Legal

Privacy Policy

How Nexalab processes data when you visit our website, evaluate the platform, or operate Nexalab on behalf of your organization. We act as a data processor for customer marketing data and a controller for our own contact and billing data.

Last updated February 23, 2026

Introduction

This Privacy Policy describes how Nexalab Digital Management ("Nexalab", "we", "us") collects, uses, discloses, and protects information when you use the Nexalab marketing data platform and related websites, APIs, and services (collectively, the "Services").

Nexalab is an enterprise B2B platform. The Services are made available to organizations under a subscription agreement, and most personal data we process is processed on behalf of our customers as part of providing the Services to them.

If you have questions or wish to exercise a right, contact us at info@nexalab.tech. For data processing inquiries from customer end users, the controller is typically the Nexalab customer that contracted with us, not Nexalab itself.

1

Our Role: Controller vs. Processor

Nexalab acts in two distinct capacities, depending on the data involved:

As a data processor. When our customers connect their advertising, CRM, warehouse, or product analytics systems and instruct Nexalab to ingest, transform, attribute, and surface that data, Nexalab processes that data on behalf of the customer. The customer is the data controller; Nexalab follows the customer's documented instructions under a Data Processing Agreement ("DPA") signed at onboarding.

As a data controller. For data we collect directly from website visitors, prospects, and customer account administrators — names, work emails, billing details, support communications, marketing preferences — Nexalab acts as the controller and this Privacy Policy governs that processing.

2

Data We Process

Account and contact data. Names, work email addresses, job titles, company names, and authentication identifiers for users you authorize to access the platform.

Customer marketing data. Whatever advertising spend, campaign, attribution, conversion, and revenue data you choose to route through Nexalab via our connectors or APIs. This is processed under your instructions only.

Billing data. Company name, billing contact, VAT/Tax ID, and invoice records. Payment card details are handled by our payment processor and never stored by Nexalab.

Usage and technical data. IP address, browser type, device identifiers, pages viewed, actions taken inside the platform, and server logs. Used to operate the Services, detect abuse, and improve product reliability.

Communications. Support tickets, emails to info@nexalab.tech, scheduled-call notes, and any content you share with our team.

3

Purposes & Legal Bases

Purpose Legal Basis
Providing the Services to our customer Performance of contract
Customer support and account administration Performance of contract
Billing, invoicing, and tax compliance Legal obligation
Securing the platform, fraud and abuse prevention Legitimate interest
Improving product features and reliability Legitimate interest
Marketing communications to prospects and customers Consent / Legitimate interest
Compliance with applicable laws and regulator requests Legal obligation
4

Sub-processors

Nexalab uses a small number of vetted sub-processors to run the Services. Categories include:

  • Cloud infrastructure — AWS / GCP / Azure regions selected per customer data residency requirements.
  • Data warehouse runtimes — when a customer routes processing to their own Snowflake / BigQuery / Redshift instance, that warehouse is the runtime; Nexalab does not duplicate data.
  • AI service providers — used selectively for natural-language query and anomaly summarization features. Customer raw data is never used to train third-party AI models. AI providers operate under DPAs that prohibit training and require minimum-necessary retention.
  • Email and customer support tooling — for transactional emails, demo scheduling, and ticketing.
  • Payment processing — for subscription billing and invoicing.

A current sub-processor list and notification mechanism for new sub-processors are provided under the DPA. Customers can subscribe to sub-processor change notifications at info@nexalab.tech.

5

Security

Nexalab implements administrative, technical, and physical safeguards designed to protect data against unauthorized access, alteration, disclosure, or destruction. These include encryption in transit and at rest, role-based access controls, audit logging, regular vulnerability scanning, and a least-privilege production-access model.

We undergo regular third-party security assessments and can provide a current security overview, sub-processor list, and penetration-test summary to customers under NDA. Report a security concern at info@nexalab.tech.

6

Retention & Deletion

Customer data is retained for the duration of the subscription and for a short additional period to allow re-activation, after which it is deleted or returned to the customer at their option, as specified in the DPA.

Account and contact data is retained while the account is active and for a reasonable post-termination period to satisfy legal, accounting, and audit requirements.

Billing data is retained for the period required by applicable tax law (typically 5–10 years depending on jurisdiction).

Marketing prospect data is retained until consent is withdrawn or the contact becomes inactive.

Customers may request deletion of their data at any time via info@nexalab.tech. Deletion requests are completed within thirty (30) days unless retention is required by law.

7

International Data Transfers

Nexalab is headquartered in Building A1, Dubai Digital Park, Dubai Silicon Oasis, Dubai, United Arab Emirates and operates across multiple regions. Data may be transferred to and processed in countries other than the one in which it was collected.

Where personal data is transferred from the European Economic Area, the United Kingdom, or other jurisdictions with cross-border transfer restrictions, Nexalab relies on appropriate safeguards including Standard Contractual Clauses, the UK International Data Transfer Agreement, or equivalent mechanisms.

Customer data residency can be configured at subscription time. Contact info@nexalab.tech for region-specific deployment options.

8

Your Rights

Depending on your location, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion (subject to legal retention requirements)
  • Object to or restrict certain processing
  • Receive a portable copy of your data
  • Withdraw consent where processing is based on consent
  • Lodge a complaint with a supervisory authority

For requests concerning data we process as controller, contact info@nexalab.tech. For requests concerning customer data we process as processor, direct your request to the customer that operates the Nexalab account; we will assist them in responding.

9

Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email to account administrators and reflected in the "Last Updated" timestamp at the top of this page. Continued use of the Services after a change indicates acceptance of the updated policy.

10

Contact

Nexalab Digital Management Building A1, Dubai Digital Park, Dubai Silicon Oasis, Dubai, United Arab Emirates

Email: info@nexalab.tech

For data processing requests, please include "Privacy" or "DPA" in the subject line so the request is routed correctly.

Have a privacy question?

We respond within one business day. Mark your email with "Privacy" or "DPA" and it'll route correctly.

Email info@nexalab.tech