Privacy Policy

NexaBots ("we", "us", or "our") operates the NexaBots platform, which provides an AI-powered WhatsApp commerce assistant for merchants. This Privacy Policy explains how we collect, use, share, and protect information about you when you use our website (nexabots.io) and our merchant dashboard platform.

By using our services, you agree to the collection and use of information as described in this policy. If you do not agree, please discontinue use of our services.

We collect the following categories of information:

a) Information you provide directly

• Account registration details: name, email address, business name
• API credentials and configuration you enter during onboarding
• WhatsApp Business number you connect to our platform
• Contact form submissions and support communications
• Waitlist sign-ups (email address only)

b) Information collected automatically

• Log data: IP address, browser type, pages visited, timestamps
• Usage data: features accessed, dashboard interactions, error events
• Device information: operating system, screen resolution
• Cookies and similar tracking technologies (see Section 8)

c) Data from third-party integrations

• WhatsApp Business API (Meta): message content, customer phone numbers, conversation metadata transmitted through your connected WhatsApp Business account
• E-commerce platform data (Salla or custom APIs): product catalogue, order details, customer information you authorise us to access

d) End-customer data (processed on your behalf)

When your customers interact with your AI agent on WhatsApp, we process their messages and related metadata as a data processor acting on your instructions. You, as the merchant, are the data controller for your end-customers' data.

We process your data on the following legal grounds:

• Contract performance: processing necessary to provide the service you signed up for
• Legitimate interests: improving our service, fraud prevention, security monitoring
• Consent: marketing communications (you may withdraw consent at any time)
• Legal obligation: compliance with applicable law

We use the information we collect to:

• Provide, operate, and maintain the NexaBots platform
• Process and respond to messages on behalf of your WhatsApp Business account
• Authenticate users and maintain account security
• Send transactional communications (account alerts, service updates)
• Send marketing communications where you have opted in
• Analyse usage patterns to improve features and performance
• Detect, investigate, and prevent fraudulent or abusive activity
• Comply with legal and regulatory obligations

We do not sell your personal data or your customers' data to third parties. We do not use WhatsApp message content to train AI models beyond the scope of providing your service.

We share information only in the circumstances described below. We do not sell personal data.

• Meta Platforms (WhatsApp Business API): message data is transmitted through Meta's infrastructure as required to deliver the WhatsApp messaging service. This is governed by Meta's WhatsApp Business Policy and Meta Privacy Policy.
• Analytics and observability: aggregated, anonymised telemetry for performance monitoring
• Legal requirements: when required by law, court order, or to protect the rights and safety of our users
• Business transfers: in the event of a merger, acquisition, or asset sale, with advance notice to affected users

NexaBots integrates with the WhatsApp Business Platform operated by Meta Platforms, Inc. By connecting your WhatsApp Business account, you acknowledge that:

• Messages sent and received through WhatsApp are subject to Meta's terms and privacy policies in addition to this policy.
• You are responsible for obtaining any consents required from your end-customers under applicable law before messaging them via WhatsApp.
• NexaBots acts as a service provider on your behalf and does not initiate conversations with your customers independently.
• Message content may be stored by NexaBots for a period of up to 90 days to provide conversation history, after which it is deleted unless you request otherwise.

We retain data for the following periods:

• Account data: retained for the duration of your subscription plus 30 days after account closure (to allow reactivation)
• Conversation and message data: 90 days from the date of the conversation, then permanently deleted
• Billing and financial records: 7 years as required by applicable accounting and tax law
• Server logs: 30 days, then automatically purged
• Waitlist emails: until the waitlist programme ends or you unsubscribe

You may request earlier deletion at any time (see Section 10 — Your Rights).

We use the following types of cookies:

• Strictly necessary: session cookies required for authentication and security (cannot be disabled)
• Functional: remember your language preference (EN/AR)
• Analytics: anonymised usage data to improve the platform (you may opt out)

We do not use advertising or cross-site tracking cookies. You can manage cookies through your browser settings; disabling strictly necessary cookies will prevent login.

We implement industry-standard security measures to protect your data:

• All data in transit is encrypted via TLS 1.2 or higher
• API keys and authentication secrets are encrypted at rest using AES-256 (Fernet envelope encryption)
• Webhook payloads are verified using HMAC-SHA256 signatures
• Access to production systems is restricted to authorised personnel only
• Regular security reviews and dependency audits

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: request a copy of the personal data we hold about you
• Rectification: correct inaccurate or incomplete data
• Erasure: request deletion of your personal data ("right to be forgotten")
• Portability: receive your data in a structured, machine-readable format
• Restriction: ask us to restrict processing of your data in certain circumstances
• Objection: object to processing based on legitimate interests
• Withdraw consent: at any time, for processing based on consent (without affecting past processing)

To exercise any of these rights, email privacy@nexabots.io. We will respond within 30 days. We may ask you to verify your identity before fulfilling a request.

You can request deletion of your account and associated data at any time by:

• Using the "Delete Account" option in your dashboard settings, or
• Emailing privacy@nexabots.io with subject line "Data Deletion Request"

Upon receiving a verified request, we will permanently delete your account data within 30 days, except where retention is required by law (e.g. financial records). You will receive a confirmation email when deletion is complete.

If you connected your Facebook or WhatsApp account via Meta Login, you may also submit a deletion request through Facebook's data deletion request page. We will process any requests forwarded to us by Meta within 30 days.

Our service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected information from a minor, please contact us at privacy@nexabots.io and we will delete it promptly.

NexaBots is operated from the Kingdom of Saudi Arabia. If you access our service from outside Saudi Arabia, your data may be transferred to and processed in Saudi Arabia and other countries (including the United States via Google Cloud Platform). We take appropriate measures to ensure such transfers comply with applicable data protection law.

NexaBots is established in the Kingdom of Saudi Arabia and complies with the Personal Data Protection Law (PDPL) issued by Royal Decree M/19 and supervised by the Saudi Data and AI Authority (SDAIA). If you are a resident of Saudi Arabia, the rights described in Section 10 apply to you under PDPL.

Cross-border transfers of personal data outside Saudi Arabia are carried out only where permitted by PDPL Article 29 and any subsequent SDAIA implementing regulations, including where the destination country provides an adequate level of protection or appropriate safeguards are in place.

If you believe we have not adequately addressed a privacy concern, you may file a complaint with SDAIA at sdaia.gov.sa.

We use the following categories of sub-processors to deliver our service. Each is bound by a written agreement requiring them to protect personal data to a standard at least equivalent to ours:

• Cloud infrastructure: Google Cloud Platform (compute, storage, databases)
• Edge & CDN: Cloudflare (DDoS protection, DNS, edge caching)
• Messaging delivery: Meta Platforms (WhatsApp Business Platform)
• AI model providers: the LLM provider(s) used to generate AI replies, processing message content under strict no-training agreements
• Email and notifications: the transactional email provider used to deliver account communications

A current list with provider names is available on request from privacy@nexabots.io.

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a prominent notice on the platform at least 14 days before the changes take effect. Continued use of the service after the effective date constitutes acceptance of the updated policy.

We encourage you to review this page periodically. The "Last updated" date at the top of this page indicates when it was last revised.

For any privacy-related questions, requests, or concerns, please contact our Data Privacy team:

• Email: privacy@nexabots.io
• General inquiries: info@nexabots.io
• Website: nexabots.io

We aim to respond to all privacy enquiries within 5 business days.