Privacy Policy
Last updated: May 26, 2026
This Privacy Policy explains how NexoHub (“NexoHub,” “we,” “us,” or “our”) collects, uses, stores, discloses, and protects personal information when merchants, administrators, and authorized users use the NexoHub software-as-a-service platform, websites, Shopify application, Google Workspace integrations, AI agents, automations, dashboards, APIs, and related services (collectively, the “Service”).
NexoHub helps Shopify merchants operate AI agents and business automations, including cart recovery, customer winback, inventory-related workflows, order analysis, and other merchant-configured automations. The Service connects to Shopify, Google Workspace, Supabase, Gadget.dev, Vercel, Inngest, and AI model providers such as OpenAI and Anthropic.
Important data-role statement. For personal information relating to a Shopify merchant's customers, the merchant is generally the data controller that determines the purposes and means of processing, and NexoHub acts as a data processor that processes that information on the merchant's documented instructions. For personal information relating to our own website visitors, prospects, account administrators, and Service users, NexoHub may act as an independent controller.
1. Information We Collect
1.1 Merchant and User Account Information
When a Merchant creates or uses a NexoHub account, we may collect names, business email addresses, company name, Shopify store domain, role or title, login identifiers, authentication metadata, support requests, product feedback, and communication history.
1.2 Shopify Store and Protected Customer Data
When a Merchant connects their Shopify store, NexoHub may access and process Shopify data permitted by the Merchant's selected scopes and configuration. This may include orders, customers, inventory, products, abandoned checkouts, purchase history, store settings, fulfillment status, and related metadata. Protected Customer Data (such as first name, email address, order history, and checkout data) is processed only to provide Merchant-configured automations.
1.3 Google Workspace and Gmail Integration Data
If a Merchant connects Google Workspace or Gmail, NexoHub processes Google account data only as needed to provide the email-sending and automation features selected by the Merchant. This may include OAuth tokens, account identifiers, email address of the sending account, message IDs, delivery or error metadata, and the content of emails that NexoHub creates or sends on the Merchant's behalf.
NexoHub sends emails from the Merchant's connected Gmail or Google Workspace account, on behalf of the Merchant, and under the Merchant's instructions. The Merchant remains responsible for message content, recipient selection, consent, unsubscribe handling, and compliance with email marketing laws.
1.4 AI Agent Inputs and Outputs
When a Merchant enables AI agents, NexoHub may send limited data to AI model providers (OpenAI, Anthropic) to generate outputs such as email drafts, classifications, recommendations, or workflow decisions. NexoHub designs AI data flows to use the minimum information reasonably necessary for the configured workflow.
1.5 Session, Token, and Technical Data
NexoHub stores encrypted sessions, API tokens, OAuth tokens, integration status, webhook logs, IP addresses, device and browser information, error logs, audit logs, and timestamps. This information is used to operate integrations, maintain security, and support compliance.
2. How We Use Personal Information
We use personal information to:
- Provide, secure, maintain, and improve the Service
- Connect Shopify and Google Workspace accounts and run automations
- Send Merchant-configured emails through connected Gmail accounts
- Execute AI agent workflows on Merchant instructions
- Authenticate users and maintain security
- Respond to support requests and troubleshoot issues
- Comply with legal obligations
We do not use Merchant Customer data for unrelated advertising or sell data to third parties.
3. Merchant Responsibilities
Merchants control the data they connect to NexoHub and the automations they enable. Each Merchant is responsible for providing appropriate privacy notices to their customers, obtaining required consents or establishing another lawful basis, and ensuring that email content, recipient selection, and unsubscribe handling comply with applicable laws (including CAN-SPAM, GDPR, and ePrivacy rules).
4. Shopify Protected Customer Data
NexoHub accesses Shopify Protected Customer Data only to provide the specific app functionality requested by the Merchant. We apply data minimization, purpose limitation, access controls, encryption, monitoring, and retention controls in accordance with Shopify's requirements. We do not sell Shopify customer data or use it for unrelated third-party advertising.
5. Google API and Gmail Data
NexoHub's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including limited-use requirements. We use Google user data only to provide user-facing features such as sending Merchant-configured emails through the connected Gmail account, maintaining integration status, and troubleshooting authorized workflows.
6. How We Share Personal Information
NexoHub shares personal information only as described in this Policy or as required by law.
- Infrastructure providers: Vercel (hosting), Supabase (database/storage), Gadget.dev (Shopify backend), Inngest (background job processing)
- AI model providers: OpenAI, Anthropic — used for Merchant-configured AI outputs
- Connected platforms: Shopify, Google Workspace/Gmail — authorized by the Merchant
- Legal and regulatory authorities: Where required by law, court order, or regulator request
- Business transaction parties: In connection with a merger, acquisition, or sale of assets, subject to appropriate confidentiality protections
7. Data Retention
- Active systems: Merchant Customer Data is deleted or anonymized within 30 days after uninstall or termination, subject to legal obligations.
- Encrypted backups: Deleted according to backup rotation schedules, typically within 90 days.
- Security and audit logs: Retained for 90–180 days unless a longer period is required.
- Email sending records: Retained up to 24 months for auditability, suppression, and compliance.
- OAuth tokens: Retained while the integration is connected; deleted after disconnection.
8. Security
NexoHub implements encryption in transit and at rest, encrypted token storage, least-privilege access controls, audit logging, secure development practices, environment separation, incident response procedures, and vendor review. No internet-based service can guarantee absolute security. Merchants are responsible for maintaining secure credentials and protecting their connected accounts.
9. Security Incident Notification
NexoHub will notify affected Merchants without undue delay after becoming aware of a confirmed security incident involving Merchant Customer Data. Merchants are responsible for determining whether notification to regulators, their customers, or other parties is required.
10. Privacy Rights
Depending on location and applicable law, individuals may have rights to access, correct, delete, restrict, port, or object to processing of their personal information, and to lodge complaints with a supervisory authority. Because NexoHub usually acts as a processor for Merchant Customer data, Merchant Customers should submit requests directly to the relevant Merchant.
11. GDPR and EU/UK Rights
Where GDPR or UK GDPR applies, data subjects may have rights of access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. Where NexoHub acts as a processor, the Merchant is responsible for responding to data subject requests. Individuals may also lodge a complaint with a competent supervisory authority.
12. California Privacy Notice (CCPA/CPRA)
For Merchant Customer data, NexoHub acts as a service provider or contractor to the Merchant. NexoHub does not sell Merchant Customer personal information and does not share it for cross-context behavioral advertising. California residents may have rights to know, delete, correct, opt out of sale or sharing, and non-discrimination.
13. Israel Privacy Notice
Where Israeli privacy law applies, NexoHub processes personal information in accordance with applicable requirements, including purpose limitation, data security, and individual rights. Individuals in Israel may have rights to review information about them and request correction or deletion, subject to applicable legal conditions.
14. International Data Transfers
NexoHub and its subprocessors may process personal information in the United States, Israel, the European Economic Area, the United Kingdom, and other jurisdictions. Where required, NexoHub uses appropriate transfer safeguards such as standard contractual clauses.
15. Cookies
NexoHub may use cookies and similar technologies to operate the Service, authenticate sessions, and analyze performance. Where required by law, we will request consent before using non-essential cookies and provide a mechanism to manage preferences.
16. Children's Privacy
NexoHub is a business-to-business SaaS platform and is not intended for use by children. We do not knowingly collect personal information directly from children under 16.
17. Data Processing Addendum
Where required by applicable privacy law, NexoHub makes available a Data Processing Addendum governing NexoHub's processing of Merchant Customer Data on behalf of Merchants.
18. Changes to This Policy
We may update this Policy from time to time to reflect changes in our Service, integrations, or legal requirements. The “Last updated” date indicates when this Policy was last revised. Material changes will be communicated to account administrators.
19. Contact Us
For privacy questions or data protection requests, contact us at:
- Email: privacy@nexohub.app
- Website: nexohub.app
If you are a Merchant Customer, please contact the Shopify Merchant from whom you purchased goods or whose store collected your information.