Facebook + Instagram + WhatsApp) — OAuth + campaign creation + WhatsApp Business messages when you enable those features.
- Google Ads — OAuth + Google Ads campaign creation when you enable that feature.
- DeepSeek / Anthropic — Prompt processing for analyses + campaign copy. We NEVER send your end customers' data to these models.
- Sentry — Error reporting. Sensitive data obfuscated.
- Resend — Transactional email (verification, alerts).
Data retention
We keep your data while your account is active and for 90 days after cancellation, for audit and recovery purposes. After that it is deleted. You can request earlier deletion in writing.
Your rights
You have the right to:
- Access the data we hold about you.
- Correct inaccurate data.
- Request deletion of your account + associated data.
- Export your data in JSON.
- Object to processing for specific purposes.
To exercise any of these rights write to privacy@nexuseai.com. We respond within 30 days.
Security
Encryption at rest (OAuth tokens via Fernet, which is AES-128-CBC with HMAC-SHA256) and in transit (TLS required in production). Three-layer multi-tenant isolation: middleware, an ORM listener and Postgres Row-Level Security. Continuous access auditing. Report vulnerabilities to security@nexuseai.com.
Per-jurisdiction compliance
GDPR (EU/EEA): your data is processed on the basis of consent and performance of a contract. Contact your local DPO with concerns.
LGPD (Brazil) and equivalent LatAm regulations: we apply the same principles of purpose limitation, data minimization and transparency.
Changes to this policy
If we change this policy materially, we notify you by email and with an in-app banner at least 30 days before the change takes effect.