Privacy Policy

Effective date: July 1, 2025

Last updated: July 1, 2025

This Privacy Policy explains how Nuvixy collects, uses, stores, and protects your personal data, and describes the rights you have under the EU General Data Protection Regulation (GDPR) and applicable Romanian data protection law. By using the Service, you acknowledge that you have read and understood this policy.

1. Who We Are & How to Contact Us

Nuvixy is a SaaS CRM and email automation platform operated in Romania. For the purposes of EU data protection law, Nuvixy acts as:

  • Data Controller — for personal data we collect directly from you (account data, usage data) when you register and use the Service
  • Data Processor — for personal data you enter about your own contacts and leads ("Lead Data"), which you control as the Data Controller

If you have any questions about this policy, your data, or wish to exercise your rights, please contact us through the Service. We will respond within 30 days.

2. What Data We Collect & Why

2.1 Account Data (you provide)

Data | Purpose | Legal Basis
Name | Account identification, personalisation | Contract performance
Email address | Login, service communications | Contract performance
Password (hashed) | Authentication | Contract performance
SMTP credentials | Email sending on your behalf | Contract performance

2.2 Lead Data (you provide about third parties)

This includes names, email addresses, phone numbers, company names, notes, and any other data you enter about your contacts. You are the Data Controller for this data. We process it strictly on your behalf to operate the Service.

2.3 Usage & Technical Data (collected automatically)

Data | Purpose | Legal Basis
Follow-up send times & status | Service operation, scheduling | Contract performance
Server/error logs | Debugging, security monitoring | Legitimate interests
Session cookie | Keeping you logged in | Strictly necessary

3. Legal Bases for Processing

Under the GDPR, we must have a valid legal basis for each type of processing. We rely on the following:

  • Contract performance (Art. 6(1)(b) GDPR): Processing your account data and Lead Data is necessary to deliver the Service you have contracted for.
  • Legitimate interests (Art. 6(1)(f) GDPR): We process server logs and usage data to maintain security and improve the reliability of the Service. We have assessed that these interests are not overridden by your fundamental rights.
  • Legal obligation (Art. 6(1)(c) GDPR): We may process and retain data where required by applicable Romanian or EU law.

We do not rely on consent as a legal basis for processing your account data, as processing is necessary for the contract. You can withdraw consent for any consent-based processing at any time without affecting the lawfulness of prior processing.

4. Your Lead Contacts & Your Responsibilities

When you enter personal data about third parties (your leads and contacts) into Nuvixy, you are acting as the Data Controller for that data. This means:

  • You must have a valid legal basis under GDPR (or other applicable law) for storing and processing each contact's data
  • You are responsible for informing those individuals that their data is being processed using Nuvixy
  • You must respond to any data subject rights requests (access, deletion, etc.) from your contacts directly
  • You must not enter sensitive personal data (e.g., health data, financial data) into the Service unless you have explicit consent and appropriate safeguards

Nuvixy, as Data Processor, will assist you in fulfilling data subject requests to the extent technically possible. See our Terms & Conditions (Section 8) for full Data Processor obligations and DPA availability.

5. How We Use Your Data

We use the data we collect exclusively to:

  • Create and manage your Account
  • Operate the CRM and schedule automated follow-up emails on your behalf
  • Authenticate you and protect your Account
  • Diagnose technical problems and maintain Service reliability
  • Send you essential service communications (e.g., account changes, security alerts)
  • Comply with legal obligations applicable to us

We do not:

  • Sell your personal data or Lead Data to any third party
  • Use your data for advertising, profiling, or marketing by third parties
  • Use Lead Data for any purpose other than providing you the Service
  • Share data with third parties except as described in Section 6

6. Data Sharing & Third Parties

We do not sell, rent, or trade your data. We share data only in the following limited circumstances:

  • Infrastructure & hosting providers: Our hosting provider stores your data on our behalf as a sub-processor. We ensure appropriate data processing agreements are in place with all sub-processors.
  • Your SMTP provider: When you configure your own SMTP server, emails and recipient data are transmitted through your chosen provider. That provider's own privacy terms apply to that transmission.
  • Legal obligations: We may disclose data if required by a court order, law, or competent authority in Romania or the EU. Where legally permitted, we will notify you before doing so.
  • Business transfers: If Nuvixy is acquired, merged, or its assets are transferred, your data may be transferred to the successor entity. We will notify you in advance and the successor will be bound by this policy or an equivalent one.

7. International Data Transfers

Your data is stored and processed in the European Economic Area (EEA). We do not routinely transfer personal data outside the EEA. If any sub-processor is located outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, prior to any such transfer.

8. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

  • Passwords hashed using bcrypt (cost factor 12) — never stored in plain text and never accessible to us
  • SMTP credentials encrypted at rest
  • HTTPS encryption for all data in transit
  • Access to production data restricted to authorized personnel only
  • Regular security reviews of the application and infrastructure

No security system is infallible. In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by GDPR Art. 33–34.

9. Cookies & Session Data

We use cookies minimally and only as necessary to operate the Service:

Cookie | Type | Purpose | Duration
next-auth.session-token | Strictly necessary | Keeps you logged in | Session / 30 days
admin_session | Strictly necessary | Admin dashboard access | 7 days

We do not use analytics cookies, advertising cookies, or any third-party tracking. No cookie consent banner is required because we only use strictly necessary cookies.

10. Data Retention & Deletion

  • Active accounts: We retain your account data and Lead Data for as long as your Account is active.
  • Account deletion: When you delete your Account — or when we terminate it — all associated personal data (account data, Lead Data, templates, follow-up records) is permanently and irreversibly deleted within 30 days.
  • Server logs: Technical logs are retained for up to 90 days for security and diagnostic purposes, then automatically purged.
  • Legal holds: We may retain certain data for longer periods if required by applicable Romanian or EU law (e.g., financial records, legal proceedings).

11. Your Rights Under GDPR

If you are located in the EU/EEA, you have the following rights regarding your personal data. These rights apply to data for which Nuvixy is the Data Controller (your account data). For Lead Data (where you are the Controller), you must contact us as Data Processor to assist with requests from your own contacts.

Right of access (Art. 15)

Request a copy of the personal data we hold about you and information about how we process it.

Right to rectification (Art. 16)

Request correction of inaccurate or incomplete personal data.

Right to erasure (Art. 17)

Request deletion of your personal data where we no longer have a lawful basis to retain it ('right to be forgotten').

Right to restriction (Art. 18)

Request that we restrict processing of your data in certain circumstances (e.g., while a dispute is resolved).

Right to data portability (Art. 20)

Request your personal data in a structured, commonly used, machine-readable format (where processing is based on contract or consent).

Right to object (Art. 21)

Object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.

Right to withdraw consent

Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us through the Service. We will respond within 30 days. We may need to verify your identity before processing a request. These rights are not absolute and may be subject to limitations under applicable law.

12. Right to Lodge a Complaint

If you believe we have processed your personal data unlawfully or in violation of GDPR, you have the right to lodge a complaint with a data protection supervisory authority. In Romania, the competent authority is:

Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)

Website: www.dataprotection.ro

You may also lodge a complaint with the supervisory authority of your EU Member State of residence or place of work.

13. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will delete it without delay.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in the law, our data practices, or the Service. For material changes, we will notify registered users by email or in-app notification at least 14 days before the changes take effect. The updated policy will always be available at this URL with the effective date clearly noted. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

15. Governing Law

This Privacy Policy is governed by the laws of Romania and, where applicable, EU data protection law including the General Data Protection Regulation (EU) 2016/679. Any disputes relating to this policy shall be subject to the exclusive jurisdiction of the competent courts of Romania, without prejudice to your rights to bring a complaint before your national supervisory authority.

16. Contact

For any questions about this Privacy Policy, to exercise your data rights, or to request a Data Processing Agreement, please contact us through the Service. We are committed to resolving any privacy concerns promptly and transparently.