Nazex is an Enterprise Operating System operated by XReach ("we," "us," or "our"). Nazex provides multi-tenant workspace software that allows organizations to manage inventory, operations, purchasing, people, documents, and other business functions.
Our platform is a business-to-business (B2B) service. When you use Nazex, you are typically acting on behalf of an organization (referred to throughout this policy as your "Organization" or "workspace").
Contact:
Privacy inquiries: privacy@nazex.app
General inquiries: hello@nazex.app
When an individual creates a Nazex account, we collect:
When an Organization is provisioned on Nazex, we collect:
When an Organization administrator invites a team member, we collect the invited person's email address to send the invitation. The invited person's account is created when they accept the invitation and set a password.
The Nazex People module allows Organizations to maintain records of their staff, contractors, or other personnel. This data is entered by the Organization and may include:
This data is Organization-owned content (see Section 7) and is processed on behalf of the Organization that enters it.
Organizations use Nazex to manage their operations. This includes data they enter about:
This data belongs to the Organization (see Section 7).
The platform accepts file uploads for certain workflows (such as the intake process). Uploaded files are currently limited to images (JPEG, PNG, GIF, WebP, HEIC, HEIF). These files are stored in tenant-scoped paths that isolate each Organization's files from others, using Cloudflare R2 object storage in production.
We automatically collect certain technical data when you use the platform:
When you use AI-assisted features (such as AI product enrichment), we log:
This data is used for quota management, abuse detection, and internal operational monitoring. It is not sold or shared with third parties beyond what is described in Section 5.
For security and operational integrity, we maintain an audit log that records the type of event (e.g., login, password reset, file uploaded, channel connected), the user who performed the action, the entity affected, IP address, and a timestamp. The audit log is retained for the duration of the subscription and is accessible to authorized XReach platform personnel for support and security purposes.
We maintain records of in-platform notifications delivered to users, including notification type, title, message content, read status, and timestamps.
When an Organization connects a third-party social media channel (Facebook Page, Instagram, Facebook Marketplace, TikTok, or LinkedIn), we store:
When you create an account, we record that you accepted these Terms and the Privacy Policy, including the version number of each document you accepted, the timestamp, and the IP address from which you registered. This record is maintained as an immutable compliance record.
We use the information we collect to create and maintain your account and workspace, authenticate your identity, deliver activated features, send transactional emails, generate in-platform notifications, and post content to connected social media channels when you instruct us to.
When you use AI-assisted features, we transmit relevant content to our AI provider (currently Anthropic) to generate the requested output. See Section 5 for details.
We use IP addresses, user agent strings, and audit event data to detect unauthorized access attempts, enforce rate limits, identify suspected abuse, and maintain the security and integrity of the multi-tenant environment.
We use aggregated, non-identifying operational data to monitor platform health, manage AI feature quotas, and diagnose technical issues.
We use your email address to send transactional communications necessary to operate your account. We do not currently send promotional or marketing emails. If this changes, you will be given the opportunity to opt out.
For users located in jurisdictions that require a legal basis for processing personal data (including the EU and UK):
| Processing Activity | Legal Basis |
|---|---|
| Account creation and authentication | Contract performance |
| Sending verification and reset emails | Contract performance |
| IP address logging at auth events | Legitimate interests — security and fraud prevention |
| Audit event logging | Legitimate interests — platform integrity and security |
| AI feature processing (transmitting content to Anthropic) | Contract performance — necessary to deliver the AI feature requested |
| Storage of OAuth tokens for connected channels | Contract performance — necessary to maintain channel connections |
| Processing of Organization personnel records (People module) | Processing on behalf of the Organization as data controller |
If you believe we are relying on legitimate interests in a way that overrides your rights, you may object by contacting us at privacy@nazex.app.
We do not sell personal data. We share information only as described below.
When you use AI-assisted features, the content you submit — which may include product descriptions, notes, and uploaded images — is transmitted to Anthropic, PBC for processing. We recommend that you do not submit sensitive personal data, confidential business information, or regulated data through AI-assisted features.
Transactional emails are delivered through Resend, Inc. Your email address and the content of the relevant email are transmitted to Resend for this purpose.
Files uploaded to Nazex are stored in Cloudflare R2 object storage. Cloudflare processes this data according to its data processing terms.
The Nazex application and its database run on infrastructure provided by Fly.io, Inc. Platform application data and database content reside on Fly.io servers. Fly.io processes this data as an infrastructure provider under its data processing agreement.
When you connect a social media channel and instruct Nazex to post content, we transmit the relevant content to that platform (Facebook, Instagram, Facebook Marketplace, TikTok, or LinkedIn) using the OAuth authorization you granted. Each platform's own privacy policy governs how they handle that data.
Authorized XReach platform personnel may access your Organization's workspace when you request support, when we need to investigate a security issue, or when required to comply with a legal obligation. Access is logged. We do not access customer workspaces beyond what is necessary for the stated purpose.
We may disclose information when required by law, court order, or government authority, or when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of XReach, our users, or the public.
If XReach is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a materially different privacy policy.
Nazex does not use cookies for authentication or session management. Instead, we use your browser's localStorage to store your session token, display name, role, Organization name, and plan information for UI rendering. This data is stored locally in your browser and is cleared when you log out. We do not use third-party tracking cookies, advertising cookies, or behavioral analytics cookies.
Data that your Organization enters into Nazex — including inventory records, customer records, purchase orders, people records, documents, invoices, and all other operational data — belongs to your Organization. We process this data on your behalf to operate the platform. We do not use your Organization's operational data for any purpose other than providing and operating the services you have activated.
When an Organization's account is terminated, we retain the Organization's data for a limited period to allow for reactivation or data retrieval, after which it is scheduled for deletion. We will provide notice before deletion occurs when we have a valid contact email address on file.
We implement technical and organizational measures to protect the information we process, including:
No security system is perfect. If we become aware of a security incident that affects your data, we will make reasonable efforts to notify you in a timely manner.
Depending on where you are located, you may have rights including: access, correction, deletion, portability, objection, and restriction. To exercise any of these rights, contact us at privacy@nazex.app. We will respond within 30 days.
Account deletion: Email privacy@nazex.app from the email address associated with your account.
| Data Category | Retention Period |
|---|---|
| Account and authentication data | Duration of active account; subject to deletion after account closure |
| Organization and workspace data | Duration of active subscription; subject to deletion after subscription ends |
| Audit event records | Duration of active subscription; deleted with Organization data |
| AI usage records | Duration of active subscription; deleted with Organization data |
| One-time tokens (verification, reset) | Single use or expiry (1–24 hours), whichever occurs first |
| Connected channel OAuth tokens | Retained until you disconnect the channel or close your account |
| Uploaded files | Retained until deleted by the Organization or account closure |
| Support session records | 90 days after the session ends |
Nazex is a business software platform not directed at individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a minor, please contact us at privacy@nazex.app and we will delete it promptly.
Nazex is operated from the United States. The platform infrastructure, including the database and application servers, is hosted in the United States via Fly.io. If you access Nazex from outside the United States, your data will be transferred to and processed in the United States.
We do not currently have Standard Contractual Clauses or other formal transfer mechanisms in place for transfers of personal data from the EEA, UK, or Switzerland to the United States. We are evaluating appropriate safeguards as the platform grows. If you have concerns about international data transfers, please contact us at privacy@nazex.app.
We may update this Privacy Policy as the platform evolves. When we make material changes, we will update the "Last Updated" date at the top of this page and, where feasible, notify users by email or in-platform notification before the changes take effect. Your continued use of Nazex after a policy update constitutes your acceptance of the revised terms.
Privacy inquiries and data requests:
Email: privacy@nazex.app
Subject line: Privacy Request — [your name or Organization name]
We aim to respond to all privacy inquiries within 30 days.