Privacy Policy
This Privacy Policy ("Policy") describes how Nxera Digital LLC ("Nxera," "we," "us," "our") collects, uses, discloses, retains, and safeguards information about clients, prospective clients, postcard recipients, website visitors, and other individuals (collectively, "you") in connection with: getnxera.com and all of its subdomains; websites Nxera hosts at *.getnxera.com on behalf of its clients (each, a "Hosted Site"); the Nxera client portal; the Services; and any related platforms, applications, communications, and APIs (collectively, the "Services").
This Policy is incorporated by reference into the Nxera Terms of Service (the "Terms"). Capitalized terms not defined here have the meanings given in the Terms. This Policy is supplemented by the Cookie Policy (cookies and tracking technologies) and the Data Processing Addendum (B2B Processor obligations).
By accessing or using the Services, you acknowledge that you have read and understood this Policy. If you do not agree, do not use the Services.
1. Scope and Roles
1.1 Information We Collect About You as a Client
For Nxera Clients, Nxera acts as a "controller" (or "business" under the CCPA/CPRA) of Personal Data we collect about the Client and its authorized representatives (e.g., your name, email, business address, payment data, Site usage).
1.2 Information You Provide About Others
For information about other people that you provide to Nxera (e.g., postcard recipient lists, employee photos, customer reviews and testimonials, third-party contact data), Nxera acts as a "processor" (or "service provider" under the CCPA/CPRA) acting on the Client's documented instructions. The Data Processing Addendum applies to that Processing. You represent that you have a lawful basis to provide that information to Nxera.
1.3 Information We Collect About Visitors to Hosted Sites
Information collected via cookies, page views, or forms on a Hosted Site is collected on behalf of the Client operating that Hosted Site. The Client is the controller of that data; Nxera is a processor. Visitors should consult that Client's own privacy policy.
2. Information We Collect
2.1 Information You Provide Directly
- Account and contact data: business name, contact name, email, phone, mailing address, time zone, language preferences.
- Business profile data: industry, services, service area, license numbers, certifications, years in business, photos, logos, brand colors, descriptions, hours, FAQs, reviews, testimonials, team data, social-media handles, USPs, financing/warranty info.
- Payment data: payment method information processed by Stripe, Inc. Nxera does not store full card numbers; Nxera receives and stores only the brand, last four digits, expiration, and a Stripe payment-method ID.
- Communications: the content of emails, in-product chats, support tickets, and other messages you send to Nxera or its AI agents.
- Content you upload to the intake form, portal, or other channels.
- Information you provide about third parties (e.g., recipient lists, customer testimonial sources).
2.2 Information Collected Automatically
- Device and connection data: IP address, device identifiers, browser type and version, operating system, screen size, language, referring URL.
- Usage data: pages visited, features used, links clicked, timestamps, session length, navigation paths.
- Cookies and similar technologies: as described in the Cookie Policy.
- AI visibility scan data: scores, mentions, competitors found, missing elements, snapshots of search and AI-platform output.
- AI platform probe data: We directly query major AI platforms (including OpenAI ChatGPT, Anthropic Claude, and Google Gemini) with questions a real customer might ask about your business, your industry, and your local market. We record whether each platform mentions your business, which competitors it recommends instead, the verbatim text of each response, and the factors each platform cites when making recommendations. These probes run during your initial scan and on the 1st of each month thereafter.
- Entity and knowledge graph data: We query the Google Knowledge Graph Search API and the Wikidata public API to assess how well-established your business identity is across major data sources. We record whether your business has an entity match, the type and confidence of any match found, and related metadata.
- Metro-wide AI sweep data: We run weekly automated probes across AI platforms for your city and industry to track which businesses AI recommends over time. This data is stored to build historical trend analysis and competitive benchmarking for your monthly reports. Sweep data covers all businesses AI mentions in your market, not only your business.
- Website technical analysis data: We use the Google PageSpeed Insights API to measure your website's mobile and desktop performance, accessibility, and SEO scores. We also parse your website's HTML to detect schema.org structured data, meta tags, technology stack, robots.txt directives, sitemap presence, SSL certificate status, security headers, and DNS records (including SPF, DKIM, and DMARC email authentication). We estimate your website's carbon footprint per page view using the Website Carbon methodology.
2.3 Information from Third Parties
- Public data sources: Google Places (business listings), state license registries (where applicable), publicly available web pages.
- Payment processor: Stripe (transaction status, fraud signals, basic card metadata).
- Email provider: Resend (delivery, open, and bounce metadata).
- Postcard provider: Lob (production status, delivery confirmations).
- Identity / verification: if Nxera retains a verification provider in the future, identity-verification responses.
- AI platforms (ChatGPT, Claude, Gemini): AI-generated responses to industry and location-specific queries about your business and competitors. These are API responses, not user conversations.
- Google Knowledge Graph: Entity match data for your business name and domain.
- Wikidata: Public entity data linked to your business or domain.
2.4 Sensitive Categories
You agree not to provide Nxera with sensitive personal data — including health, biometric, government identifier, financial-account, sexual-orientation, religious, trade-union, criminal, or children's data — except as expressly authorized in writing by Nxera. We do not knowingly request or rely on sensitive data and we are not responsible for safeguards specific to such data unless explicitly agreed.
2.5 Children
The Services are intended for adults (18+). Nxera does not knowingly collect Personal Data from individuals under 18. If you believe a minor has provided us Personal Data, contact info@getnxera.com and we will delete it.
3. How We Use Information
We use information for purposes including:
- (a) Service delivery: building and hosting your website, generating monthly reports, producing postcards, monitoring AI visibility, providing customer support.
- (b) Account management: creating and maintaining your account, verifying identity, communicating with you about your account.
- (c) Billing and fraud prevention: processing payments, retrying failed payments, detecting and preventing fraud, enforcing the Terms.
- (d) Transactional and operational communications: sending you receipts, billing notices, security alerts, scheduled-maintenance announcements, legal notices, and similar messages.
- (e) Marketing communications: sending you product updates, promotions, tips, and other marketing content (you can unsubscribe at any time using the link in those messages).
- (f) Product improvement: analyzing usage to improve features, performance, and stability; training and improving Nxera's internal models, agents, and prompts in aggregated, anonymized, or de-identified form.
- (g) Analytics and reporting: generating internal analytics and customer-facing visibility reports.
- (g-1) AI visibility monitoring and competitive analysis: probing AI platforms to determine whether and how they recommend your business; tracking which competitors appear in AI recommendations in your market; analyzing the factors AI platforms cite when making recommendations; building historical trend data to measure your visibility progress over time.
- (h) Legal compliance: complying with legal obligations, responding to lawful requests, defending Nxera's legal rights, enforcing the Terms.
- (i) Business operations: corporate development, audits, financial planning, accounting, tax compliance, insurance.
We process information based on the following lawful grounds (where required by law): performance of contract, our legitimate interests (operating the business, security, fraud prevention, product improvement), your consent (where applicable, e.g., marketing emails in some jurisdictions), and compliance with legal obligation.
4. How We Share Information
We share information only as described below. We do not sell or share Personal Data for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.
4.1 Sub-processors / Service Providers
We share information with vetted third-party providers who perform services on our behalf and are bound by contract to use the information only for those services and consistent with our instructions. The current list is published in the Data Processing Addendum (Section 5.2) and at getnxera.com/sub-processors.
4.2 Postcard Recipients
When you direct Nxera to mail postcards, your business name and the content of the postcard appear on those postcards by design. Recipients who receive a postcard see the content you authorized.
4.3 Public Display on Hosted Sites
Information you provide for display on your Hosted Site is publicly visible to anyone who visits the site. That is the inherent nature of having a public website.
4.4 Legal and Safety Disclosures
We may disclose information when we reasonably believe disclosure is necessary to: (a) comply with applicable law, regulation, court order, or other legal process; (b) protect the rights, property, or safety of Nxera, our Clients, or any third party; (c) detect, prevent, or address fraud, security, or technical issues; (d) defend against legal claims.
4.5 Business Transfers
In the event of a merger, acquisition, financing, reorganization, bankruptcy, sale of assets, or similar transaction, information may be transferred to the successor or acquirer. We will require any successor to honor this Policy or provide notice and choices.
4.6 With Your Consent
We may share information for any other purpose with your express consent.
4.7 No Sale; No Cross-Context Behavioral Advertising
We do not sell Personal Data for money or other valuable consideration. We do not share Personal Data for cross-context behavioral advertising. If we ever change this practice, we will provide notice and a meaningful opportunity to opt out before the change takes effect.
5. Data Retention
We retain Personal Data for as long as necessary to fulfill the purposes described in this Policy, including:
- Active account data: for the duration of your subscription.
- Billing and tax data: for at least seven (7) years after the last transaction, as required for tax and audit purposes.
- Customer Content: during the subscription, plus thirty (30) days post-termination, after which it is permanently deleted unless you have requested an export.
- AI visibility scan data and historical reports: retained indefinitely for trend analysis and aggregated benchmarking, in identifiable form for the duration of the subscription and aggregated/de-identified thereafter.
- Marketing and contact data: until you opt out, after which we retain a minimal suppression record to honor your opt-out.
- Backups: rolling backups are retained per our infrastructure providers' default schedules and are subject to natural overwriting, typically within 30-90 days.
- Logs: application and access logs are retained for security, fraud, and debugging purposes for up to twenty-four (24) months, except where longer retention is needed for an open investigation.
When we no longer need Personal Data, we will delete or de-identify it, except where retention is required by law, necessary for legal claims, or otherwise within an exception in this Policy.
6. Your Rights and Choices
Depending on your jurisdiction, you may have rights regarding your Personal Data.
6.1 Universal Rights
You may always:
- Update your account information through the portal or by emailing info@getnxera.com.
- Unsubscribe from marketing communications using the link in any marketing email. Transactional and account messages cannot be unsubscribed from while you remain a Client.
- Request export of Customer Content as provided in the Refund Policy and Terms.
6.2 California (CCPA/CPRA)
California residents have rights to: (a) know the categories and specific pieces of Personal Data we have collected about you, the sources, the purposes, and the categories of recipients; (b) delete Personal Data, subject to legal exceptions; (c) correct inaccurate Personal Data; (d) opt out of sale or sharing (we do not sell or share, but the opt-out right exists); (e) limit use of sensitive personal information (we do not knowingly collect sensitive personal information for purposes that would trigger this right); (f) non-discrimination for exercising these rights.
To exercise CCPA rights, email info@getnxera.com with subject line "CCPA Request" and your account email and a description of the request. We will verify your identity (typically via the email on file) before fulfilling the request. We will respond within 45 days, with a possible extension as permitted by law. You may designate an authorized agent in writing.
6.3 Other US States
We extend equivalent rights (access, deletion, correction, portability, opt-out of sale/sharing) to residents of all U.S. states with applicable comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Florida, Delaware, New Jersey, New Hampshire, Maryland, Minnesota, Rhode Island, and any others as they take effect). Same email contact and procedure as Section 6.2.
6.4 International Rights (Future)
Nxera currently provides Services to U.S. clients. If we expand internationally, we will publish jurisdiction-specific rights and procedures (including GDPR rights for the EU/UK and PIPEDA rights for Canada) at that time. We will not enroll non-U.S. clients before those procedures are in place.
6.5 Limits and Exceptions
We may decline a request where: (a) we cannot verify your identity; (b) the request is excessive, repetitive, or manifestly unfounded; (c) fulfilling the request would violate a legal obligation, infringe another person's rights, or compromise an active investigation; (d) the data is necessary to complete a transaction, protect against fraud, comply with law, or for our legitimate business interests as permitted by law. We will explain any denial in writing.
7. Cookies and Similar Technologies
See the Cookie Policy for details on cookies and tracking technologies, including the strictly-necessary, functional, and analytics cookies we use, and your choices.
We do not currently respond to "Do Not Track" browser signals because there is no industry consensus on how to interpret them. We do, however, honor opt-out signals required by applicable law (such as the Global Privacy Control, "GPC," to the extent applicable to our practices).
8. Security
We implement and maintain administrative, technical, and physical safeguards designed to protect Personal Data against unauthorized access, disclosure, alteration, and destruction, including:
- Encryption: TLS 1.2 or higher in transit; encryption at rest provided by underlying cloud infrastructure (Supabase, Vercel).
- Access controls: least-privilege role-based access for Nxera personnel; multi-factor authentication for all staff access to production systems; multi-factor authentication available for Client portal accounts.
- Network and platform security: bot mitigation and DDoS protection via Cloudflare; vulnerability monitoring of dependencies and infrastructure.
- Backups and recovery: regular database backups with point-in-time recovery via Supabase.
- Personnel: confidentiality obligations and security training for staff.
- Vendor risk management: Sub-processors selected with consideration of security and data-protection commitments.
- Incident response: documented procedures for detecting, containing, and notifying on Personal Data breaches.
No security system is impenetrable. Despite our safeguards, we cannot and do not guarantee absolute security. You are responsible for safeguarding your account credentials and notifying Nxera of suspected unauthorized access (Section 2.4 of the Terms).
In the event of a data breach affecting your Personal Data, we will provide notice as required by applicable law.
9. International Data Transfers
We are based in the United States. Personal Data is processed in the United States. By using the Services, you consent to the transfer, processing, and storage of your information in the United States, which may have different data-protection laws than your jurisdiction. If we expand internationally, we will rely on lawful transfer mechanisms (e.g., Standard Contractual Clauses) for any cross-border transfer that requires them.
10. Third-Party Links
The Services may link to third-party websites, apps, or services (including Hosted Sites with embedded third-party widgets at the Client's direction). Nxera is not responsible for the privacy or security practices of those third parties. We encourage you to review their privacy policies before using them.
11. Hosted-Site Visitors
Visitors to a Hosted Site at [clientslug].getnxera.com should consult the privacy policy of the Client operating that site. Nxera processes data on behalf of the Client; the Client decides what data is collected, how it is displayed, and how it is used. For questions about a specific Hosted Site, contact the Client directly.
12. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices, the Services, or applicable law. We will post the updated Policy on the Site with a new effective date. Material changes will be communicated by email at least thirty (30) days before they take effect. Your continued use after the effective date constitutes acceptance of the updated Policy.
13. Disputes
Any dispute arising out of or relating to this Policy is subject to the dispute-resolution provisions of the Terms (Section 16), including binding individual arbitration, class-action waiver, and the one-year limitations period.
14. Contact
For questions, requests, or complaints about this Policy or our privacy practices:
Nxera Digital LLC — Privacy
1201 E Ponce De Leon Blvd
Coral Gables, FL 33134
info@getnxera.com
This Privacy Policy was last updated on April 15, 2026. Version 2.0.