Privacy Policy

Last updated: May 16, 2026

1. Introduction

NexusNest Technologies Private Limited (“NexusNest”, “we”, “us”, or “our”) operates the NexusNest platform, including the PromptWall and NetLens products (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

We are committed to protecting your privacy and handling your data in an open and transparent manner. This policy is written with the Indian Digital Personal Data Protection Act, 2023 (DPDP Act) in mind. We do not currently hold SOC 2 or ISO 27001 certifications; certification work is on our roadmap and we will update this page when it lands.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Name, email address, and organization name
  • Billing information (processed securely by Razorpay - we do not store card details)
  • Account credentials (passwords are hashed and never stored in plaintext)

2.2 PromptWall - AI Redaction Data

When the PromptWall agent processes AI requests under normal conditions:

  • Original prompts are scrubbed in-line by the redaction pipeline before storage - the version retained on our servers has sensitive fields replaced by category placeholders (e.g., [REDACTED_EMAIL], [REDACTED_CREDENTIAL]). See Section 2.2.1 for the narrow exception that applies when the redaction pipeline is temporarily unavailable.
  • Redacted prompts may be logged for tenant administrator review
  • Redaction is one-way and irreversible - there is no mechanism to recover original data from a redacted output
  • Detection metadata: category of data detected, number of fields redacted, AI tool involved, timestamp

2.2.1 Degraded-Mode Audit Capture (important exception)

The redaction pipeline can be temporarily unavailable for a number of reasons. These include, but are not limited to: your tenant's monthly redaction quota being exhausted, a license becoming inactive or revoked, a machine being de-registered or revoked, network connectivity loss between the agent and our redaction endpoint, transient server-side errors or maintenance windows, malformed responses caused by version skew, or any other condition that prevents the in-line scrubbing pipeline from completing for a given request. In any of these situations the agent does not block your AI request - your work continues. The request is forwarded to the AI provider unredacted.

When the agent forwards an unredacted prompt because redaction was unavailable, the original prompt text is captured and stored in the tenant's audit trail. This is a deliberate transparency feature - administrators need to see precisely what content left employee devices unprotected so they can assess exposure and take corrective action. The captured row is clearly flagged with the reason redaction was skipped (quota exhausted, license inactive, server unreachable, etc.) and is visible only to administrators of the tenant whose machine produced it.

Specifically, in degraded mode:

  • The full unredacted prompt text is stored in the tenant's network and redaction audit logs
  • The row carries a maskingSkipReason indicating why scrubbing was bypassed
  • Tenant administrators see a sticky banner across the dashboard explaining that AI traffic is currently being forwarded unredacted
  • The same retention windows in Section 7 apply - degraded-mode captures are not retained longer than scrubbed captures
  • Degraded-mode captures are never used to train or improve any model, never sold, and never shared outside the tenant

If you do not want unredacted prompts to be captured during degraded periods, the controlling administrator can disable redaction entirely (which stops both interception and capture for AI traffic) via the Privacy panel in your dashboard. Note that disabling redaction removes the protective layer of the product.

2.3 NetLens - Network Monitoring Data

When the NetLens agent logs network activity:

  • Request metadata: URL, domain, HTTP method, status code, response time
  • Device metadata: machine ID, IP address, user agent
  • We do not log request or response bodies for non-AI traffic
  • Network logs are retained for up to 90 days and then automatically deleted

2.4 Usage and Analytics Data

  • Dashboard usage patterns (pages visited, features used)
  • Device and browser information
  • IP address and approximate location

3. How We Use Your Information

We use collected information to:

  • Provide, maintain, and improve the Service
  • Process AI requests through the redaction pipeline and deliver redacted outputs
  • Generate audit logs and analytics for your tenant administrators
  • Process payments via Razorpay
  • Send transactional communications (account verification, billing, security alerts)
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations

We do not: sell your data, use your data to train AI models, share your prompts or network logs with third parties, or use your data for advertising purposes.

4. Data Processing and Detection

PromptWall uses a proprietary multi-layered detection engine to identify sensitive data. Key privacy guarantees:

  • All processing occurs on isolated infrastructure we control - your data is never sent to third-party providers
  • Your data is never used to train, fine-tune, or improve any models
  • Detection results are not shared across tenants - each organization's data is strictly isolated
  • Under normal operation, the detection pipeline scrubs sensitive content before any storage. The narrow exception is described in Section 2.2.1 (Degraded-Mode Audit Capture), where unredacted content is retained inside the tenant's audit trail when the pipeline was unavailable to scrub it

5. Data Sharing and Disclosure

We share your information only in the following circumstances:

5.1 Service Providers

  • Razorpay: Payment processing. Razorpay processes your payment information in accordance with their Privacy Policy and is PCI DSS Level 1 compliant. We do not store your full card number, CVV, or bank account details.
  • Microsoft Azure: Cloud infrastructure hosting. Data is stored in Indian data centres (Central India - Mumbai region). Microsoft processes data under their data processing agreement.

5.2 Legal Requirements

We may disclose your information if required by law, court order, or government request, or if we believe disclosure is necessary to protect the rights, property, or safety of NexusNest, our users, or the public.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will provide notice before your personal data is transferred and becomes subject to a different privacy policy.

6. Data Security

We implement industry-standard security measures:

  • Encryption in transit: All data is encrypted using TLS 1.2+ for data in transit
  • Encryption at rest: All stored data is encrypted using AES-256 encryption
  • Access controls: Role-based access control (RBAC) with least-privilege principles
  • Multi-tenant isolation: Each organization's data is logically isolated at the database level with row-level security
  • Secrets management: All credentials and API keys are stored in Azure Key Vault
  • Audit logging: All administrative actions are logged and retained
  • Network security: Database and internal services are on private subnets with no public internet access
  • Incident response: We maintain a documented incident response plan with defined escalation procedures
  • Password security: Passwords are hashed using scrypt with unique salts

7. Data Retention

  • Account data: Retained for the duration of your subscription, plus 30 days after cancellation
  • Audit logs: Retained for 90 days, then automatically purged
  • Network logs: Retained for 90 days, then automatically purged
  • AI redaction logs: Retained for 90 days, then automatically purged
  • Payment records: Retained as required by Indian tax law (typically 8 years)

Enterprise customers may negotiate custom retention periods. You can request early deletion of your data at any time.

8. Your Rights

8.1 Under the DPDP Act (India)

As a Data Principal, you have the right to:

  • Access a summary of your personal data and processing activities
  • Correct inaccurate or incomplete personal data
  • Erase your personal data (subject to legal retention obligations)
  • Nominate another person to exercise your rights in case of death or incapacity
  • Grievance redressal - contact our Data Protection Officer

8.2 Other jurisdictions

We are an Indian company subject to Indian law. Customers based outside India may have additional statutory rights under their local privacy regulations; reach out to hello@nexusnest.io and we will honour any reasonable request to the extent the law requires.

To exercise any of these rights, contact us at privacy@nexusnest.dev. We will respond within 30 days.

9. International Data Transfers

Our primary data storage is in India (Azure Central India - Mumbai). If your data is transferred outside India, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) for EU data transfers
  • Data processing agreements with all sub-processors
  • Compliance with applicable data localisation requirements

10. Cookies and Tracking

We use minimal cookies:

  • Essential cookies: Session management and authentication (strictly necessary)
  • Analytics: We use privacy-respecting analytics to understand usage patterns. No cross-site tracking.

We do not use advertising cookies or share cookie data with third parties.

11. Children's Privacy

Our Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child, we will take steps to delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the “Last updated” date. For significant changes, we will provide additional notice (e.g., email notification or in-dashboard banner).

13. Contact Us

If you have questions about this Privacy Policy or our data practices: