Privacy Policy
Last updated: March 2026
This Privacy Policy explains how Nexbree ("we", "us", "our") collects, uses, stores, and protects your personal information when you use our website, applications, and services (the "Service"). We are committed to protecting your privacy and being transparent about our data practices.
The short version
- We never train AI models on your data. Your decisions, conversations, and business context are never used to train, fine-tune, or improve any AI model — ours or anyone else's.
- You own your data. We process it only to provide the Service. You can export or delete everything at any time.
- No ads, no selling. Nexbree is a subscription product. We do not sell, rent, or share your personal data with advertisers or data brokers.
- You control retention. Choose how long conversations are stored: 30 days, 90 days, 1 year, or indefinitely. Or use session-only mode.
1. Information we collect
Information you provide
- Account information: Name, email address, password (hashed), profile image, organization name.
- Decision content: Questions, conversations, business context, documents, and files you submit for AI analysis.
- Organization data: Team members, roles, workspace settings, NexGuard rules, and governance configurations.
- Payment information: Billing details processed by Stripe and Razorpay. We do not store full credit card numbers.
- Communications: Messages you send to our support team.
Information collected automatically
- Usage data: Features used, pages visited, decisions created, time spent — to improve the Service and provide analytics.
- Device information: Browser type, operating system, screen resolution, IP address (for security and approximate geolocation).
- Cookies: Essential authentication cookies and optional analytics cookies. See the "Cookies" section below.
- AI interaction metadata: Model used, tokens consumed, latency, error rates — for quality monitoring, not content analysis.
Information from third-party connectors
If you connect data sources (Slack, Jira, Google, GitHub), we access data in real time to provide contextual AI analysis. We do not permanently store connector data — it is queried on demand and discarded after the session unless you explicitly save it to Brain memory.
2. How we use your information
- Provide the Service: Process your questions through AI models, generate analysis, store decisions, enable collaboration.
- Improve the Service: Analyze aggregate usage patterns (not individual content) to improve features, performance, and reliability.
- Communicate: Send transactional emails (account verification, password reset, billing), product updates, and security notifications.
- Protect: Detect and prevent abuse, fraud, and security threats.
- Legal compliance: Respond to legal requests, enforce our Terms, and comply with applicable laws.
3. How AI processes your data
When you submit a question or conversation, Nexbree sends your prompt to third-party AI providers (Anthropic Claude, OpenAI GPT) for processing. Important details:
- Your data is sent to the AI provider only for real-time processing — it is not stored by the provider beyond the API session.
- Neither Nexbree nor our AI providers use your data to train, fine-tune, or improve any AI model.
- We have data processing agreements with all AI providers that prohibit model training on customer data.
- AI-generated outputs are stored in your Nexbree account and treated as your data.
- You can use your own API keys (Pro plan and above) for direct control over AI processing.
4. Data storage and security
- All data is encrypted at rest (AES-256) and in transit (TLS 1.3).
- Database credentials and API keys are encrypted with per-organization keys managed via cloud KMS.
- Infrastructure is hosted on SOC 2 Type II certified cloud providers.
- Access to production systems requires multi-factor authentication and is limited to authorized personnel.
- We conduct regular security audits and vulnerability assessments.
For more details, see our Security page.
5. Data retention
- Conversations: Retained per your settings (30 days, 90 days, 1 year, or indefinitely). Configurable in Settings → Data & Privacy.
- Decision records: Retained until you delete them or your account is terminated.
- Account data: Retained while your account is active. Deleted within 30 days of account termination.
- Backups: Encrypted backups are purged within 90 days of data deletion.
- Audit logs: Retained for 1 year (Enterprise) or 90 days (other plans).
- Session-only mode: When enabled, conversations are not persisted to the database. Only the final decision artifact is saved.
6. Data sharing
We do not sell your personal data. We share data only with:
- AI providers: Anthropic and OpenAI — for processing your prompts (not for training).
- Payment processors: Stripe and Razorpay — for subscription billing.
- Email delivery: Resend — for transactional emails.
- Infrastructure: Cloud hosting providers — for data storage and computation.
- Legal requirements: When required by law, court order, or to protect our rights and safety.
We maintain a list of sub-processors in our Data Processing Agreement.
7. Cookies
Nexbree uses:
- Essential cookies: Authentication session, CSRF protection, workspace selection. Required for the Service to function. Cannot be disabled.
- Analytics cookies: Anonymous usage tracking to improve the Service. Can be disabled in Settings → Privacy.
We do not use advertising cookies, tracking pixels, or third-party ad networks.
8. Your rights
Depending on your location, you have the following rights:
All users
- Access: Export all your data from Settings → Data & Privacy → Export.
- Deletion: Delete all conversations, decisions, or your entire account.
- Correction: Update your information in Settings → Profile.
- Portability: Export your data in machine-readable JSON format.
EU/EEA residents (GDPR)
You additionally have the right to restriction of processing, objection to processing, withdrawal of consent (where processing is based on consent), and to lodge a complaint with your local data protection authority. Our legal basis for processing is contract performance (providing the Service you signed up for) and legitimate interest (improving the Service, preventing fraud).
India residents (DPDPA)
Under the Digital Personal Data Protection Act, 2023, you have the right to access, correction, erasure, and grievance redressal. Our Grievance Officer can be reached at grievance@nexbree.com. See our Grievance Redressal page for the full process.
California residents (CCPA)
We do not sell personal information. You have the right to know what personal information we collect, to request deletion, and to non-discrimination for exercising your rights.
9. Children's privacy
Nexbree is not intended for children under 16 years of age. We do not knowingly collect personal data from children. If we discover we have collected data from a child under 16, we will delete it promptly.
10. International data transfers
Your data may be processed in countries outside your country of residence where our infrastructure and AI providers operate. Such transfers are protected by Standard Contractual Clauses (SCCs) or equivalent legal mechanisms. Enterprise customers can specify data residency requirements.
11. Changes to this policy
We may update this policy from time to time. Material changes will be notified via email and/or in-app notification at least 30 days before they take effect. The "Last updated" date at the top reflects the most recent revision.
12. Contact
For privacy-related questions or to exercise your rights:
We respond to all privacy requests within 72 hours.