Privacy Policy

Last updated: 22/01/2026

Introduction

This Privacy Policy explains how Nexo Software LLC (“NEXO”, “we”, “us”, or “our”) collects, uses, and protects personal data when you access or use our website and software platform (the “Services”). 

NEXO provides a B2B software platform that enables restaurants and suppliers to receive, process, and structure orders originating from communication channels such as WhatsApp and email. 
This Privacy Policy is intended to comply with the EU General Data Protection Regulation (GDPR) and applicable data protection laws.

Company Information

Legal entity: Nexo Software LLC
Registered agent: Northwest Registered Agent Service Inc
Registered address: 30 N Gould St Ste N Sheridan, WY 82801, United States
Operating regions: European Union and United States
Contact email: info@nexoapp.es

NEXO Software LLC is established outside the European Union. Based on the nature, scope, and limited risk of its processing activities at this stage, NEXO does not designate a representative in the EU pursuant to Article 27(2) GDPR.

Scope and Users

NEXO’s Services are intended exclusively for business users.
Our customers are business entities (such as restaurants and suppliers). Individual users (e.g. employees) access the platform on behalf of their employer, with role-based permissions defined by the customer.
NEXO does not knowingly provide services to minors.

Roles Under Data Protection Law

Depending on the context, NEXO acts as:

a) Data Processor
When processing personal data contained in messages, emails, orders, or attachments on behalf of our business customers, in accordance with their instructions.

b) Data Controller
When processing personal data necessary to operate our own business, including:
- Account creation and administration
- Platform security, logging, and access control
- Billing and subscription management
- Legal, regulatory, and compliance obligations

Personal Data We Process

Depending on usage of the Services, we may process the following categories of data:

a) Account and Business Information
- Business name, address, VAT/NIF
- Contact person name, email address, phone number
- User credentials (email address and encrypted password)

b) Communication Data
- WhatsApp messages processed via third-party providers
- Emails sent to NEXO for order processing
- Attachments such as PDFs, images, or invoices

c) Order and Operational Data
- Product names, quantities, and related order details
- Order history and timestamps
- Supplier–restaurant relationships

d) Technical and Usage Data
- Platform logs
- Error and performance data
- Security and access records

NEXO does not intentionally process special categories of personal data as defined under Article 9 GDPR.

Purposes and Legal Bases for Processing

Each purpose is listed with its legal basis:

- Providing and operating the Services: Contract (Art. 6(1)(b) GDPR)
- User authentication & access control: Contract (Art. 6(1)(b) GDPR)
- Platform security, logging, fraud prevention: Legitimate interests (Art. 6(1)(f))
- Customer support and communications: Contract / Legitimate interests
- Legal, tax, and compliance obligations: Legal obligation (Art. 6(1)(c))
- Service reliability & error monitoring: Legitimate interests
- Website analytics and performance measurement: Consent (Art. 6(1)(a) GDPR)

AI-Assisted Processing

NEXO uses artificial intelligence tools to assist with:
- Parsing unstructured messages into structured orders
- Suggesting missing or inconsistent information
- Supporting data classification and enrichment

These processes are designed to assist users and do not result in fully automated decision-making with legal or similarly significant effects. Orders are subject to human validation before confirmation or ERP integration.

Users remain fully responsible for reviewing, validating, and approving any outputs generated with AI assistance before operational use.

Cookies and Analytics

NEXO uses cookies and similar technologies on its website.
Strictly necessary cookies are always enabled and are required for the operation, security, and basic functionality of the website.

With the user’s consent, NEXO also uses analytics cookies to understand how visitors interact with the website and to improve its content and performance.

Google Analytics
NEXO uses Google Analytics (GA4), a web analytics service provided by Google LLC, to collect aggregated and anonymized information about website usage (such as pages visited, device type, and approximate location).
Google Analytics is configured to load only after the user has provided explicit consent via the cookie consent banner. Analytics cookies are disabled by default.
The legal basis for this processing is consent pursuant to Article 6(1)(a) GDPR.

Users may withdraw or modify their consent at any time via the “Cookie Preferences” link available on the website.
Further information about the cookies used, their purposes, and retention periods is available in the Cookie Policy.

This Privacy Policy should be read together with the Cookie Policy.

Data Sharing and Third Parties

We may share personal data with trusted third-party service providers acting as data processors, including:
- Hosting and infrastructure providers (e.g. Vercel)
- Database providers (e.g. Supabase)
- Communication service providers (e.g. Twilio)
- Platform and messaging providers (e.g. WhatsApp / Meta, where applicable)

Such providers process data solely in accordance with our instructions and applicable data protection agreements.

A current list of sub-processors may be provided upon reasonable request.

International Data Transfers

Where personal data is transferred outside the EU, NEXO ensures appropriate safeguards are in place, such as:
- Adequacy decisions adopted by the European Commission, or
- Standard Contractual Clauses (SCCs) approved by the European Commission.

In relation to Google Analytics, data may be processed by Google LLC in the United States. Where applicable, such transfers are safeguarded through Standard Contractual Clauses (SCCs) approved by the European Commission and additional technical measures.

Data Retention

Personal data is retained only for as long as necessary to:
- Provide the Services during the contractual relationship
- Enable data export or migration following termination (up to 60 days)
- Comply with legal, tax, and accounting obligations
- Maintain security, audit, and access logs as required by law.

Data no longer required is securely deleted or anonymized.

Data Subject Rights

Where applicable under GDPR, individuals have the right to:
- Access their personal data
- Request rectification or deletion
- Restrict or object to processing
- Request data portability
- Lodge a complaint with a supervisory authority

Where NEXO acts as a data processor, requests relating to data processed on behalf of a customer must be addressed to the relevant customer acting as data controller.

How to Exercise Your Rights
Users can submit data export and deletion requests directly via buttons in their account settings:
- Export Data: Generates a request for all business records (contacts, orders). Our team fulfills the request within 30 days via secure email download.
- Delete Data: Triggers review and deletion of all personal data associated with the account (excluding data required for legal compliance).

Requests may be submitted to info@nexoapp.es.
Where NEXO acts as a data processor, such requests should be directed to the relevant customer acting as data controller.

WhatsApp Business Platform

NEXO integrates WhatsApp Business Platform to enable restaurant suppliers to receive and process orders via WhatsApp.
We process Platform Data (messages, phone numbers, metadata) only as necessary for order automation, in compliance with Meta's Platform Terms.

- Data is processed transiently by authorized service providers
- Retained for a maximum of 90 days or until service disconnection
- Deleted immediately upon supplier request or account termination
- Full compliance with GDPR data minimization and processor requirements

Suppliers control data via "Disconnect WhatsApp" (purges all Platform Data).

- WhatsApp Platform Data: Maximum 90 days from receipt (messages, metadata). Deleted on disconnect.
- Business Records [Orders, Contacts]: Retained as necessary for supplier operations.
- WhatsApp Rights: Disconnect WhatsApp → immediate cessation + data purge (30 days max).

NEXO does not control or manage end-user consent for WhatsApp communications. Customers are solely responsible for ensuring that they have obtained all necessary consents or lawful bases from their contacts to receive communications via WhatsApp.

Security Measures

Measures include, among others, encryption in transit and at rest, role-based access controls, authentication mechanisms, and activity logging.

Supervisory Authority

Individuals in the EU also have the right to lodge a complaint with their local supervisory authority, including the Spanish Data Protection Authority (AEPD).

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The most current version will always be available on our website, with the “Last updated” date revised accordingly.

Contact

For any questions regarding this Privacy Policy or data protection matters, please contact:
info@nexoapp.es
