/ Privacy Policy

Privacy Policy

Effective Date: June 26, 2026  ·  Last Updated: June 26, 2026


1. Who We Are

Nazex is an Enterprise Operating System operated by XReach ("we," "us," or "our"). Nazex provides multi-tenant workspace software that allows organizations to manage inventory, operations, purchasing, people, documents, and other business functions.

Our platform is a business-to-business (B2B) service. When you use Nazex, you are typically acting on behalf of an organization (referred to throughout this policy as your "Organization" or "workspace").

Contact:
Privacy inquiries: privacy@nazex.app
General inquiries: hello@nazex.app


2. Information We Collect

2.1 Account Registration Information

When an individual creates a Nazex account, we collect:

2.2 Organization Information

When an Organization is provisioned on Nazex, we collect:

2.3 Invited Team Members

When an Organization administrator invites a team member, we collect the invited person's email address to send the invitation. The invited person's account is created when they accept the invitation and set a password.

2.4 People Records (Organization Personnel)

The Nazex People module allows Organizations to maintain records of their staff, contractors, or other personnel. This data is entered by the Organization and may include:

This data is Organization-owned content (see Section 7) and is processed on behalf of the Organization that enters it.

2.5 Operational and Business Data

Organizations use Nazex to manage their operations. This includes data they enter about:

This data belongs to the Organization (see Section 7).

2.6 Uploaded Files

The platform accepts file uploads for certain workflows (such as the intake process). Uploaded files are currently limited to images (JPEG, PNG, GIF, WebP, HEIC, HEIF). These files are stored in tenant-scoped paths that isolate each Organization's files from others, using Cloudflare R2 object storage in production.

2.7 Technical and Security Data

We automatically collect certain technical data when you use the platform:

2.8 AI Feature Usage Data

When you use AI-assisted features (such as AI product enrichment), we log:

This data is used for quota management, abuse detection, and internal operational monitoring. It is not sold or shared with third parties beyond what is described in Section 5.

2.9 Audit Event Data

For security and operational integrity, we maintain an audit log that records the type of event (e.g., login, password reset, file uploaded, channel connected), the user who performed the action, the entity affected, IP address, and a timestamp. The audit log is retained for the duration of the subscription and is accessible to authorized XReach platform personnel for support and security purposes.

2.10 Notification Data

We maintain records of in-platform notifications delivered to users, including notification type, title, message content, read status, and timestamps.

2.11 Connected Channel Data

When an Organization connects a third-party social media channel (Facebook Page, Instagram, Facebook Marketplace, TikTok, or LinkedIn), we store:

2.12 Legal Acceptance Records

When you create an account, we record that you accepted these Terms and the Privacy Policy, including the version number of each document you accepted, the timestamp, and the IP address from which you registered. This record is maintained as an immutable compliance record.


3. How We Use Your Information

3.1 To Provide and Operate the Service

We use the information we collect to create and maintain your account and workspace, authenticate your identity, deliver activated features, send transactional emails, generate in-platform notifications, and post content to connected social media channels when you instruct us to.

3.2 To Process AI Feature Requests

When you use AI-assisted features, we transmit relevant content to our AI provider (currently Anthropic) to generate the requested output. See Section 5 for details.

3.3 For Security and Abuse Prevention

We use IP addresses, user agent strings, and audit event data to detect unauthorized access attempts, enforce rate limits, identify suspected abuse, and maintain the security and integrity of the multi-tenant environment.

3.4 For Internal Platform Operations

We use aggregated, non-identifying operational data to monitor platform health, manage AI feature quotas, and diagnose technical issues.

3.5 Communication

We use your email address to send transactional communications necessary to operate your account. We do not currently send promotional or marketing emails. If this changes, you will be given the opportunity to opt out.


4. Legal Basis for Processing

For users located in jurisdictions that require a legal basis for processing personal data (including the EU and UK):

Processing ActivityLegal Basis
Account creation and authenticationContract performance
Sending verification and reset emailsContract performance
IP address logging at auth eventsLegitimate interests — security and fraud prevention
Audit event loggingLegitimate interests — platform integrity and security
AI feature processing (transmitting content to Anthropic)Contract performance — necessary to deliver the AI feature requested
Storage of OAuth tokens for connected channelsContract performance — necessary to maintain channel connections
Processing of Organization personnel records (People module)Processing on behalf of the Organization as data controller

If you believe we are relying on legitimate interests in a way that overrides your rights, you may object by contacting us at privacy@nazex.app.


5. Information We Share

We do not sell personal data. We share information only as described below.

5.1 AI Provider — Anthropic

When you use AI-assisted features, the content you submit — which may include product descriptions, notes, and uploaded images — is transmitted to Anthropic, PBC for processing. We recommend that you do not submit sensitive personal data, confidential business information, or regulated data through AI-assisted features.

5.2 Email Delivery — Resend

Transactional emails are delivered through Resend, Inc. Your email address and the content of the relevant email are transmitted to Resend for this purpose.

5.3 File Storage — Cloudflare

Files uploaded to Nazex are stored in Cloudflare R2 object storage. Cloudflare processes this data according to its data processing terms.

5.4 Infrastructure — Fly.io

The Nazex application and its database run on infrastructure provided by Fly.io, Inc. Platform application data and database content reside on Fly.io servers. Fly.io processes this data as an infrastructure provider under its data processing agreement.

5.5 Social Media Platforms

When you connect a social media channel and instruct Nazex to post content, we transmit the relevant content to that platform (Facebook, Instagram, Facebook Marketplace, TikTok, or LinkedIn) using the OAuth authorization you granted. Each platform's own privacy policy governs how they handle that data.

5.6 Platform Support

Authorized XReach platform personnel may access your Organization's workspace when you request support, when we need to investigate a security issue, or when required to comply with a legal obligation. Access is logged. We do not access customer workspaces beyond what is necessary for the stated purpose.

5.7 Legal Requirements

We may disclose information when required by law, court order, or government authority, or when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of XReach, our users, or the public.

5.8 Business Transfers

If XReach is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a materially different privacy policy.


6. Cookies and Local Storage

Nazex does not use cookies for authentication or session management. Instead, we use your browser's localStorage to store your session token, display name, role, Organization name, and plan information for UI rendering. This data is stored locally in your browser and is cleared when you log out. We do not use third-party tracking cookies, advertising cookies, or behavioral analytics cookies.


7. Organization-Owned Content

Data that your Organization enters into Nazex — including inventory records, customer records, purchase orders, people records, documents, invoices, and all other operational data — belongs to your Organization. We process this data on your behalf to operate the platform. We do not use your Organization's operational data for any purpose other than providing and operating the services you have activated.

When an Organization's account is terminated, we retain the Organization's data for a limited period to allow for reactivation or data retrieval, after which it is scheduled for deletion. We will provide notice before deletion occurs when we have a valid contact email address on file.


8. Data Security

We implement technical and organizational measures to protect the information we process, including:

No security system is perfect. If we become aware of a security incident that affects your data, we will make reasonable efforts to notify you in a timely manner.


9. Your Rights and Choices

Depending on where you are located, you may have rights including: access, correction, deletion, portability, objection, and restriction. To exercise any of these rights, contact us at privacy@nazex.app. We will respond within 30 days.

Account deletion: Email privacy@nazex.app from the email address associated with your account.


10. Data Retention

Data CategoryRetention Period
Account and authentication dataDuration of active account; subject to deletion after account closure
Organization and workspace dataDuration of active subscription; subject to deletion after subscription ends
Audit event recordsDuration of active subscription; deleted with Organization data
AI usage recordsDuration of active subscription; deleted with Organization data
One-time tokens (verification, reset)Single use or expiry (1–24 hours), whichever occurs first
Connected channel OAuth tokensRetained until you disconnect the channel or close your account
Uploaded filesRetained until deleted by the Organization or account closure
Support session records90 days after the session ends

11. Children's Privacy

Nazex is a business software platform not directed at individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a minor, please contact us at privacy@nazex.app and we will delete it promptly.


12. International Users

Nazex is operated from the United States. The platform infrastructure, including the database and application servers, is hosted in the United States via Fly.io. If you access Nazex from outside the United States, your data will be transferred to and processed in the United States.

We do not currently have Standard Contractual Clauses or other formal transfer mechanisms in place for transfers of personal data from the EEA, UK, or Switzerland to the United States. We are evaluating appropriate safeguards as the platform grows. If you have concerns about international data transfers, please contact us at privacy@nazex.app.


13. Changes to This Policy

We may update this Privacy Policy as the platform evolves. When we make material changes, we will update the "Last Updated" date at the top of this page and, where feasible, notify users by email or in-platform notification before the changes take effect. Your continued use of Nazex after a policy update constitutes your acceptance of the revised terms.


14. Contact Us

Privacy inquiries and data requests:

Email: privacy@nazex.app

Subject line: Privacy Request — [your name or Organization name]

We aim to respond to all privacy inquiries within 30 days.

← Close this window