Privacy Notice
Draft — not final notice
This page identifies the disclosures the final NexoAI Privacy Notice must contain. Legal review is required to add the controller identity, effective date, lawful bases, exact retention periods, processors, transfer safeguards, and rights procedures.
Scope and controller
The final notice should cover the NexoAI dashboard, wallet and payment flow, support interactions, website, and API gateway. It must identify [Data controller legal name], its address, privacy contact, and any services outside the notice's scope.
Data NexoAI may process
The production notice should describe the actual categories collected, which may include:
- account and verification details supplied during registration;
- virtual-key metadata such as key name, creation time, status, and configured limits;
- API telemetry such as timestamp, model, token counts, latency, status, and request identifiers;
- prompts, outputs, files, or tool data to the extent technically required to provide and secure the requested model service;
- wallet, top-up, currency quote, transaction reference, and payment-status information;
- device, browser, IP address, security events, cookies, and dashboard session data;
- support messages and the diagnostic material a user chooses to provide.
The final text must distinguish data NexoAI stores from data processed transiently or handled directly by a payment or model provider.
Why data is used
Purposes should be tied to the applicable lawful basis and include providing API access, authenticating users, routing requests, metering usage, maintaining the wallet, preventing fraud and abuse, supporting users, complying with law, and improving reliability.
NexoAI should not claim a purpose or lawful basis that has not been validated against the implemented system and jurisdiction.
Providers and international transfers
The final notice must list or categorize the model providers, hosting vendors, analytics services, support tools, and payment processors that receive personal data. It should explain where processing occurs and which transfer mechanism or safeguard applies when data crosses borders.
Retention and deletion
Add specific retention schedules for account records, key metadata, API logs, prompt or output content if retained, security events, support tickets, and financial records. Explain how deletion requests interact with fraud prevention, disputes, legal holds, backups, and statutory accounting duties.
User choices and rights
Depending on applicable law, users may have rights to access, correct, delete, restrict, object to, or export personal data, and to complain to a supervisory authority. The final notice must give a verified request channel, identity-check process, response timeframe, and any lawful exceptions.
Security
NexoAI should describe safeguards at an appropriate level without publishing information that weakens them. Users remain responsible for secret storage, least-privilege key caps, and prompt content they choose to send.
Do not send keys in privacy requests
A live API key is not needed to locate an account or verify a transaction. Revoke any key that was accidentally included in correspondence.
Changes and contact
Before publication, add the effective date, how material updates are communicated, the privacy contact, and the relevant supervisory authority or escalation route.
