Privacy Policy
Last updated: March 18, 2026
1. Introduction
NexusNest Technologies Private Limited (“NexusNest”, “we”, “us”, or “our”) operates the NexusNest platform, including the PromptWall and NetLens products (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
We are committed to protecting your privacy and handling your data in an open and transparent manner. This policy complies with the Indian Digital Personal Data Protection Act, 2023 (DPDP Act), the EU General Data Protection Regulation (GDPR), and SOC 2 Type II requirements.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Name, email address, and organization name
- Billing information (processed securely by Razorpay — we do not store card details)
- Account credentials (passwords are hashed and never stored in plaintext)
2.2 PromptWall — AI Masking Data
When the PromptWall agent processes AI requests:
- Original prompts are never stored — we do not log, retain, or transmit the original unmasked text to our servers
- Masked prompts (with sensitive data replaced by placeholders) may be logged for admin review
- Masking is one-way and irreversible — there is no mechanism to recover original data from masked output
- Detection metadata only: category of data detected, number of fields masked, timestamp
2.3 NetLens — Network Monitoring Data
When the NetLens agent logs network activity:
- Request metadata: URL, domain, HTTP method, status code, response time
- Device metadata: machine ID, IP address, user agent
- We do not log request or response bodies for non-AI traffic
- Network logs are retained for up to 90 days and then automatically deleted
2.4 Usage and Analytics Data
- Dashboard usage patterns (pages visited, features used)
- Device and browser information
- IP address and approximate location
3. How We Use Your Information
We use collected information to:
- Provide, maintain, and improve the Service
- Process AI requests through the masking pipeline and deliver masked outputs
- Generate audit logs and analytics for your tenant administrators
- Process payments via Razorpay
- Send transactional communications (account verification, billing, security alerts)
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations
We do not: sell your data, use your data to train AI models, share your prompts or network logs with third parties, or use your data for advertising purposes.
4. Data Processing and Detection
PromptWall uses a proprietary multi-layered detection engine to identify sensitive data. Key privacy guarantees:
- All processing occurs on isolated infrastructure we control — your data is never sent to third-party providers
- Your data is never used to train, fine-tune, or improve any models
- Detection results are not shared across tenants — each organization's data is strictly isolated
- No original sensitive data is stored at any point in the detection pipeline
5. Data Sharing and Disclosure
We share your information only in the following circumstances:
5.1 Service Providers
- Razorpay: Payment processing. Razorpay processes your payment information in accordance with their Privacy Policy and is PCI DSS Level 1 compliant. We do not store your full card number, CVV, or bank account details.
- Microsoft Azure: Cloud infrastructure hosting. Data is stored in Indian data centres (Central India — Mumbai region). Microsoft processes data under their data processing agreement.
5.2 Legal Requirements
We may disclose your information if required by law, court order, or government request, or if we believe disclosure is necessary to protect the rights, property, or safety of NexusNest, our users, or the public.
5.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will provide notice before your personal data is transferred and becomes subject to a different privacy policy.
6. Data Security
We implement industry-standard security measures aligned with SOC 2 Type II requirements:
- Encryption in transit: All data in transit is encrypted using TLS 1.2+
- Encryption at rest: All stored data is encrypted using AES-256 encryption
- Access controls: Role-based access control (RBAC) with least-privilege principles
- Multi-tenant isolation: Each organization's data is logically isolated at the database level with row-level security
- Secrets management: All credentials and API keys are stored in Azure Key Vault
- Audit logging: All administrative actions are logged and retained
- Network security: Database and internal services are on private subnets with no public internet access
- Incident response: We maintain a documented incident response plan with defined escalation procedures
- Password security: Passwords are hashed using scrypt with unique salts
7. Data Retention
- Account data: Retained for the duration of your subscription, plus 30 days after cancellation
- Audit logs: Retained for 90 days, then automatically purged
- Network logs: Retained for 90 days, then automatically purged
- AI masking logs: Retained for 90 days, then automatically purged
- Payment records: Retained as required by Indian tax law (typically 8 years)
Enterprise customers may negotiate custom retention periods. You can request early deletion of your data at any time.
8. Your Rights
8.1 Under the DPDP Act (India)
As a Data Principal, you have the right to:
- Access a summary of your personal data and processing activities
- Correct inaccurate or incomplete personal data
- Erase your personal data (subject to legal retention obligations)
- Nominate another person to exercise your rights in case of death or incapacity
- Grievance redressal — contact our Data Protection Officer
8.2 Under GDPR (EU/EEA)
If you are located in the EU/EEA, you additionally have the right to:
- Data portability — receive your data in a structured, machine-readable format
- Object to processing based on legitimate interests
- Restrict processing in certain circumstances
- Withdraw consent at any time
- Lodge a complaint with a supervisory authority
To exercise any of these rights, contact us at privacy@nexusnest.dev. We will respond within 30 days.
9. International Data Transfers
Our primary data storage is in India (Azure Central India — Mumbai). If your data is transferred outside India, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) for EU data transfers
- Data processing agreements with all sub-processors
- Compliance with applicable data localisation requirements
10. Cookies and Tracking
We use minimal cookies:
- Essential cookies: Session management and authentication (strictly necessary)
- Analytics: We use privacy-respecting analytics to understand usage patterns. No cross-site tracking.
We do not use advertising cookies or share cookie data with third parties.
11. Children's Privacy
Our Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child, we will take steps to delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the “Last updated” date. For significant changes, we will provide additional notice (e.g., email notification or in-dashboard banner).
13. Contact Us
If you have questions about this Privacy Policy or our data practices:
- Email: privacy@nexusnest.dev
- Data Protection Officer: dpo@nexusnest.dev
- Grievance Officer (DPDP Act): grievance@nexusnest.dev