Data Protection Policy
Last updated: January 1, 2025
Nexiva AI is committed to protecting the personal data of our clients, website visitors, and all individuals whose data we process. This Data Protection Policy outlines our obligations and practices in handling personal data responsibly and in compliance with applicable data protection laws, including the Information Technology Act, 2000 (India) and GDPR principles where applicable.
1. Data Protection Principles
- Lawfulness, fairness, and transparency — we process data lawfully and transparently
- Purpose limitation — data is collected for specified, explicit, and legitimate purposes only
- Data minimisation — we collect only what is necessary for the stated purpose
- Accuracy — we take reasonable steps to ensure data is accurate and up to date
- Storage limitation — data is not kept longer than necessary
- Integrity and confidentiality — we protect data against unauthorized access or loss
- Accountability — we take responsibility for compliance and can demonstrate it
2. Roles and Responsibilities
Nexiva AI acts as a Data Controller for personal data collected through our website and marketing activities. For client projects where we process our clients' customer data, we act as a Data Processor under the client's instructions. A Data Processing Agreement (DPA) is available upon request for such engagements.
3. Data We Process
- Website visitor data: IP addresses, browser information, and behavioral data via cookies
- Lead and prospect data: names, email addresses, phone numbers, company names
- Client data: business information, project requirements, system access credentials
- Communication data: emails, WhatsApp messages, and call records
- Payment data: processed by third-party payment providers; we do not store payment card details
4. Legal Bases for Processing
- Consent: for marketing communications and non-essential cookies
- Contract performance: to deliver the services you have engaged us for
- Legitimate interests: for business development, fraud prevention, and service improvement
- Legal obligation: to comply with applicable laws and regulations
5. Data Retention
We retain personal data only for as long as necessary. Client project data is retained for 3 years post-project completion. Marketing contact data is retained until you unsubscribe or request deletion. Financial records are retained for 7 years as required by Indian tax law.
6. Data Security Measures
- Encrypted data transmission using TLS/SSL protocols
- Access controls limiting data access to authorized personnel only
- Regular security assessments and vulnerability checks
- Secure cloud storage with reputable providers
- Staff training on data protection best practices
- Incident response procedures for data breaches
7. Data Breach Response
In the event of a personal data breach, we will assess the risk, contain the breach, and, where required, notify affected individuals and relevant authorities within 72 hours of becoming aware. We maintain a breach register and conduct post-incident reviews.
8. Third-Party Processors
We use carefully selected third-party processors (cloud providers, analytics tools, communication platforms) who comply with data protection standards. We maintain Data Processing Agreements with all third-party processors and conduct due diligence before onboarding them.
9. Cross-Border Data Transfers
Where personal data is transferred outside India, we ensure appropriate safeguards are in place, including standard contractual clauses or adequacy decisions, to maintain equivalent protection of your data.
10. Your Data Rights
You have the right to access, correct, delete, or restrict processing of your personal data. You may also request data portability or object to processing. To exercise these rights, contact us at contact@nexiva.dev. We will respond within 30 days.
11. Policy Review
This policy is reviewed annually and updated as necessary to reflect changes in our practices, technology, or legal requirements. Significant changes will be communicated to affected parties.
For questions about this policy, contact us at contact@nexiva.dev.