Last updated: 18 December 2025
This Privacy Policy explains how Nexa AI ERP Ltd (“Nexa”, “we”, “us”, “our”) collects, uses, discloses, and protects personal data when you use our websites, applications, APIs, and cloud-based enterprise resource planning platform (together, the “Services”).
We are committed to protecting privacy and complying with applicable data protection laws, including the UK GDPR and the Data Protection Act 2018.
1) Who we are (Data Controller)
Data Controller (for website and Nexa’s own business processing):
Nexa AI ERP Ltd
Unit 17 Orbital 25 Business Park, Dwight Road, Watford, England, WD18 9DA
Company number: 16863050
Email: info@nexaai.co.uk
Important note (processor role): When your organisation uses Nexa’s platform and uploads personal data about employees, customers, suppliers, or other individuals, your organisation is typically the data controller and Nexa acts as a data processor on your behalf. (See Section 6.)
2) The personal data we collect
We collect different types of personal data depending on how you interact with Nexa.
2.1 Data you provide to us
This may include:
• Name, job title, company name
• Email address, phone number, and business contact details
• Account registration details (including role/permission assignments in the platform)
• Billing details (and payment status/transaction references)
• Support requests and communications
• Content you submit through the Services (for example, notes, records, attachments, and documents) where you choose to upload them
2.2 Data we collect automatically
This may include:
• Device and browser information
• IP address and approximate location derived from IP
• Log data (timestamps, pages viewed, feature usage, API calls, error logs)
• Security and audit logs (for example, sign-in events and administrative actions)
2.3 AI/automation feature data (if you use these features)
If you use AI-enabled or automation features, we may process:
• prompts/instructions you submit,
• relevant context from the data you are working with (as needed to perform the requested task),
• outputs produced by the feature, and
• operational logs required for security, troubleshooting, and reliability.
We do not sell personal data.
3) How we use personal data
We use personal data to:
• Provide and operate the Services (including authentication and access control)
• Set up and administer accounts and Authorised Users
• Provide customer support, onboarding, and training
• Process subscriptions, billing, and payments
• Maintain security, prevent fraud/abuse, and monitor platform integrity
• Maintain auditability and logs where required for operational/security purposes
• Communicate service notices, security updates, and changes to the Services
• Comply with legal obligations (for example, accounting and tax requirements)
4) Our lawful bases for processing
Where we act as a controller, we process personal data under one or more of these lawful bases:
• Contract: to provide the Services you request or your organisation purchases
• Legitimate interests: to secure, maintain, improve, and operate the Services (balanced against your rights)
• Legal obligation: to meet legal, tax, accounting, and regulatory requirements
• Consent: where required (for example, certain cookies and some marketing in certain contexts)
5) How we share personal data
We may share personal data with:
• Service providers that help us run the Services (e.g., cloud hosting, email delivery, support tooling, monitoring/alerting)
• Payment providers (where you purchase paid Services)
• Professional advisers (legal, accounting, audit) where necessary
• Authorities where required by law or to protect rights, safety, and security
We require service providers to protect personal data and only process it for permitted purposes.
6) Customer data: when Nexa is a processor
If your organisation uses Nexa’s platform and uploads or enters personal data (for example, employee HR records, payroll data, customer contact details), then:
• Your organisation is typically the controller
• Nexa is typically the processor
• We process that data in line with your organisation’s documented instructions (including configuration and use of the platform) and the relevant customer contract/DPA.
If you are an individual whose data has been uploaded by a Nexa customer (e.g., an employee), you should direct requests (access, deletion, correction) to the relevant customer organisation first. We will support our customer to fulfil valid requests.
7) International transfers
Your data may be processed in countries outside the UK/EEA depending on where our service providers operate. Where international transfers occur, we use appropriate safeguards (such as approved contractual protections) as required by applicable law.
8) Data retention
We keep personal data only as long as necessary for the purposes described in this Policy, including:
• Account data: while the account is active, and for a reasonable period thereafter for security, dispute resolution, and continuity
• Billing/finance records: for as long as needed to meet legal and tax obligations
• Security and audit logs: for a period appropriate to security needs and operational requirements
• Backups: retained for limited periods and overwritten on a rotating schedule
If you are a customer and want specific retention periods for your tenant/workspace, contact us at info@nexaai.co.uk.
9) Security
We implement appropriate technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration, or disclosure.
No method of transmission or storage is completely secure. You are responsible for securing your own credentials, devices, and access by Authorised Users.
10) Your rights
Depending on the context and applicable law, individuals may have rights including:
• Access to personal data
• Correction of inaccurate personal data
• Erasure (in certain circumstances)
• Restriction of processing (in certain circumstances)
• Data portability (in certain circumstances)
• Objection to processing (in certain circumstances)
Where Nexa is the controller, you can exercise rights by contacting info@nexaai.co.uk. Where Nexa is a processor, you should contact the relevant Nexa customer organisation (the controller) first. 
11) Cookies and similar technologies
We use cookies and similar technologies to operate the website and Services, including:
• essential cookies (for core functionality such as sessions/security),
• preference cookies (where applicable), and
• analytics/performance measurement (where applicable).
You can control cookies through your browser settings and any cookie controls presented on our site (where implemented).
12) Marketing communications
We may send:
• service communications (important notices about accounts, security, changes, billing) — these are necessary to operate the Services.
• marketing communications where permitted by law — you can opt out at any time using the unsubscribe link or by emailing info@nexaai.co.uk.
13) Children’s data
The Services are intended for business use and are not directed to children. We do not knowingly collect personal data from individuals under 18.
14) Third-party links
Our website or Services may contain links to third-party websites. We are not responsible for third-party privacy practices. Please review their policies.
15) Changes to this Policy
We may update this Privacy Policy from time to time. We will post the updated version on this page and revise the “Last updated” date. If changes are material, we may also provide additional notice (for example, in-app or by email).
16) Contact us and complaints
If you have questions or want to exercise your rights, contact:
Nexa AI ERP Ltd
Unit 17 Orbital 25 Business Park, Dwight Road, Watford, England, WD18 9DA
Email: info@nexaai.co.uk
If you are not satisfied with how we handle personal data, you have the right to complain to the UK Information Commissioner’s Office (ICO).
