NexaMails

Privacy Policy

Last updated: 31 May 2026 · Effective: 1 June 2026


1. Who we are

NexaMails (the "Service") is operated by LinkRoute Logistics International B.V. ("we", "us", "our"), with registered office at Weena 690, 3012 CN Rotterdam, Netherlands, KvK number 84263482.

We are the data controller for personal data processed in connection with the Service, as defined under the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").

You can contact us at support@nexamails.ai or by writing to the address above.

2. What data we collect

We only collect data needed to operate the Service. Specifically:

2.1 Account & identity

  • Google account info (when you sign in): your email address, display name, and profile picture as returned by Google's OAuth.
  • Google OAuth tokens — encrypted access & refresh tokens that let us read and write your email and calendar on your behalf. We store these encrypted at rest.

2.2 Email & calendar content

  • Inbox metadata cache — sender, subject, snippet, date, labels, and read/unread status of the most recent messages in your inbox, cached briefly so the inbox loads instantly. Stored in our database; refreshed in the background.
  • Message bodies — fetched from Gmail on demand (when you open a thread or ask Nexa to draft a reply). We don't permanently store full bodies; they're held only as long as needed to serve your request, then discarded.
  • Attachments — when you ask Nexa about an attached PDF, Word, Excel, or CSV file (Ultimate plan), we read the file's text on demand and send relevant text to our AI provider. We don't store attachments.
  • Calendar events — read and modified through Google Calendar API as you instruct. We don't store a copy.
  • Contacts — names and email addresses derived from your inbox to power features like Important Contacts and Smart Search. Stored in our database, scoped to your account.

2.3 AI conversations & memory

  • Your chat history with Nexa — text messages you send to the assistant, and Nexa's responses. Used to provide conversational context.
  • Persistent memory — facts you've told Nexa to remember ("Robin is on holiday next week"). You can view, edit, and delete these in Settings → Memory.
  • Voice mode (Ultimate plan): when you talk to Nexa, audio is streamed to OpenAI's Realtime API for transcription and response. We don't record or store the audio ourselves.

2.4 Subscription & billing

  • Stripe Customer ID and Subscription ID — references stored in our database so we can identify your subscription.
  • Subscription status (trialing / active / past due / canceled), current plan, and renewal date.
  • Card details: we never see your card — it is collected by Stripe's hosted checkout and stays with Stripe. Stripe is responsible for PCI compliance.

2.5 Technical & usage data

  • Service logs — IP address, browser type, pages visited, errors, and approximate location (city-level), retained for ~30 days for security and debugging.
  • Feature usage — which features you use and how often, in aggregated form, to improve the product.
  • Session cookie (essential) — see Cookies.

3. Why we collect it & legal basis

| Purpose | Data used | Legal basis (GDPR Art. 6) |
|---|---|---|
| Provide the email & AI assistant features | All categories above | Performance of contract |
| Process payments & subscriptions | Account, billing | Performance of contract |
| Send essential service emails (invoices, security) | Account, billing | Performance of contract / legal obligation |
| Detect abuse & secure the Service | Logs, usage | Legitimate interest |
| Comply with tax, accounting, and legal obligations | Billing data | Legal obligation |
| Improve features (in aggregate) | Anonymised usage | Legitimate interest |

We never train AI models on your data. Your emails, attachments, calendar, and chat with Nexa are not used to train Anthropic's, OpenAI's, or anyone else's general-purpose models. They are processed only to serve your individual requests, then discarded by our AI providers under their zero-retention agreements where available.

4. Who we share data with (sub-processors)

To run the Service we use the following data processors. We have data processing agreements in place with each:

| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic, PBC | AI chat & drafting (Claude) | USA |
| OpenAI OpCo, LLC | Voice mode (Realtime API) — Ultimate plan only | USA |
| Stripe Payments Europe, Ltd. | Subscription billing | Ireland (EU) |
| Google LLC | OAuth, Gmail API, Calendar API | USA / EU |
| Render Services, Inc. | Hosting & managed database | USA |
| Cloudflare, Inc. | DNS & (optionally) edge caching | USA |

We don't sell your data, share it with advertisers, or otherwise disclose it for purposes unrelated to running the Service.

5. International data transfers

Some of our sub-processors are located outside the European Economic Area, primarily in the United States. For these transfers, we rely on the European Commission's Standard Contractual Clauses (2021/914) and additional safeguards as required, including (where applicable) the EU-US Data Privacy Framework.

You can request a copy of the safeguards in place at any time.

6. How long we keep your data

  • Account & preferences: while your account is active. Deleted within 30 days of account deletion.
  • Inbox cache: rolling — typically the most recent ~30 days of message metadata, refreshed in the background.
  • Message bodies / attachments: ephemeral — held only while serving your request.
  • Stripe billing records: 7 years after the last invoice, as required by Dutch tax law (Algemene wet inzake rijksbelastingen, Article 52).
  • Service logs: ~30 days, then deleted.

7. Your rights under GDPR

You have the right to:

  • Access the personal data we hold about you (Article 15) — use Settings → Account → Download my data for an instant JSON export.
  • Rectify inaccurate data (Article 16) — edit it in Settings, or email us.
  • Erase your data (Article 17) — use Settings → Account → Delete my account. This removes everything except billing records we are legally required to retain.
  • Restrict processing (Article 18) — email us.
  • Data portability (Article 20) — the JSON export above is machine-readable.
  • Object to processing based on legitimate interests (Article 21) — email us.
  • Withdraw consent at any time, where processing is based on consent.

If you have a complaint, you also have the right to lodge it with the Autoriteit Persoonsgegevens (Dutch Data Protection Authority) at autoriteitpersoonsgegevens.nl.

8. How we protect your data

  • Encryption in transit — all traffic over HTTPS/TLS 1.2+.
  • Encryption at rest — OAuth tokens are encrypted in our database.
  • Minimum-scope OAuth — we only request the Google scopes necessary to provide the Service.
  • Revoke any time — you can revoke our access from your Google account in two clicks; we lose access immediately.
  • Access controls — only authorised personnel can access production systems.

No system is perfectly secure. If we discover a personal data breach, we will notify the Autoriteit Persoonsgegevens within 72 hours where required, and notify affected users without undue delay.

9. Cookies

We use only essential cookies:

  • nexa_session — your signed-in session token. Strictly necessary; deleted when you sign out.
  • nexa_auth_next — short-lived (10 min) cookie used during the Google OAuth flow to remember which page you were trying to reach.

We do not use marketing, advertising, or third-party tracking cookies.

10. Changes to this policy

If we make material changes we will notify you by email and/or via an in-app banner at least 30 days before the change takes effect. The "Last updated" date above always reflects the current version.

11. Contact us

Questions, requests, or complaints? Email support@nexamails.ai.

For data subject rights requests, please include enough information to verify your identity (the email address linked to your NexaMails account is usually enough).

© NexaMails — operated by LinkRoute Logistics International B.V.