Effective: May 23, 2026
Version 2026-05-23.1 · Draft document — not legal advice. Counsel review recommended before production launch.
1. Who is responsible for this Policy
Nyxce Core (operated under the commercial name Nyxce Core; legal entity: [Legal Entity Name], [Registered Address]) is responsible for personal data described here when we act as a controller—for example, for account holders and website visitors. When you use the service to process your callers’ data, you are typically the controller toward those callers and we process data on your behalf as a processor, as described in your agreement with us and applicable law.
Legal review required before production commitments.
2. Scope
This Policy applies to the Nyxce Core website, application, and related services. It does not cover third-party websites or services you link to. The service is intended for business users, not children.
3. Categories of personal data
We may process: account data (name, email, workspace membership, roles); authentication identifiers; billing and subscription metadata (payment is handled by Lemon Squeezy—we do not store full payment card numbers); call and message metadata (phone numbers, timestamps, duration, status); audio recordings and transcripts when you enable them; AI prompts and knowledge you configure; WhatsApp or SMS content when enabled; support and contact form messages; technical logs and error reports (e.g., via Sentry); and audit logs of security-sensitive actions.
4. Sources of data
We collect data you provide directly, data generated through use of the service, data from callers interacting with your connected numbers, and data from integrations (e.g., Twilio telephony events, Supabase authentication, OpenAI for AI features).
5. Purposes and legal bases
We process data to provide and secure the service, authenticate users, bill subscriptions, operate AI and telephony features, comply with law, and improve reliability. Depending on your region, legal bases may include performance of a contract, legitimate interests (such as security and product improvement), consent where required, and legal obligations. Where we rely on consent, you may withdraw it without affecting lawfulness of prior processing.
6. Subprocessors and sharing
We use service providers that process data on our instructions, including: Supabase (authentication), cloud database hosting, Twilio (voice/SMS/WhatsApp), OpenAI (AI inference and summaries), Lemon Squeezy (payments), Sentry (error monitoring), Resend (contact email, when configured), and infrastructure hosts. We do not sell personal data. We may disclose data if required by law or to protect rights and safety. A current subprocessor list is maintained in our internal compliance documentation and may be provided on request.
7. AI processing
Audio and text may be sent to AI providers to run realtime conversation, translation assist, or summaries. Configure provider settings to limit retention and training where available. We do not use your content to train our own proprietary models. AI outputs may be stored in your workspace according to your retention settings.
8. Cookies and similar technologies
We use essential cookies and local storage for authentication sessions. We may use error monitoring that sets technical identifiers. We do not use advertising cookies on the core product today. If we add non-essential analytics, we will update this Policy and, where required, obtain consent.
9. Retention
We retain account data while your account is active and for a reasonable period afterward for legal and security purposes. Call and message content retention follows your workspace settings and plan. Billing records may be retained as required for tax and accounting. You may request deletion as described below.
10. Security
We use measures such as access controls, encryption in transit, tenant isolation in application logic, and audit logging for sensitive actions. You are responsible for protecting your passwords and API keys.
11. International transfers
Data may be processed in the United States and other countries where our providers operate. Where required, we rely on appropriate safeguards such as standard contractual clauses or equivalent mechanisms—confirm with counsel for your deployment.
12. Your rights
Depending on your location, you may have rights to access, correct, delete, restrict or object to processing, data portability, and to lodge a complaint with a supervisory authority. California residents may have rights under the CCPA/CPRA, including knowing categories of data collected and requesting deletion, subject to exceptions. Brazilian data subjects may have rights under the LGPD. We do not sell or share personal information for cross-context behavioral advertising as defined under California law.
13. How to exercise your rights
Signed-in users may submit export, deletion, or correction requests from Profile settings in the application. You may also contact privacy@nyxcecore.com (placeholder). We will verify your identity and respond within timeframes required by applicable law. For caller data where you are not the account holder, contact the business that answered your call.
14. Marketing communications
If we send marketing email, you may opt out via the unsubscribe link. Responding to a contact form does not automatically subscribe you to marketing lists.
15. Calls, recordings, and messaging
When you enable recording or transcripts, caller voice and content may be stored. You must provide notices and obtain consents required in your jurisdiction. Nyxce Core provides configuration options but does not guarantee your compliance—consult qualified counsel for your use cases.
16. Children
The service is not directed to individuals under 18. We do not knowingly collect children’s personal data. Contact us if you believe we have collected such data inadvertently.
17. Changes to this Policy
We may update this Policy with a new effective date. Material changes will be communicated as appropriate. Continued use after the effective date constitutes notice of the update where permitted by law.
18. Contact
Privacy inquiries: privacy@nyxcecore.com (placeholder). Data protection contact / DPO: [DPO Contact] — to be appointed where required. General support: Contact page on our website.
19. Regional notices
United States: See sections on CCPA rights above; state laws may provide additional rights. EEA/UK: You may contact your local supervisory authority. Brazil: You may contact the ANPD regarding LGPD rights. These summaries are informational; local law prevails.
20. Document status
This Policy is version 2026-05-23.1 and should be reviewed by qualified legal counsel before being treated as final for regulatory or contractual purposes.
