Privacy Policy

How NebulaHex collects, uses, and protects your personal data. Written for transparency and built around your rights as a data subject.

Last updated: May 24, 2026

01

Introduction

NebulaHex Pvt Ltd (“NebulaHex,” “we,” or “us”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, including our website, APIs, embeddable chat widgets, and any associated services (collectively, the “Service”).

By accessing or using the Service, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use of the Service immediately.

02

Information We Collect

We collect the following categories of information:

  • Account Information: name, email address, organization name, and billing details provided during registration.
  • Usage Data: pages visited, features used, timestamps, IP addresses, browser type, device information, and referral URLs.
  • Chat Data: conversations between end users and your AI-powered bots, including message content, metadata, and any files shared within a conversation.
  • Uploaded Content: documents, URLs, and other materials you provide to train your knowledge base, including PDFs, web pages, and YouTube transcripts.

03

How We Use Your Information

We use the information we collect to:

  • Provide the Service: operate and maintain your bots, knowledge bases, chat widgets, and integrations.
  • Improve our Product: analyze aggregate product telemetry (page-views, feature-clicks, performance metrics) to enhance features, fix bugs, and develop new capabilities. We do not analyze the content of chat messages, knowledge sources, or integration-sourced data (such as Google Sheets rows, Salesforce records, or Shopify orders) for product improvement.
  • Communicate with You: send transactional emails, product updates, security alerts, and respond to support requests.
  • Ensure Security: detect, prevent, and respond to fraud, abuse, and security incidents.

04

Data Storage and Security

We take the security of your data seriously. All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2 or higher. We run on infrastructure provided by industry-standard cloud providers including Vercel, Supabase, and Upstash. NebulaHex Pvt Ltd does not currently hold an independent SOC 2 or ISO 27001 attestation; we rely on the security posture of our infrastructure providers and our own controls described in this section and at our Security page.

We implement access controls, audit logging, regular vulnerability assessments, and automated backups to protect against unauthorized access, alteration, or destruction of your data. While no method of transmission or storage is 100% secure, we strive to use commercially acceptable means to protect your personal information.

05

BYOK (Bring Your Own Key) Data

When you use the Bring Your Own Key (BYOK) feature, your messages and prompts are sent directly from our servers to your chosen AI provider (e.g., OpenAI, Anthropic) using your own API key. In this configuration:

  • NebulaHex does not store the content of AI requests or responses beyond what is necessary for conversation history.
  • Your API key is encrypted at rest and is never exposed to other users or third parties.
  • The data processing terms of your chosen AI provider apply to the content processed through their API.

05a

AI Model Providers and Training

NebulaHex uses two AI model providers to power its Service: Anthropic (Claude) for conversation responses, and OpenAI for text embeddings used in knowledge retrieval. Both providers are invoked under API terms that contractually prohibit using customer inputs and outputs to train, fine-tune, or improve their models.

Specifically:

  • Anthropic’s Commercial Terms of Service confirm that data submitted via the Anthropic API is not used to train Anthropic’s models.
  • OpenAI’s API Data Usage Policy (effective March 2023) confirms that data submitted via the OpenAI API is not used to train OpenAI’s models by default for API customers.

This commitment extends to:

  • Conversation messages between your end users and your bot.
  • Knowledge sources you upload (documents, URLs, sheet data, integration records).
  • Tool-use outputs from connected integrations (Google Sheets rows, Salesforce records, Shopify orders, HubSpot contacts, and similar).
  • BYOK (Bring Your Own Key) traffic, which is governed by your own contract with the AI provider.

Google’s Workspace API User Data and Developer Policy explicitly prohibits the use of Workspace data for AI/ML model training. We follow this prohibition verbatim:

“Transferring, selling, or using user data to create, train, or improve a machine learning or artificial intelligence model beyond that specific user’s personalized model for the appropriate use case or user-facing feature.”

If you use NebulaHex’s Bring Your Own Key feature, conversation data passes through your own AI provider account and is governed by the terms of that account, not by ours. See Section 05 for the BYOK data handling specifics.

For questions about how we handle AI model training and inference, contact privacy@nebulahex.com.

06

Third-Party Services

We engage a small set of third-party service providers (subprocessors) to deliver the Service. Core subprocessors include Clerk (authentication), Supabase (database and storage), Anthropic and OpenAI (AI model inference), Resend (transactional email), Upstash (rate-limit cache), Paddle (billing and Merchant of Record), Vercel (hosting), Firecrawl (URL knowledge ingestion), and Supadata (YouTube transcript extraction). Conditional subprocessors include Google, Meta, and a range of CRM and helpdesk providers, engaged only when you connect the corresponding integration or channel.

The complete current list — including legal entity names, processing purposes, data categories, and processing regions — is published at our Subprocessors page. We update that list whenever a subprocessor changes.

NebulaHex Pvt Ltd offers a Data Processing Agreement to customers who require one to comply with their own data protection obligations under the GDPR, the UK GDPR, or equivalent legislation. To request a DPA for your organization, email legal@nebulahex.com.

We do not sell your personal information to any third party. Data shared with subprocessors is limited to what is necessary to deliver the Service.

07

Chat Data

Conversations are stored on a per-bot basis within your organization. Each organization can configure its own data retention settings. Chat data includes:

  • Message content and timestamps.
  • End-user identifiers (name, email if provided).
  • Bot responses and any referenced knowledge base content.
  • Conversation metadata such as channel source and resolution status.

Organization administrators can view, export, and delete conversation data at any time from the dashboard.

For Shopify-connected workspaces specifically: we subscribe to Shopify’s three mandatory compliance webhooks (customers/data_request, customers/redact, shop/redact) and process the requested actions within Shopify’s published 30-day SLA. Customer data deletion requests received via these webhooks are handled in the same manner as direct customer deletion requests; see our Data Deletion page for the end-to-end process.

07a

Channel Integrations and Meta Data Usage

When you connect your bot to a third-party messaging channel — WhatsApp, Instagram Direct Messages, Facebook Messenger, Telegram, or Slack — message data flows between NebulaHex and the channel provider. For Meta-owned channels (WhatsApp, Instagram, Messenger), Meta Platforms Inc. is the data recipient on the channel side, and the data flow is governed by both this Privacy Policy and Meta’s Platform Terms.

When you connect a Meta channel, the following data may flow:

  • Incoming messages from your end users (visitor message content, sender phone number or handle, timestamps, attached media).
  • Outgoing messages from your bot to your end users (response content, attached media).
  • Metadata about the conversation (WhatsApp Business Account ID, Instagram Business Account ID, Facebook Page ID, message IDs, delivery and read receipts).

We store this data in our database to enable conversation history, analytics, and audit logging. Retention follows the policy described in Section 10 (Data Retention). End-user data deletion requests are processed via the mechanism described at our Data Deletion page (page in development — will be live before Meta-channel general availability).

When you disconnect a Meta channel from NebulaHex, message data already received remains in your workspace until you delete it via the methods described in Section 09 (Your Rights). Future messages stop flowing immediately upon disconnect.

The same data-flow principles apply to non-Meta channels (Telegram, Slack); the respective provider’s terms govern the channel-side processing.

For questions about channel data handling, contact privacy@nebulahex.com.

08

Cookies

We use essential cookies only. These cookies are strictly necessary for the operation of the Service, including authentication and session management. We do not use tracking cookies, advertising cookies, or any third-party analytics cookies.

You can configure your browser to refuse cookies, but doing so may prevent you from using certain features of the Service.

For a complete enumeration of cookies and browser storage used by NebulaHex, see our Cookie Policy at /cookies.

09

Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Deletion: request that we delete your personal data, subject to legal retention requirements.
  • Export: receive your data in a structured, commonly used, machine-readable format.
  • Rectification: request correction of inaccurate or incomplete data.
  • Objection: object to certain types of data processing.

NebulaHex Pvt Ltd is working toward full alignment with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection regulations. We honor the rights enumerated above for all users regardless of jurisdiction.

To exercise any of these rights, email privacy@nebulahex.com with the request and proof of identity (the email address associated with your NebulaHex account). We respond to requests within 30 days as required by applicable law. There is no charge for the first request in any 12-month period; manifestly unfounded or excessive requests may be declined or charged a reasonable administrative fee.

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the right to lodge a complaint with your local data protection authority if you believe we have not adequately addressed your concerns.

10

Data Retention

Account data — including organization records, user profiles, bot configurations, and knowledge sources — is retained for as long as your account is active or as needed to provide the Service.

Conversation data and lead-capture data are retained until the operator (account owner) deletes them through the dashboard or until 30 days after account termination, whichever is sooner.

Audit log data is retained for 180 days as required for security and compliance review.

When you request deletion of your account, we will remove your personal data within 30 days of receiving the request, except where retention is required by law (for example, for tax or anti-fraud purposes). Subprocessor backups may retain data for an additional period consistent with the subprocessor’s standard backup retention policy.

11

Children’s Privacy

NebulaHex’s Service is intended for business operators 18 years and older, as specified in our Terms of Service (Section 3). We do not knowingly collect personal information from anyone under 18 in connection with operating the Service.

NebulaHex’s widget may be embedded by our customers on their websites where end-user age is not verified by us. We do not knowingly collect personal information from end-users under 13 via any surface. If you believe a child under 13 has interacted with a NebulaHex-powered bot, please contact privacy@nebulahex.com and we will work with the operating organization to delete the data.

12

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you via email at the address associated with your account and update the “Last updated” date at the top of this page.

Your continued use of the Service after any changes constitutes acceptance of the updated Privacy Policy.

13

Contact Us

NebulaHex Pvt Ltd is the controller of personal data processed under this policy.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

privacy@nebulahex.com

14

Google Workspace API Data

When you connect a Google Workspace account to NebulaHex (currently: Google Sheets as a live-data connector), our handling of data accessed through Google Workspace APIs is governed by Google’s Workspace API User Data and Developer Policy. We commit to the following Limited Use requirements verbatim:

“Limit your use of data to providing or improving your appropriate use case or features that are visible and prominent in the requesting application’s user interface.”
“Transfers of data are not allowed, except: To provide or improve your appropriate use case or user-facing features … only with the user’s consent; For security purposes …; To comply with applicable laws and/or regulations; or, As part of a merger, acquisition or sale …”
“Do not allow humans to read user data, unless: You have obtained and documented the user’s explicit consent …; The data is aggregated and anonymized and used for internal operations …; It’s necessary for security purposes …; To comply with applicable laws and/or regulations.”
“Transferring, selling, or using user data to create, train, or improve a machine learning or artificial intelligence model beyond that specific user’s personalized model for the appropriate use case or user-facing feature.”

In practice, this means data accessed from your connected Google Sheets is used solely to answer your end users’ queries on bots you have configured to use that sheet as a knowledge source. We do not transfer the data to third parties (except our AI model providers Anthropic and OpenAI under the non-training terms described in Section 05a), do not allow our employees to read your sheet contents (except for incident response or with your explicit consent), and do not use the data to train or improve any AI model.

We currently request only the OAuth scope necessary for the use case: read-only access to specific sheets you authorize. We do not request broader Drive access. If you disconnect the Google Sheets connector, NebulaHex stops accessing your Google Workspace data immediately; copies retained for caching purposes are purged within 24 hours.

For questions about Google data handling, contact privacy@nebulahex.com.
