Privacy Policy

When you interact with NexusPoint, we collect the following categories of information:

1.1 Account Information

• Registration data: First name, last name, email address, and an encrypted (bcrypt-hashed) password when you create an account.
• Optional profile data: Company name, notification preferences (email, usage alerts, security alerts, marketing communications).
• Authentication tokens: We store a secure, HttpOnly JWT cookie in your browser to maintain your session for up to 7 days.

1.2 Payment & Billing Information

• Stripe customer profile: When you sign up, we create a Stripe customer record linked to your email and name. All payment card data (card numbers, CVV, expiration dates) is collected, processed, and stored exclusively by Stripe, Inc. — NexusPoint never receives or stores your full card details.
• Transaction records: We store Stripe payment intent IDs, session IDs, transaction amounts (in USD cents), credit pack purchased, payment status (pending, succeeded, failed, refunded), and timestamps.
• Credit balance: Your current credit balance is maintained in our database. New accounts receive 50 free credits upon registration.

1.3 Usage & Consumption Data

• API usage logs: Every AI feature call is logged, including: the specific feature used (e.g., Background Removal, Object Detection), the number of credits consumed, the source of the request (dashboard vs. API token), the API token ID (if applicable), and a timestamp.
• Image URLs: When you submit an image via external API using an image URL (rather than uploading a file), the URL is stored in the consumption record. Images uploaded directly through the dashboard are processed in-memory and are not stored on our servers.

1.4 API Tokens

• When you create an API token, we store the token name, token value (cryptographically generated), creation date, last-used timestamp, and active status.
• You may create up to 10 API tokens per account. The full token value is displayed only once at creation time.

1.5 Technical & Device Data

• Standard web server logs including IP address, browser type, operating system, referring URLs, and request timestamps.
• We use a single essential cookie for authentication — no third-party tracking cookies, advertising pixels, or analytics SDKs are deployed on NexusPoint.

1.6 Communications Data

• If you contact us via our contact form or email, we retain the content of your messages and any information you provide for support purposes.

We use the information collected for the following purposes:

• Service delivery: To provide, operate, and maintain the NexusPoint platform and all AI-powered computer vision features.
• Authentication & security: To verify your identity, protect your account, prevent unauthorized access, and detect fraudulent activity.
• Billing & credits: To process credit purchases via Stripe, manage your credit balance, track consumption, process refunds, and provide transaction history.
• Usage analytics: To generate aggregated, anonymized analytics accessible via your dashboard (daily usage, feature breakdown, API vs. dashboard usage).
• Admin operations: Authorized administrators may access user data, payment history, and consumption records for platform monitoring, support resolution, and fraud prevention.
• Communications: To send transactional emails (password changes, payment confirmations), system notifications, and — only with your explicit opt-in — marketing communications.
• Platform improvement: To analyze aggregate usage patterns, optimize performance, plan capacity, and develop new features.
• Legal compliance: To comply with applicable laws, enforce our Terms of Service, and protect our rights, privacy, safety, or property.

NexusPoint integrates with the following third-party services. We share only the minimum data necessary for each service to function:

Given the nature of our computer vision services, we want to be fully transparent about how your images are handled:

• Dashboard uploads: Images uploaded through the NexusPoint dashboard are transmitted directly to SentiSight.ai for processing, held only in server memory during processing, and immediately discarded. They are never written to disk or stored in our database.
• API URL submissions: When you use the external API and provide an image URL, that URL is logged in your consumption record for debugging and audit purposes. The image at that URL is fetched by SentiSight for processing.
• API file uploads: Images uploaded as binary data via the external API are forwarded to SentiSight in-memory and are not stored.
• SentiSight processing: SentiSight.ai processes images under their own data handling policies. NexusPoint does not control SentiSight's data retention practices for processed images.
• AI-generated outputs: Results returned by AI models (classifications, bounding boxes, segmentation masks, key points, etc.) are delivered to you in real-time and are not stored by NexusPoint beyond the active session.

We implement industry-standard security measures to protect your information:

• Password encryption: All passwords are irreversibly hashed using bcrypt with 12 salt rounds. Plaintext passwords are never stored or logged.
• Session security: Authentication uses HttpOnly, SameSite=Lax cookies with the Secure flag enabled in production, preventing XSS and CSRF attacks.
• API token security: Tokens are generated with cryptographically secure random bytes for maximum strength. Full tokens are shown only once at creation time.
• Transport encryption: All data in transit is protected by TLS/HTTPS encryption.
• Database encryption: MongoDB Atlas provides encryption at rest (AES-256) and in transit (TLS).
• Payment security: All payment card data is handled by Stripe (PCI-DSS Level 1 compliant). NexusPoint only receives non-sensitive card metadata (brand, last 4 digits, expiration).
• Access controls: Role-based access control separates regular user and administrator privileges. Administrative functions are protected by server-side middleware verification.
• Webhook verification: All Stripe webhook events are verified using cryptographic signatures to prevent tampering.

We retain your data according to the following policies:

• Account data: Retained for as long as your account is active. If you request account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law (e.g., tax/financial records).
• Payment records: Transaction records are retained for a minimum of 7 years to comply with tax, accounting, and financial regulations.
• Usage/consumption logs: Retained for the duration of your account for billing verification and analytics. Upon account deletion, consumption logs are anonymized but aggregate data may be retained for platform analytics.
• API tokens: Deleted immediately upon your request or upon account deletion.
• Server logs: Standard web server logs are retained for up to 90 days for security monitoring and then automatically purged.
• Uploaded images: Not retained — processed in-memory and immediately discarded (see Section 4).

NexusPoint uses a minimal set of cookies and browser storage:

We do not use any third-party tracking cookies, advertising cookies, analytics pixels, or social media tracking scripts. We do not participate in any ad networks or cross-site tracking.

Depending on your jurisdiction (including GDPR, CCPA/CPRA, and other applicable laws), you may have the following rights:

• Right of access: Request a copy of all personal data we hold about you.
• Right to rectification: Update or correct your personal information through your dashboard settings or by contacting us.
• Right to erasure ("Right to be forgotten"): Request deletion of your account and associated personal data, subject to legal retention requirements.
• Right to data portability: Request your data in a structured, machine-readable format.
• Right to restrict processing: Request that we limit how we use your data under certain circumstances.
• Right to object: Object to processing of your personal data for specific purposes.
• Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
• Right to opt out of marketing: Marketing communications are opt-in by default. You can toggle marketing notifications off at any time in your dashboard settings.
• Right to non-discrimination: We will not discriminate against you for exercising any of your privacy rights.

To exercise any of these rights, contact us at support@nexuspoint.ai. We will respond within 30 days (or sooner as required by applicable law). We may require identity verification before processing your request.

NexusPoint is not directed at individuals under the age of 16 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal information from children. If we become aware that we have collected data from a child without parental consent, we will take immediate steps to delete such information. If you believe a child has provided us with their data, please contact us at support@nexuspoint.ai.

Your data may be processed in the United States and other countries where our service providers operate. When we transfer data internationally, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) approved by the European Commission where applicable.
• Reliance on adequacy decisions for countries recognized as providing adequate data protection.
• Contractual obligations with all third-party providers to maintain equivalent levels of data protection.

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to know: What personal information we collect, use, disclose, and sell (we do not sell personal information).
• Right to delete: Request deletion of your personal information.
• Right to correct: Request correction of inaccurate personal information.
• Right to opt out of sale/sharing: We do not sell or share personal information for cross-context behavioral advertising.
• Right to limit use of sensitive personal information: We only use sensitive personal information (such as account credentials) as necessary to provide the services.

Categories of personal information collected in the past 12 months: Identifiers (name, email), commercial information (transaction history), internet activity (usage logs), and professional information (company name, if provided). We do not collect biometric data, geolocation data, or sensitive categories beyond what is described in this policy.

We may update this Privacy Policy periodically to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes:

• We will update the "Last Updated" date at the top of this page.
• We will notify registered users via email and/or an in-platform notification for significant changes.
• Your continued use of NexusPoint after any changes constitutes acceptance of the updated policy.
• We encourage you to review this Privacy Policy periodically.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: